{
	"id": "e640b172-eeb2-48e4-9960-1f97ccdb34db",
	"created_at": "2026-04-06T00:14:48.697387Z",
	"updated_at": "2026-04-10T03:30:47.822962Z",
	"deleted_at": null,
	"sha1_hash": "873ca9e2a04e931df0da8b588f95e85d123b5e82",
	"title": "Cr1ptT0r Ransomware Infects D-Link NAS Devices, Targets Embedded Systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2352224,
	"plain_text": "Cr1ptT0r Ransomware Infects D-Link NAS Devices, Targets Embedded\r\nSystems\r\nBy Ionut Ilascu\r\nPublished: 2019-02-22 · Archived: 2026-04-05 21:55:27 UTC\r\nA new ransomware called Cr1ptT0r built for embedded systems targets network attached storage (NAS) equipment exposed\r\nto the internet to encrypt data available on it.\r\nCr1ptT0r  was first discovered in the BleepingComputer forums where users stated that their D-Link DNS-320 devices were\r\ninfected by the ransomware. D-Link no longer sells the DNS-320 enclosure but the product page indicates that it is still\r\nsupported. However, the newest firmware revision came out in 2016 and there are plenty of known bugs that can be\r\nleveraged to compromise the equipment.\r\nScanning the malicious ELF binary on Thursday showed a minimum detection rate on VirusTotal, with only one antivirus\r\nengine identifying Cr1ptT0r as a threat. At the time of publishing, the malware is picked up by at least six antivirus engines.\r\nhttps://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nOld firmware is a sitting duck\r\nDetails are scarce at the moment, but BleepingComputer forum members offer information suggesting that the attack vector\r\nis most likely vulnerabilities in old firmware. A member of the Cr1ptT0r team confirmed this to us, saying that there are so\r\nmany vulnerabilities in D-Link DNS-320 NAS models that they should be built from scratch to make things better.\r\nAlthough old versions of the firmware for DNS-320 are known to be vulnerable to at least one bug leading to remote code\r\nexecution, a hard-coded backdoor was published in 2018 for ShareCenter DNS‑320L.\r\nSome users affected by Cr1ptT0r admitted to having an outdated firmware version installed and that their device was\r\nexposed to the internet at the time of the attack.\r\nThe malware drops two plain text files on the infected devices. One is the ransom note called\r\n\"_FILES_ENCRYPTED_README.txt,\" which gives information to the victim on how to get more details about what\r\nhappened and how to reach the ransomware operators to pay the ransom in exchange for the file decryption key.\r\nh/t Desdra\r\nThe ransom note points the victim to the Cr1ptT0r decryption service, which holds the same contact details and the steps for\r\ngetting the unlock key.\r\nTo verify that they can decrypt the data, the operators offer to unlock the first file for free.\r\nThe other text file has the name \"_cr1ptt0r_support.txt\" and stores the address of a website in the Tor network. This is a\r\nsupport URL that victims can provide if they are at a loss about what to do; it enables a remote shell on an infected device if\r\nit is online. The Cr1ptT0r group member added that the URLs and IP addresses are not logged, so there is no correlation\r\nbetween data and the victim.\r\nAlthough the Cr1ptT0r member says they are just interested in getting paid and that spying is not on their agenda, they\r\ncannot guarantee privacy.\r\nSynolocker decryption keys also available\r\nKeys for unlocking files are sold via OpenBazaar marketplace, for BTC 0.30672022 (about $1,200 at the current Bitcoin\r\nprice). There is also an option to pay less for individual file decryption. The cost for this is $19.99 and you have to send the\r\nencrypted file to receive it decrypted.\r\nA recent update to the OpenBazaar store page shows that the operator of the ransomware also offers decryption keys for\r\nSynolocker for the same price. This ransomware strain did serious damage back in 2014 when it infected NAS servers from\r\nSynology that ran outdated versions of the DiskStation Manager containing two vulnerabilities. This was possible despite\r\nthe vendor releasing the patches at least eight months before.