It seems malware authors have recently taken a liking to the network-attached
storage (NAS) devices manufactured by Synology Inc. First they were hit by
Bitcoin mining malware at the beginning of this year and now by
file-encrypting ransomware similar to CryptoLocker. NAS devices are used by home
and business users alike to easily store and share files over a network. Many,
like the ones manufactured by Synology, also feature remote access. In this
case, it would seem hackers were able to abuse the remote access feature,
possibly by exploiting a vulnerability in older versions of the Synology DSM
operating system, to gain access to the devices. Once they had access, they
proceeded to install ransomware they have dubbed "SynoLocker".

Once the device has been infected with SynoLocker, the malware will proceed to
encrypt files stored on the device. It will search the device for files with
extensions matching a hardcoded list (shown below). Extensions are matched
so that only the beginning of the extension needs to match an entry in the
hardcoded list. This means, for instance, that both .doc and .docx files will
be encrypted, since the list contains ".do".
Extension list hardcoded inside SynoLocker
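
To show how far prefix matching reaches, here is an added example (not SynoLocker code and not part of the original post) that reports which extensions in a file listing fall under a prefix list, for instance when deciding which data to check backups for. Only ".do" comes from the article; the other prefixes, the sample paths, and the last-dot, case-insensitive extension handling are assumptions.

```python
import posixpath
from collections import defaultdict

# Constructed prefix list: only ".do" is taken from the article. The other
# entries are placeholders and are NOT SynoLocker's real list.
PREFIXES = (".do", ".xl", ".jp")

# Constructed sample listing of files on a NAS share.
SAMPLE_PATHS = [
    "/volume1/docs/report.doc",
    "/volume1/docs/thesis.DOCX",
    "/volume1/docs/template.dot",
    "/volume1/web/setup.download",
    "/volume1/docs/budget.xlsx",
    "/volume1/photo/cat.jpg",
    "/volume1/photo/cat.jpeg",
    "/volume1/backup/data.tar.gz",
    "/volume1/homes/a/.docker",
    "/volume1/notes/README",
]

def extension(path):
    """Text from the last dot of the file name, lower-cased ('' if none).

    Assumption: the article does not say how the malware extracts or
    compares extensions; dotfiles such as '.docker' count as having none.
    """
    return posixpath.splitext(posixpath.basename(path))[1].lower()

def matched_prefix(path, prefixes=PREFIXES):
    """Return the list entry that the file's extension starts with, or None."""
    ext = extension(path)
    for prefix in prefixes:
        if ext.startswith(prefix):
            return prefix
    return None

def exposure_report(paths, prefixes=PREFIXES):
    """Map each prefix to the distinct full extensions it covers in `paths`."""
    report = defaultdict(set)
    for path in paths:
        prefix = matched_prefix(path, prefixes)
        if prefix is not None:
            report[prefix].add(extension(path))
    return {prefix: sorted(exts) for prefix, exts in report.items()}

if __name__ == "__main__":
    for prefix, exts in sorted(exposure_report(SAMPLE_PATHS).items()):
        print(f"{prefix!r} covers: {', '.join(exts)}")
```

In the sample, the single entry ".do" covers .doc, .docx, .dot and .download, so a prefix list reaches more file types than its entries suggest at first glance.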
Once all files ...