Cr1ptT0r Ransomware targets D-Link NAS Devices and embedded systems

Pierluigi Paganini February 23, 2019

A new piece of ransomware called Cr1ptT0r infects embedded systems and network attached storage (NAS) devices exposed online.

A new piece of ransomware called Cr1ptT0r was discovered by experts, it infects embedded systems and network attached storage (NAS) devices exposed online.

The discovery of the Cr1ptT0r ransomware was first reported in a discussion on the BleepingComputer forums. A user reported that their D-Link DNS-320 device had been infected by the malicious code.

The D-Link DNS-320 model is no longer available for sale. One of the forum members explained that the firmware of their NAS had never been updated and that the device was exposed to the WAN through port 8080, FTP port 21, and a range of ports used for port forwarding.

The newest firmware revision dates back to 2016 and is known to be affected by several bugs that can be exploited to compromise the device.

At the time of the discovery, the malicious ELF binary showed a minimum detection rate on VirusTotal.

Information shared by BleepingComputer forum members suggests the attackers leveraged known flaws in old firmware, a circumstance that a member of the Cr1ptT0r team confirmed to us, saying that there are so many vulnerabilities in D-Link DNS-320 NAS models that they should be rebuilt from scratch to make things better.

The list of flaws in old versions of the D-Link DNS-320 firmware includes at least a remote code execution vulnerability and a hard-coded backdoor disclosed in 2018 for the ShareCenter DNS-320L.

Once the malware has infected a system, it drops two plain-text files. One is a ransom note called “_FILES_ENCRYPTED_README.txt,” which tells the victim what has happened and gives instructions on how to pay the ransom.


Cr1ptT0r ransom-note

Like other ransomware operations, the operators allow victims to decrypt one file for free.

The second text file, named “_cr1ptt0r_support.txt,” includes the onion address of a website that offers support to victims. The hidden service also enables a remote shell on an infected device if it is online.

“The Cr1ptT0r group member added that the URLs and IP addresses are not logged, so there is no correlation between data and the victim.” wrote Bleeping Computer.

“Although the Cr1ptT0r member says they are just interested in getting paid and that spying is not on their agenda, they cannot guarantee privacy.”

The operators offer decryption keys via the OpenBazaar marketplace for 0.30672022 BTC (about $1,200). It is also possible to have a single file decrypted for $19.99; in this case, victims have to send the encrypted file to the operators.

Bleeping Computer noticed that the operators of the ransomware also offer decryption keys for the Synolocker ransomware at the same price. This second ransomware made the headlines in 2014 when it infected Synology NAS servers running outdated versions of DiskStation Manager.

No extension added to locked files

The ransomware is an ELF ARM binary that does not append a specific extension to the encrypted files.

The popular malware researcher Michael Gillespie discovered that the ransomware appends the end-of-file marker “_Cr1ptT0r_” to the encrypted files.

“He also says that the strings he noticed suggest that this ransomware strain uses the Sodium crypto library and that it uses the “curve25519xsalsa20poly1305” algorithm for asymmetric encryption. We received confirmation about these details from the Cr1ptT0r group member we talked to.” continues Bleeping Computer.

“The public key (256-bit) used for encrypting the data is available in a separate file named “cr1ptt0r_logs.txt,” which stores a list of the encrypted files as well, and it is also appended at the end of the encrypted files, just before the marker. Gillespie says that it matches the encryption algorithm he noted above.”
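Because Cr1ptT0r leaves file names and extensions untouched, a responder cannot triage an affected NAS by name alone. The following is an added example, not code from the article or from the ransomware's authors: it identifies encrypted files purely from the trailer layout the article describes (ciphertext, then the 256-bit public key, then the literal “_Cr1ptT0r_” marker at the very end of the file), extracts the appended public key, and flags the three plain-text artifacts by name. The sample directory it builds is constructed for the demonstration; the layout assumption (exactly 32 key bytes immediately before the marker) is taken from the article and should be confirmed against real samples before relying on it.

```python
"""Triage helper for Cr1ptT0r file artifacts (added example, not the malware's code).

Assumed on-disk layout of an encrypted file, from the article:
    <ciphertext> <32-byte curve25519 public key> "_Cr1ptT0r_"
No extension is added, so detection is content-based rather than name-based.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterator, Optional

MARKER = b"_Cr1ptT0r_"
PUBKEY_LEN = 32  # 256-bit public key, as described in the article
TRAILER_LEN = PUBKEY_LEN + len(MARKER)

# Plain-text files the ransomware drops (names taken from the article).
ARTIFACT_NAMES = {
    "_FILES_ENCRYPTED_README.txt",
    "_cr1ptt0r_support.txt",
    "cr1ptt0r_logs.txt",
}


@dataclass
class Finding:
    path: str
    kind: str                  # "encrypted" or "artifact"
    pubkey_hex: Optional[str]  # set only for "encrypted"


def parse_encrypted(data: bytes) -> Optional[bytes]:
    """Return the appended public key if `data` ends with the Cr1ptT0r trailer, else None.

    Only the tail of the file is needed; callers may pass just the last TRAILER_LEN bytes.
    """
    if len(data) < TRAILER_LEN or not data.endswith(MARKER):
        return None
    return data[-TRAILER_LEN:-len(MARKER)]


def scan_tree(root: str) -> Iterator[Finding]:
    """Walk `root`, yielding dropped artifacts by name and encrypted files by trailer."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in ARTIFACT_NAMES:
                yield Finding(path, "artifact", None)
                continue
            try:
                with open(path, "rb") as fh:
                    # Read only the trailer; large media files on a NAS need not be fully read.
                    fh.seek(0, os.SEEK_END)
                    size = fh.tell()
                    fh.seek(max(0, size - TRAILER_LEN))
                    tail = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            key = parse_encrypted(tail)
            if key is not None:
                yield Finding(path, "encrypted", key.hex())


def summarize(findings) -> Dict[str, object]:
    """Count artifacts and group encrypted files by the public key they carry.

    One infection should use one key; several distinct keys across a device would
    suggest more than one run or more than one operator key and is worth noting.
    """
    keys: Dict[str, int] = {}
    artifacts = 0
    for f in findings:
        if f.kind == "artifact":
            artifacts += 1
        else:
            keys[f.pubkey_hex] = keys.get(f.pubkey_hex, 0) + 1
    return {"artifacts": artifacts, "encrypted": sum(keys.values()), "keys": keys}


def build_sample(root: str) -> None:
    """Write a constructed sample tree (not real ransomware output) under `root`."""
    fake_key = bytes(range(32))  # constructed placeholder, not a real operator key
    for name in ("photo.jpg", "report.docx"):  # names unchanged, as the article notes
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\xAA" * 100 + fake_key + MARKER)
    with open(os.path.join(root, "untouched.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    with open(os.path.join(root, "_FILES_ENCRYPTED_README.txt"), "w") as fh:
        fh.write("constructed placeholder ransom note\n")


def demo() -> Dict[str, object]:
    """Build the sample tree in a temp directory, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return summarize(scan_tree(root))


if __name__ == "__main__":
    print(demo())
```

Pointing `scan_tree` at a mounted share from a suspect device yields the list of affected files and the operator public key actually embedded in them, which is the value to record in the incident notes alongside the marker; note that the scan reads only the last 42 bytes of each file.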

Even though Cr1ptT0r has only recently appeared in the threat landscape, experts believe it will be a dangerous threat due to its ability to infect embedded systems and the possibility of adapting its code to infect Windows machines.

Further details, including IoCs, are reported in the analysis published by Bleeping Computer.


Pierluigi Paganini

(SecurityAffairs – Cr1ptT0r, ransomware)
