Source: The Register / Synology

Quote Originally Posted by Synology
We’d like to provide a brief update regarding the recent ransomware called “SynoLocker,” which is currently affecting certain Synology NAS servers.

We are fully dedicated to investigating this issue and possible solutions. Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. Furthermore, to prevent spread of the issue we have only enabled QuickConnect and Synology DDNS service to secure versions of DSM. At present, we have not observed this vulnerability in DSM 5.0.
Quote Originally Posted by The Register
Synology Diskstations and Rackstations are being hit by malware dubbed SynoLocker. The malware is a similar to the infamous Cryptolocker ransomware in that it encrypts all your files and then demands a ransom to unlock them.

The vulnerabilities that enable the malware appear to rely on hard-coded passwords to recommended configurations that involve exposing the administration page to the internet.

If you have exposed either or both of your Synology NAS' ports 5000 or 5001 to the internet then stop reading this article right now and go close those ports. These are the default HTTP and HTTPS web server ports for Synology and allow access to the administration page

In addition to allowing access to the administration page, these ports – and thus the same web server instance – are being used to serve up several components of the Synology offering. Services offered on these ports include DS Audio, DS Cam, DS file, DS finder, DS video, DS Download, Video Station, File station and Audiostation.

If you have opened ports for any of these services to the internet then you have also opened the Synology administration page. Be aware that if you use the Synology "EZ-Internet" router configuration utility it will open these vulnerable ports to the internet, so under no circumstances use this tool until the storm has passed, and Synology has worked out some better defaults.

If you need remote access to your Synology, it is highly recommended that you use a VPN to do so. If you are using the VPN provided by Synology, make sure it is up to date, as a known vulnerability exists in older versions.

To prevent your NAS from becoming infected:

  • A. Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router
  • B. Update DSM to the latest version
  • C. Backup your data as soon as possible
  • D. Synology will provide further information as soon as it is available.

If your NAS has been infected:

  • A. Do not trust/ignore any email from unauthorized/non-genuine Synology email. Synology email always has the “synology.com” address suffix.
  • B. Do a hard shutdown of your Disk/RackStation to prevent any further issues. This entails a long-press of your unit’s power button, until a long beep has been heard. The unit will shut itself down safely from that point.
  • C. Contact Synology Support as soon as possible, here.