# Cr1ptT0r Ransomware Infects D-Link NAS Devices, Targets Embedded Systems **[bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/](https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/)** Ionut Ilascu By [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) February 22, 2019 06:18 AM 2 A new ransomware called Cr1ptT0r built for embedded systems targets network attached storage (NAS) equipment exposed to the internet to encrypt data available on it. [Cr1ptT0r was first discovered in the BleepingComputer forums where users stated that](https://www.bleepingcomputer.com/forums/t/691852/cr1ptt0r-ransomware-files-encrypted-readmetxt-support-topic/page-3) [their D-Link DNS-320 devices were infected by the ransomware. D-Link no longer sells](http://forums.dlink.com/index.php?topic=51407.0) the DNS-320 enclosure but the product page indicates that it is still supported. However, the [newest firmware revision came out in 2016 and there are plenty of known bugs that can be](https://support.dlink.com/ProductInfo.aspx?m=DNS-320) leveraged to compromise the equipment. [Scanning the malicious ELF binary on Thursday showed a minimum detection rate on](https://www.virustotal.com/#/file/9a1de00dbc07271a27cb4806937802007ae5a59433ca858d52678930253f42c1/detail) VirusTotal, with only one antivirus engine identifying Cr1ptT0r as a threat. At the time of publishing, the malware is picked up by at least six antivirus engines. ## Old firmware is a sitting duck Details are scarce at the moment, but BleepingComputer forum members offer information suggesting that the attack vector is most likely vulnerabilities in old firmware. A member of the Cr1ptT0r team confirmed this to us, saying that there are so many vulnerabilities in DLink DNS-320 NAS models that they should be built from scratch to make things better. ----- Although old versions of the firmware for DNS-320 are known to be vulnerable to at least [one bug leading to remote code execution, a hard-coded backdoor was published in 2018](http://roberto.greyhats.it/advisories/20120208-dlink-rce.txt) for [ShareCenter DNS‑320L.](https://eu.dlink.com/uk/en/products/dns-320l-sharecenter-2-bay-cloud-storage-enclosure) Some users affected by Cr1ptT0r admitted to having an outdated firmware version installed and that their device was exposed to the internet at the time of the attack. The malware drops two plain text files on the infected devices. One is the ransom note called "_FILES_ENCRYPTED_README.txt," which gives information to the victim on how to get more details about what happened and how to reach the ransomware operators to pay the ransom in exchange for the file decryption key. h/t Desdra The ransom note points the victim to the Cr1ptT0r decryption service, which holds the same contact details and the steps for getting the unlock key. To verify that they can decrypt the data, the operators offer to unlock the first file for free. The other text file has the name "_cr1ptt0r_support.txt" and stores the address of a website in the Tor network. This is a support URL that victims can provide if they are at a loss about what to do; it enables a remote shell on an infected device if it is online. The Cr1ptT0r group member added that the URLs and IP addresses are not logged, so there is no correlation between data and the victim. Although the Cr1ptT0r member says they are just interested in getting paid and that spying is not on their agenda, they cannot guarantee privacy. ## Synolocker decryption keys also available [Keys for unlocking files are sold via OpenBazaar marketplace, for BTC 0.30672022 (about](https://openbazaar.com/store/home/QmcVHJWngBD67hhqXipFvhHcgv1RYLBGcpthew7d9pC3rq) $1,200 at the current Bitcoin price). There is also an option to pay less for individual file decryption. The cost for this is $19.99 and you have to send the encrypted file to receive it ----- decrypted. A recent update to the OpenBazaar store page shows that the operator of the [ransomware also offers decryption keys for Synolocker for the same price. This](https://www.bleepingcomputer.com/forums/t/543426/synolocker-ransomware-targets-synology-nas-devices/) [ransomware strain did serious damage back in 2014 when it infected NAS servers from](https://www.synology.com/en-global/security/advisory/SynoLocker) Synology that ran outdated versions of the DiskStation Manager containing two vulnerabilities. This was possible despite the vendor releasing the patches at least eight months before. The crew behind Synolocker shut down their website in mid-2014 and offered to sell in bulk all the unclaimed decryption key they had for 200 BTC (about $100,000 at the time), over 5,500 of them. The [crew announced that when all the databases would be permanently](https://www.f-secure.com/weblog/archives/00002733.html) deleted when closing the website. Today, matching the private key that unlocks the data in lack of a victim ID is possible via by brute-forcing, a process that is fairly quick in this case, with a few minutes to complete, the ransomware handler told us. ## No extension added to locked files The ransomware, which is an ELF ARM binary, does not append a specific extension to the [encrypted data, but security researcher Michael Gillespie did a brief