Synology users running the old versions of the DSM has been affected by attackers who hack into their synology, encrypt the files and then replace the DSM with a page asking for 0.6 bitcons ($350) as a ransom money for the password to unprotect the files.
Affected users may encounter the following symptoms:
- When attempting to log in to DSM, a screen appears informing users that data has been encrypted and a fee is required to unlock data.
- Abnormally high CPU usage or a running process called “synosync” (which can be checked atMain Menu > Resource Monitor).
- DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier; DSM 4.0-2257 or earlier is installed, but the system says no updates are available at Control Panel > DSM Update.
If you are affected, shut down your NAS immediatly and contact synology.
Synology is still working on this issue and investigating if the DSM 5.0 is also affected, but some users have been able to unlock their files by following these steps:
NOTE: I can not guarantee that this method will work for everybody. Some users have had success with it and none has reported problems so it should be safe, still, follow the steps at your own risk. (Review comments section for feedback).
1. Shut down the NAS
2. Remove all the hard drives from the NAS
3. Find a spare hard drive that you will not mind wiping and insert it into the NAS
4. Use Synology Assistant to find the NAS and install the latest DSM onto this spare hard drive (use the latest DSM_file.pat from Synology)
5. When the DSM is fully running on this spare hard drive, shut down the NAS from the web management console.
6. Remove the spare drive and insert ALL your original drives.
7. Power up the NAS and wait patiently. If all goes well after about a minute you will hear a long beep and the NAS will come online.
8. Use Synology Assistant to find the NAS. It should now be visible with the status “migratable”.
9. From Synology Assistant choose to install DSM to the NAS, use the same file you used in step 4 and specify the same name and IP address as it was before the crash.
10. Because the NAS is recognized as “migratable”, the DSM installation will NOT wipe out the data on either the system partition nor the data partition.
11. After a few minutes, the installation will finish and you will be able to log in to your NAS with your original credentials.
(Thanks to Mike for sharing this)
To increase the security of your NAS:
- Make sure you install ALL new updates from Synology. If you have not encountered the above symptoms, Synology strongly recommends downloading and installing DSM 5.0, or any version below:
- DSM 4.3-3827 or later
- DSM 4.2-3243 or later
- DSM 4.0-2259 or later
- DSM 3.x or earlier is not affected
- Block unauthorized people to access your NAS
- Change your SQL database password (if you are using one)
- Enable 2-step authentication for your admin password.
Synoguide 
Hi all…
I did exactly like described and lost all data… after installation NAS status was on migratable and after DSM installation data were deleted expect 10 photos…
crazy to present such a solution here. I am really pissed (first lack at Synology, then files ecrypted and now files lost).
Cheers, Eddie
LikeLike
sorry guys… I have to correct: once all these steps finalized I had to grant access to the folders (the old ones) and then they are visible and all is back.
I am still pis…. but more from this stupid hackers which I do not understand, and will never understand. How they can attack files (private fotos, videos etc.) anyway… good luck to all the victims 🙂
LikeLike
In my opinion, they should use their skills in something constructive, instead of destructive, but…the only thing we can do, is to keep the NAS up to date and secure.
Ruth
LikeLike
Hi, my has was also infected. I reinstalled via the steps mentioned above successfully. But I’m now at a point I’m wondering which files are encrypted? Can anyone tell how to find out? I have thousands of photo’s and don’t want to check all of them.
I do have a remote backup, what will happen when I’m making another backup? Will encrypted files on my source overwrite good files on my backup when making a new backup?
Not sure what steps I should make right now.
Thanks in advance!
Rene
LikeLike
Hi Rene,
I have not been affected by it, so I have not followed the steps myself. It is best if you ask the author about it: http://forum.synology.com/enu/viewtopic.php?f=3&t=88716.
Ruth
LikeLike
Thanks!
LikeLike
You welcome! /Ruth
LikeLike
Worked for me! Unfortunately the encrypted files are still encrypted, but at least I’m able to access all other data (which includes almost my entire video and music collection), so thanks for the tip!
LikeLike
Glad it worked! Let’s hope Synology finds a way to unlock the files. As soon I hear something from them, I will post an update. Thanks for letting me and other readers know.
/Ruth
LikeLike
I don’t have a spare HD so before buying one to try out these recovery steps, do you think installing the DSM on a USB HD (connected to the NAS) is possible?
Thanks in advance!
Thomas
LikeLike
Hi Thomas,
I don’t think so. This feature has been requested before, though: http://forum.synology.com/enu/viewtopic.php?f=3&t=39878
/Ruth
LikeLike