A few weeks ago, we covered news of Synology’s Dogecoin headache when the NAS and remote storage server developer discovered that its hardware had been hijacked for mining cryptocurrencies. Now, the company is going to be back in the unwelcome spotlight for a new flaw — an exploit dubbed SynoLocker is locking NASes unless the owners pay a ransom fee to decrypt their files.

According to Synology, the issue appears to affect internet-accessible installations of DSM 4.3, but Synology isn’t entirely clear on this point; the company’s literature refers to “non-updated versions of DSM 4.3” without stating exactly which releases those are. Regardless, we recommend you update to either the latest 4.3 release or upgrade to DSM 5.0 (whose final version was released in March), if applicable and supported by your NAS hardware.

Synology also recommends the following:

Close all open ports for external access as soon as possible, and/or unplug your Disk/RackStation from your router.
Update DSM to the latest version.
Back up your data as soon as possible.
Synology will provide further information as soon as it is available.

If your system has been infected, Synology recommends you do a hard shutdown of the unit and contact Synology Support as soon as possible. The company does not have a timeline for further disclosures but is holding off on a formal blog post until it has nailed down precisely which versions of the software are impacted.

This looks worse the second time around

The first time Synology announced that it was having malware trouble in its equipment, it had great cover — the issue had actually been patched for months. It’s possible that thieves are simply exploiting the same flaws as in the earlier attacks, but it’s at least plausible they aren’t — presumably Synology would have been able to identify that quickly if it were the case.

Synology may have to take a page from Microsoft’s book and aggressively push users to update to later OS versions as a way of resolving security concerns. Users with Synology NASes in mission-critical deployments are going to have a hard time taking the product offline for an indefinite period of time as a means of resolving the problem. Synology is doing the responsible thing by recommending it, but it’s not a solution that customers can tolerate indefinitely.