analysis of the malware](https://twitter.com/demonslay335) and the files it encrypts and found it added the end-of-file marker "_Cr1ptT0r_" ----- file marker, h/t [@demonslay335](https://twitter.com/demonslay335) He also says that the strings he noticed suggest that this ransomware strain uses the [Sodium crypto library and that it uses the "curve25519xsalsa20poly1305" algorithm for](https://umbrella.cisco.com/blog/2013/03/06/announcing-sodium-a-new-cryptographic-library/) asymmetric encryption. We received confirmation about these details from the Cr1ptT0r group member we talked to. The public key (256-bit) used for encrypting the data is available in a separate file named "cr1ptt0r_logs.txt," which stores a list of the encrypted files as well, and it is also appended at the end of the encrypted files, just before the marker. Gillespie says that it matches the encryption algorithm he noted above. At the moment, the ransomware handler seems interested in targeting NAS devices, which are popular with small businesses to store and share data internally. This is likely the reason for the steep ransom demand. Cr1ptT0r is new on the market, but it looks like it's planning a long stay. It is built for Linux systems, with a focus on embedded devices, but it can be adapted to Windows, too, according to its maker. The end game is making money, and, as someone familiar with this sort of business told us, it can have an almost infinite return on investment. The malware does not have a significant presence at the moment but it could turn into a nasty threat. ----- **[Update 2/27/19: D-Link issued a security advisory for this ransomware.](https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10110)** ### Related Articles: [QNAP alerts NAS customers of new DeadBolt ransomware attacks](https://www.bleepingcomputer.com/news/security/qnap-alerts-nas-customers-of-new-deadbolt-ransomware-attacks/) [QNAP warns of ransomware targeting Internet-exposed NAS devices](https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-targeting-internet-exposed-nas-devices/) [BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state](https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-asks-5-million-to-unlock-austrian-state/) [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) ## IOCs ### Hash: ``` 9a1de00dbc07271a27cb4806937802007ae5a59433ca858d52678930253f42c1 File names: cr1ptt0r Ransom note text: All your files have been encrypted using strong encryption! For more information visit our website: https://openbazaar.com/store/home/QmcVHJWngBD67hhqXipFvhHcgv1RYLBGcpthew7d9pC3rq If the website is unavailable you need to download the OpenBazaar application from: https://openbazaar.org/download/ You can then visit the store via this url: ob://QmcVHJWngBD67hhqXipFvhHcgv1RYLBGcpthew7d9pC3rq/store We are also reachable via these instant messaging sotwares: toxchat: https://tox.chat/download.html User ID: AE737ECB916BE24B41543BAD5B24710C5B9DB701592013A6EBBCC0A544931E6145C7D950B82F bitmessage: https://bitmessage.org/wiki/Main_Page User ID: BM-NBcQxmkfyoVxSRE8WJQqEbXw1s63CMEq Kind regards from the Cr1ptT0r team. ``` [Cr1ptT0r](https://www.bleepingcomputer.com/tag/cr1ptt0r/) [DLink](https://www.bleepingcomputer.com/tag/dlink/) [NAS](https://www.bleepingcomputer.com/tag/nas/) ----- [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia. [Previous Article](https://www.bleepingcomputer.com/news/security/apple-adds-better-cross-site-tracking-prevention-in-ios-122-beta-and-safari-121/) [Next Article](https://www.bleepingcomputer.com/offer/deals/get-97-percent-off-the-machine-learning-and-data-science-certification-training-bundle/) ### Comments ----- [Bullwinkle-J-Moose - 3 years ago](https://www.bleepingcomputer.com/forums/u/1092878/bullwinkle-j-moose/) Remote code execution due to old firmware is irrelevant if I'm allowed to hardware write protect the drive Over 10 years ago, Western Digital's email response to my asking for hardware write protection was.... You cannot make required changes or get updates if the drive is write protected! My response to their response is still the same..... The entire contents are scanned for malware and this is DATA I NEED TO KEEP! There is no need for changes or updates! Seagate's response was equally lame and not listed here -----------------------------------------------------------------------------------Hello Manufacturers: We need to KEEP our data and stop relying on firmware updates that never work GET A CLUE! -------------------------------------But what if we NEED to make changes to the data? You Don't! Keep the old data write protected Timestamp the new data being written and figure out a way to write protect it immediately or stop selling this garbage altogether If I wanted temporary data, I'd just write it to RAM! ----- [woody188 - 3 years ago](https://www.bleepingcomputer.com/forums/u/1027758/woody188/) Why would anyone put their NAS on the Internet to begin with? Maybe should have hired a professional instead of asking your nephew who plays Fortnite and claims to know computers to set up your SMB devices. Doh! I know I'm blaming the victim but get a clue. Stupid is as stupid does. Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----