Everything posted by Albert-S

  1. Hi Amigo-A Thank you for your comment and I did add some screenshots (first I had to change the language, because I'm not using English). It turned out that the “configuration screen” was not correctly translated, in the original English layout it is called “control panel”. 😉 Anyway if you read the website of Synology it appears that for them security has a high priority and moreover they offer a good bounty program on finding bugs. But this I would not regard as a bug: the problem is weak default settings, without any appropriate warning or correction. In my opinion it should not be possible to access the NAS by Samba via internet at all, when the NAS has not been configured for internet access. And whilst the protection available (<>protection given) is good, at the same time the possibilities to check the health of the system (when infected) appear to be limited.
  2. First of all I like to thank Emsisoft for the fine decryptor offered, it was a good feeling to have the data restored. In this contribution I want to reflect on how (in my opinion) to avoid further attacks on the NAS Synology as well as how to back up when not using ‘cloud’ options. As Amigo said: Having done my homework now, I think those machines are not defenseless, but they are sold with all doors open, furthermore it takes knowledge to find the doors, windows, escapes etc. Unfortunately the helpdesk in my experience (in many ways) was not always helpful. Anyway no (relevant) update has been provided since December 2018.

Checking the system

As a general remark I have found no (new) traces of intrusion other than I have reported before. So let’s start with that. From package center you are able to install “Antivirus Essential”, which allows you to do a system scan on the DSM software. As a nice to know: In case you want to uninstall any package/program, you will first have to select it (double click on an installed package), which brings you to a separate menu, where you can select delete from a dropdown. Please know that a complete scan by antivirus that includes all data could take days or weeks, but that could also be done using a regular antivirus scanner. A system scan however can be scheduled on a daily basis. I am not sure/doubt whether the scanner will detect uninfected programs not installed by yourself and not published by Synology and its partners, but I assume it will detect infected files. Secondly you would like to check the published cron jobs. Those will be found in the control panel as task-manager. In that task scheduler you will find DSM auto-update and maybe some other tasks. Unfortunately you will not find all tasks. For instance a scheduled Antivirus scan will not appear. Also do check your access logs as I wrote on April 26th in this blog. I’m afraid there are no other opportunities available to check the system.
Prevention

The most important probably is to block the guest account, check my message on April 18th. Moreover, one should avoid using regular user names such as ‘guest’, ‘admin’ or ‘user’, those names are vulnerable in general, I have noticed some hacking attempts using those names. Then open “Security Advisor” from the programs (check the upper-left icon to find all your programs) and directly go to the advanced settings. Here you probably will find that the setting is set to ‘home and personal use’, which offers only restricted protection. I like to suggest to change that to custom and then select all items, to allow you to evaluate in a further phase which protections make sense for you. Now you go back to the main screen (Overview) of the Security Advisor and press scan to see whether your protection is good. The Security Advisor will then make suggestions what to change and where to find relevant settings for your system. It will guide you to find out which port numbers to change, whether your passwords are good enough, and much more. A special attention I want to draw when using the NAS on internet. I would feel like not doing that, but if you do so, it is wise to have dedicated users for the internet usage, which users you should set to double verification when connecting, such as pin-code verification via SMS or email, further it is wise to use encryption during data transfer, preferably by installing a valid certificate on your system. All those features are available on the NAS but they have to be activated by yourself. The general settings of Synology will give you a maximum access as easy as possible, but that will make it easy for others as well. For more info on this subject check the Synology website. You also want to check the firewall, which you can find in the configuration screen, item Security. I mention this point separately from the Security Advisor, because at this point the guiding is not as good.
To use the firewall, you have to switch it on, and moreover you have to make your own firewall rules. Again, don’t assume that default rules are good enough. So select a custom profile for the firewall profile and press the button change the rules. Relevant rules can be altered by selecting LAN on the upper-right dropdown. Now when you choose not to access your NAS via Internet I would recommend to close the ports for NTP-service, Bonjour, FTP, ATP, CIFS, NFS, Telnet and SSL. Those ports should be closed for all IP addresses ranging from to but not for those IP addresses (range) specifically used in your own network. B.t.w.: the NAS will not allow you to exclude yourself as long as you are logged in. Finally you want to be informed in case anything unexpected has happened. You can do that by configuring your email account in the settings for e-mail which can be found from control panel, messages. Indeed you can select which type of messages you want to receive and which not in the tabsheet advanced.

Back-up

When deciding not to use the internet for back-up one can use several external USB drives to have a program for backups in safe places and manual rotations. For this old school solution I have used Hyper-Backup, which can be installed from the package center. Hyper-backup allows you to have a time-machine file management, to compress data and avoid duplicated data as well as it allows to encrypt the data. Encryption is a good idea as you (should) carry the USB disks to different locations. You then will require a password which generates an RSA key, which password and/or key you need to store in a proper way to have an orderly future access to your data. Hyper-backup has a good interface. To have a back-up choose ‘local map & USB’, and then select as shared map the applicable USB drive and the name of the backup.
For each back-up drive you should choose a different task and a different name, as you then can continue with the other backup settings and finally the initial backup. As a consequence of compression, encryption etc, that initial backup could take several days. Of course the succeeding incremental backups are much quicker. So for the next initial backup disk you want to increase the speed. This can be done by copying the data from one disk to another, where you only copy all data from that map in the root which carries the name of that backup you placed on the drive. On the new drive you will then change the name of that map to the new backup name. When now making a new backup task, again choose ‘local map & USB’ but then do not use the standard radio-button selection ‘make backup task’ but select ‘link to an existing backup task’. From here you select the new USB drive and the newly made map containing the initial or progressed backup data. You then have an initial backup right from the beginning.

Summary

The possibilities for checking the actual health of the system are available but this could be insufficient. Nonetheless, good methods for protecting the system exist, where the Security Advisor is essential to find the right protection. However, it requires the user not to rely on any default settings of Synology which in general can be described as weak. Many back-up solutions are offered including the ones which are off-line. Bottom line there still is room to improve the product to make it more secure to a non-specialized public. To me it appears the message Synology sends to us is: "We don’t care".
  3. Actually, I have found some good access logs: On the Synology NAS systems they can be found by first pressing main menu, then select the icon "Log-center", then select on the left side "log-books", from there use the dropdown and select the second item: "Connection" and then search for "guest" (all small caps). In that list I noted that 1 second before the encryption started a connection was made using smb2: Date/time: User [guest] from [description(IP address)] via [CIFS(SMB2)] accessed shared folder [foldername]. The nice thing about this log is you can export it. Furthermore the following can be helpful as well: open the “configuration screen” and select security. After that enter the tab-sheet “account” and the first subject is about “enable automatic blocking”. In this subject there is a button “List allowed/blocked”. Press this button to open a new window where you select the tab-sheet “blocking list”. Here all blocked IPs are listed. You can export this IP-deny-list file as well. I believe these files can be helpful when reporting the ransomware to the police, which I have done.
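The connection-log check described in the post above, as an added example that is not part of the original post: it parses exported lines in the layout quoted there and lists guest CIFS/SMB connections shortly before a known incident time. The timestamp format, the LAN range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Layout taken from the entry quoted in the post. The timestamp format and the
# LAN range are assumptions; adjust both to your own export and network.
TS_FORMAT = "%Y/%m/%d %H:%M:%S"
LAN = ipaddress.ip_network("192.168.1.0/24")
ENTRY = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}):? "
    r"User \[(?P<user>[^\]]*)\] from \[(?P<host>[^\]]*?)\((?P<ip>[^)\]]+)\)\] "
    r"via \[(?P<proto>[^\]]+)\] accessed shared folder \[(?P<share>[^\]]*)\]"
)

def parse_connections(lines):
    """Return one dict per line that matches the connection-log layout."""
    events = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header rows and other log types are skipped
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FORMAT)
        try:
            ev["outside_lan"] = ipaddress.ip_address(ev["ip"]) not in LAN
        except ValueError:
            ev["outside_lan"] = None  # source was not a literal IP address
        events.append(ev)
    return events

def guest_smb_before(events, incident_start, window_s=300):
    """Guest CIFS/SMB connections in the window_s seconds up to incident_start."""
    earliest = incident_start - timedelta(seconds=window_s)
    return [e for e in events
            if e["user"].lower() == "guest"
            and e["proto"].upper().startswith("CIFS")
            and earliest <= e["ts"] <= incident_start]

# Constructed sample export (documentation IP ranges, invented names).
SAMPLE = [
    "Date/time,Event",
    "2019/03/24 13:58:02: User [alice] from [DESKTOP-1(192.168.1.20)] via [CIFS(SMB2)] accessed shared folder [photo].",
    "2019/03/24 14:05:09: User [guest] from [unknown(203.0.113.45)] via [CIFS(SMB2)] accessed shared folder [data].",
    "2019/03/24 14:20:00: User [guest] from [unknown(198.51.100.7)] via [CIFS(SMB2)] accessed shared folder [data].",
]

if __name__ == "__main__":
    start = datetime(2019, 3, 24, 14, 5, 10)  # constructed incident time
    for e in guest_smb_before(parse_connections(SAMPLE), start):
        print(e["ts"], e["ip"], e["share"], "outside LAN:", e["outside_lan"])
```
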
  4. Thanks for all the answers. It did help me forward, though I have not worked on the linux programs yet. I however succeeded to restore some files by screening other backups on the post-content after the first 64kB of a file and comparing it with the .nampohyu files. I also succeeded to ‘repair’ a database by exchanging the first 64kB with an older version uncorrupted access-file. Note that this is a dirty way to repair, but after that I was able to copy the table content to another clean database, so I was lucky that it works. Anyway, as others I will look forward to a decryption tool (the real solution) in future. If there is any information required for that, I believe we all are happy to give input. What I noticed is that only (the first part of) files with a specific extension had been encrypted. These extensions include: ‘pdf’, ‘jpg’, ‘doc/docx’, ‘xls/xlsx’ etc, it however does not include the extensions: ‘exe’, ‘gif’, ‘html’, ‘png’, etc. Also files smaller than 16 bytes/128 bit (thus extremely small) are not encrypted. This logic is consistent with all that I have observed. Regarding the executable I was thinking that the exe-files have been infected by the attacker (using Samba by copying files) and inside these files, which could be triggered by the user itself, there could be a code which created and started a separate process in the linux environment of the NAS itself (DSM). This could make sense if the attacker is not able to create or start directly a process which can be executed in the DSM.
  5. @pmarty @xfifi What I notice is that none of the .exe files of the attacked drives/partitions were encrypted, and thus exe-files do not have the ‘.nampohyu’ extension. They still are regular executable files and are not encrypted. I wonder if you could affirm this observation? Further, I have found the executables infected by a virus in very unexpected directories, including the recycle bin, as well as that not all executables were infected by a virus. There is no logic (to me) in the directories to search for. But when you use Windows Explorer you should be able to search all the sub-directories. You also could check if there were more drives/partitions infected. In my case they attacked 4 drives/partitions and left 6 drives/partitions unchanged, I assume that they had no access to the other drives/partitions.
  6. It appears that the “.NamPoHyu” ransomware is often attacking Synology NAS systems. This comment therefore is only related to Synology NAS systems. 1. Regular data recovery is a no go: decryption is the only way to restore data! As GT500 said the chances for regular data recovery are already very low, since it is more likely that the data is overwritten than it has been copied. However in this case regular data recovery software does not allow you to access the NAS drives directly. Therefore, the following has been suggested: I have contacted the Synology helpdesk and the bad news is that the disk format is ext4 or BTRFS which a regular PC can't read. Moreover, for the Synology system no data recovery software exists that can recover files or folders. 2. Block the guest account I have good reasons to assume that the guest account on the system is a potential problem. I therefore recommend the following: Enter the configuration screen, open Users, select Guest, edit, select: switch off this account immediately & do it directly (no delay). Basically I believe you don’t want unknown ‘guests’ on your NAS. If you have other accounts you are working with and you are logged in by one of those accounts, I suggest you do the same with the admin account, too. For more info on NAS check this forum too.
  7. @GT500 Thank you for your concern and the good work. However, I did not post the file on the forum, because I thought it is not a good habit to spread a potential virus on this platform. So I have attached it in an email to: [email protected] // subject: referring to ransom message of Albert-S (including some typos) I have mentioned my concerns regarding this executable on the forum at Tuesday 3:30 PM, EUROPE. Hope it finds well now, did not mean to confuse ... Since you mentioned only authorized persons can download, I tried to add the file to this post. But I can't: my virus scanner does not allow me.
  8. The .NamPoHyu is indeed terrible. Just to be sure of the symptoms: Pmarty/Xfifi: have you also found some modified executables on your NAS (as I have described above), or was it an additional infection? Typically you would find these files when you search in explorer on ‘*.exe’ on the NAS and when you are looking at the creation date of those files. When those creation dates/times are very similar, quite recent and not matching with your installation, probably the executables were modified by the attacker. DO NOT USE/EXECUTE these files, it might be the trigger of the ransomware. What I did is, I changed the extension and stored the files on a USB stick. Doing so, my anti-virus program keeps alerting on those files. ADDED INFO: DO NOT erase the infected executables: You might need them as input at a later moment in time when someone succeeds in preparing a decryption tool for this virus. The best you could do is saving these files on an empty USB stick. Mind you that this type of ransomware is new on the market and we don’t know yet what will be required to put an end to the ransom. GT500 did you receive that file I had submitted on Sunday, and is it helpful for your analysis? Can I help with something more?
  9. Sounds like you are close to finding a solution and that there is hope for me, too Amigo-A! Thanks for your efforts! Looking forward to more details ...
  10. There is something more interesting on the encrypted files: The encryption speed seems to depend on the number of files; not on the size of the file. A very large file is ‘encrypted’ with the same speed as a very small file. On average I calculated a speed of about 13 files a second. More analyzing shows to my first impression that only the first 64kB of each file is encrypted. This does however not mean that smaller files cannot be encrypted as well. What I further think is that encryption is done in blocks of 128 bit and when the file size does not match the remaining few bytes are left as is, keeping the file size unchanged.
  11. Thank you all for your considerations. What I noticed is that on the attached PCs there seems to be no infection. I have scanned all desktops with different virus scanners. What I further noticed is that the file size of the encrypted file is exactly the same as the original file size. And, as suggested by GT500 I did check on the extension removal. I'm afraid that does not help. So this makes me believe that AES128-CBC is not the encryptor used, because otherwise I would find some block size filler. Or the encryptor just reduces the size of the last block. There is more interesting that I found: On March 24th several executables (20 in total) on the targeted share of the NAS have been changed, all done within 10 minutes. Furthermore the virus scanner identified these files as infected. I submitted on Sunday evening a file called SecureLOCK.e_e, a renamed exe-file, as well as I submitted some encrypted files in a prior mail. Furthermore, I was surprised by the speed of the encryption: Although the hardware is quite old, within 2 hours' time 350 GB (0,35 TB) has been encrypted. So the encryption process cannot be very complicated and it is very efficient. And to my knowledge during most of the time the encryption was done, none of the PCs were on. So I assume it was a process running on the NAS itself. But at the time the encryption started it could be that I triggered the process by executing one of the infected files mentioned above. I also noted that very rarely some files were skipped, the skipped files have generally a small file size. The encryption time was very fast. Especially when I compare it to the endless hours it takes to back up all the encrypted and remaining unencrypted files on another device.
  12. Got infected too, on a Synology NAS. What a disaster! However, not all shares of the system were infected. Some shares were more protected, so I believe the criminals could not read/write all files on the NAS. The encrypted files have the extension ".nampohyu" - which according to information I found also is "MegaLocker" Ransomware. It also is referred to as NamPoHyu. In each encrypted directory I find a file called "!DECRYPT_INSTRUCTION.TXT". In this file it is said that the encryption is done by an AES-128 CBC algorithm, which - if this is true - could be helpful information. Furthermore the file provides a unique ID which has a format of a 16 byte hexadecimal string. Could this be related to the key required? Anyway I have a few pdf files which were encrypted but from which I also have the originals. Maybe bruteforce could help to identify? And as the name of the extension is different is this another subject - or - because this is MegaLocker too, it belongs to the same thread, and I have posted my comments correctly?
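For readers who, as in posts 4, 10 and 12 above, hold both an encrypted file and a known original or backup copy, this added example (not part of the original posts and not Emsisoft's tool) measures which 16-byte blocks differ and finds backup copies whose content past the first 64 kB matches. The sample data is constructed; `stand_in` only reproduces the layout the posts describe and is not the ransomware's cipher.

```python
BLOCK = 16          # 128-bit block size assumed in the posts
HEAD = 64 * 1024    # "first 64kB" observed in the posts

def changed_extent(original: bytes, encrypted: bytes):
    """Describe where an encrypted file differs from its known original."""
    if len(original) != len(encrypted):
        return None  # the posts report identical sizes; anything else is another case
    changed = [off for off in range(0, len(original), BLOCK)
               if original[off:off + BLOCK] != encrypted[off:off + BLOCK]]
    end = min(changed[-1] + BLOCK, len(original)) if changed else 0
    return {
        "size": len(original),
        "changed_blocks": len(changed),
        "first_changed": changed[0] if changed else None,
        "changed_end": end,                      # offset just past the last changed block
        "rest_identical": original[end:] == encrypted[end:],
        "within_head": end <= HEAD,
    }

def match_backups(encrypted: bytes, candidates: dict):
    """Names of backup copies with the same size and identical bytes past HEAD."""
    if len(encrypted) <= HEAD:
        return []  # nothing beyond the head to compare
    return [name for name, data in candidates.items()
            if len(data) == len(encrypted) and data[HEAD:] == encrypted[HEAD:]]

def stand_in(original: bytes) -> bytes:
    """Constructed test data only: alters whole blocks inside HEAD, keeps the size."""
    limit = min(HEAD, len(original) - len(original) % BLOCK)
    return bytes(b ^ 0xA5 for b in original[:limit]) + original[limit:]

def demo():
    big = bytes((i * 7 + 3) % 256 for i in range(70005))   # constructed "original"
    small = big[:37]
    older = big[:-1] + bytes([big[-1] ^ 1])                # same size, different tail
    enc_big, enc_small = stand_in(big), stand_in(small)
    return (changed_extent(big, enc_big),
            changed_extent(small, enc_small),
            match_backups(enc_big, {"report_old.pdf": older, "report.pdf": big}))

if __name__ == "__main__":
    for item in demo():
        print(item)
```

On real files, read both copies with `open(path, "rb").read()` and pass the bytes in; a `changed_end` beyond 64 kB or `rest_identical` being false means the file does not follow the pattern described in the posts.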