\r\nThe crew behind Synolocker shut down their website in mid-2014 and offered to sell in bulk all the unclaimed decryption\r\nkey they had for 200 BTC (about $100,000 at the time), over 5,500 of them. The crew announced that when all the databases\r\nhttps://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/\r\nPage 3 of 5\n\nwould be permanently deleted when closing the website.\r\nToday, matching the private key that unlocks the data in lack of a victim ID is possible via by brute-forcing, a process that is\r\nfairly quick in this case, with a few minutes to complete, the ransomware handler told us.\r\nNo extension added to locked files\r\nThe ransomware, which is an ELF ARM binary, does not append a specific extension to the encrypted data, but security\r\nresearcher Michael Gillespie did a brief analysis of the malware and the files it encrypts and found it added the end-of-file\r\nmarker \"_Cr1ptT0r_\"\r\nHe also says that the strings he noticed suggest that this ransomware strain uses the Sodium crypto library and that it uses\r\nthe \"curve25519xsalsa20poly1305\" algorithm for asymmetric encryption. We received confirmation about these details from\r\nthe Cr1ptT0r group member we talked to.\r\nThe public key (256-bit) used for encrypting the data is available in a separate file named \"cr1ptt0r_logs.txt,\" which stores a\r\nlist of the encrypted files as well, and it is also appended at the end of the encrypted files, just before the marker. Gillespie\r\nsays that it matches the encryption algorithm he noted above.\r\nAt the moment, the ransomware handler seems interested in targeting NAS devices, which are popular with small businesses\r\nto store and share data internally. This is likely the reason for the steep ransom demand.\r\nCr1ptT0r is new on the market, but it looks like it's planning a long stay. It is built for Linux systems, with a focus on\r\nembedded devices, but it can be adapted to Windows, too, according to its maker. The end game is making money, and, as\r\nsomeone familiar with this sort of business told us, it can have an almost infinite return on investment. The malware does\r\nnot have a significant presence at the moment but it could turn into a nasty threat.\r\nUpdate 2/27/19: D-Link issued a security advisory for this ransomware.\r\nIOCs\r\nHash:\r\n9a1de00dbc07271a27cb4806937802007ae5a59433ca858d52678930253f42c1\r\nFile names:\r\ncr1ptt0r\r\nhttps://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/\r\nPage 4 of 5\n\nRansom note text:\r\nAll your files have been encrypted using strong encryption!\r\nFor more information visit our website: https://openbazaar.com/store/home/QmcVHJWngBD67hhqXipFvhHcgv1RYLBGcpthew7d9pC3rq\r\nIf the website is unavailable you need to download the OpenBazaar application from: https://openbazaar.org/download/\r\nYou can then visit the store via this url: ob://QmcVHJWngBD67hhqXipFvhHcgv1RYLBGcpthew7d9pC3rq/store\r\nWe are also reachable via these instant messaging sotwares:\r\ntoxchat: https://tox.chat/download.html\r\nUser ID: AE737ECB916BE24B41543BAD5B24710C5B9DB701592013A6EBBCC0A544931E6145C7D950B82F\r\nbitmessage: https://bitmessage.org/wiki/Main_Page\r\nUser ID: BM-NBcQxmkfyoVxSRE8WJQqEbXw1s63CMEq\r\nKind regards from the Cr1ptT0r team.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/\r\nhttps://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/\r\nPage 5 of 5\n\nthe vendor releasing The crew behind the patches Synolocker shut at least eight months down their website before. in mid-2014 and offered to sell in bulk all the unclaimed decryption\nkey they had for 200 BTC (about $100,000 at the time), over 5,500 of them. The crew announced that when all the databases\n   Page 3 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/"
	],
	"report_names": [
		"cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems"
	],
	"threat_actors": [
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775791847,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/873ca9e2a04e931df0da8b588f95e85d123b5e82.pdf",
		"text": "https://archive.orkl.eu/873ca9e2a04e931df0da8b588f95e85d123b5e82.txt",
		"img": "https://archive.orkl.eu/873ca9e2a04e931df0da8b588f95e85d123b5e82.jpg"
	}
}