
SynoLocker virus. How to remove? (Uninstall guide)

Removal by Lucia Danes | Also known as SynoLocker ransomware | Type: Ransomware

What is SynoLocker virus?

SynoLocker virus is a serious piece of ransomware that encrypts specific files kept on network-attached storage (NAS) devices. After making these files inaccessible, the virus demands a ransom of $350 and claims that it will decrypt the files in exchange for this fee. Just like the Cryptowall virus and similar ransomware, as soon as SynoLocker encrypts files, it asks for the ransom to be paid in bitcoins via the Tor browser. This infection is known to have attacked Synology servers. Synology is a Taiwanese company that makes popular storage devices that help people store their files on the Internet. If you use Synology storage devices, don't be surprised to discover a notification like this:

Automated Decryption Service
All important files on this NAS have been encrypted using strong cryptography.

List of encrypted files is available here.

Follow these simple steps if files recovery is needed:

In this case, you should contact Synology support and power off the DiskStation. We also recommend scanning your computer with reputable anti-spyware to make sure that it is free of this cyber threat. The latest victim of SynoLocker is the Chinese Medicine University. According to reports, the virus affected its storage devices and blocked access to 10,000 patient records.

How can SynoLocker virus infect my computer?

It's still unknown how hackers spread the SynoLocker virus. According to some security experts, this virus may have been able to affect Synology servers because of a critical vulnerability that has recently been patched. To prevent SynoLocker from infiltrating your computer, you should always be careful with emails that claim to come from well-known companies such as Bank of America. If they are full of suspicious links or grammar and spelling mistakes, there is a high chance that these emails are used for spreading the SynoLocker virus. Also, stay away from insecure websites and never fall for questionable alerts. If they offer to update some of your programs, they may be used for spreading this or other ransomware, trojans and other seriously dangerous viruses. Finally, don't leave your PC without anti-virus and anti-spyware installed, because these programs can help you prevent infiltration by the previously mentioned viruses. If you think that your PC is infected with the SynoLocker virus, you should follow this guide:

How to remove SynoLocker virus?

We have some bad news for you. If the SynoLocker virus infects a computer or data storage device, the only method that can be used for decrypting the files is making a payment of $350 in bitcoins. Of course, we don't recommend that, because by doing so you will support hackers and their dirty business. To remove the SynoLocker virus from the system, we recommend using Reimage, SpyHunter or Combo Cleaner. If you can't run these programs, follow these steps:

  1. Reboot your infected PC into 'Safe mode with command prompt' to disable the virus (this should work with all versions of this threat).
  2. Run Regedit.
  3. Search for WinLogon entries and write down all the files that are not explorer.exe or blank. Replace them with explorer.exe.
  4. Search the registry for the files you have written down and delete the registry keys referencing those files.
  5. Reboot and run a full system scan with updated anti-spyware.
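
The Winlogon check in steps 2 to 4 can be done as a read-only audit before anything is edited. The PowerShell below is an added example, not part of the original guide. The key paths and default values are the standard Windows ones (the page does not list them), and `Get-WinlogonFindings` is a hypothetical helper name.

```powershell
# Added example: read-only audit of Winlogon start-up values.
# It reports unexpected entries and never writes to the registry.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Standard defaults (assumption: stock Windows install).
# Shell is normally explorer.exe; Userinit is userinit.exe followed by a comma.
$expected = @{
    Shell    = @('explorer.exe')
    Userinit = @("$env:SystemRoot\system32\userinit.exe")
}

function Get-WinlogonFindings {
    param([string[]]$KeyPaths, [hashtable]$Defaults)
    foreach ($key in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $Defaults.Keys) {
            $raw = $props.$name
            # A blank or absent value is acceptable, as in step 3.
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            # Both values are comma-separated program lists; check each entry.
            foreach ($entry in ($raw -split ',')) {
                $entry = $entry.Trim().Trim('"')
                if ($entry -eq '') { continue }
                # -notcontains compares case-insensitively.
                if ($Defaults[$name] -notcontains $entry) {
                    [pscustomobject]@{ Key = $key; Value = $name; Entry = $entry }
                }
            }
        }
    }
}

Get-WinlogonFindings -KeyPaths $paths -Defaults $expected | Format-Table -AutoSize
```

Each row printed is a file to write down for step 4; no output means both values hold only their defaults.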

However, even if this works for you, it only unblocks the computer. We highly recommend thinking about the prevention of such infections. For that you can use the previously mentioned programs. Besides, don't forget to think about the safety of your files and about backups. For that you can use USB external hard drives, CDs, DVDs, or simply rely on online backups, such as Google Drive, Dropbox, Flickr and other solutions.


About the author

Lucia Danes - Virus researcher


  1. rhtoews says:
    August 12th, 2014 at 1:31 am

    This is clearly an “inside job”. The technique used was SQL Injection. As a computer scientist myself, I know exactly how to implement SQL Injection and how to design software to prevent such attacks. I had no idea that my Synology DS had a SQL interface which was vulnerable. I know that there were warning emails in January 2014, and I'm pretty sure we complied with them, so I don't quite understand Synology's statements that the vulnerability was “fixed” after that.
    This attack was quite complex, so it was obviously planned well as a way to make a lot of money by cyber extortion.
    I know that it is not too difficult to break any particular machine, but in this case the perpetrators broke into a whole lot of machines in just a few days. The passwords of any server can be broken with the right software and enough time, but we are not just talking about a few servers here. There are over 4.2 billion IP addresses on the Internet. Just how did the perpetrators know which ones to attack? You can't simply do a search for all Synology servers on the Internet and come up with a list of IP addresses in a practical amount of time. The list of IP addresses MUST have come from Synology's internal records which were based on product registrations and update downloads.
    I don't know if this attack happened because a disgruntled employee released the list of IP addresses or what, but the evidence says that the information necessary to execute this attack came from Synology itself, and they are responsible for the consequences.
    Robert Toews
    CEO, CompuCall, Inc.
