Nasty Cr1ptT0r Ransomware: Threat to NAS
Data is a critical aspect for both individuals and companies. Without data companies cannot work nor can they provide what customers expect from them. Hence companies always need a storage media that is easily accessible. Because absence of data accessibility or loss of data contributes to potential loss of business. The most popular data storage solution used by companies these days is NAS. As this data storage solution incurs less investment, gives ease of operation, data backup and growth capability, it has become a personal favourite for both small and big companies.
Owing to which hackers too are now targeting NAS devices. Cybercriminals are employing a new strain of ransomware called Cr1pT0r to target NAS devices for their financial gain. The campaign was discovered in February after holders of D-Link DNS-320 reported that their device has been crypto locked.
What is Network Attached Storage and why is it targeted?
Network attached storage (NAS) is a devoted file storage that allows more than one user and heterogeneous client devices to recover data from centralized disk capacity. NAS devices are do not have a keyboard or display they are configured and managed with a browser-based utility. NAS devices are typically linked to servers running Linux operating system.
Due to vulnerabilities detected and old firmware in D-Link DNS 320 it is exploited by cybercriminals. The device was exposed to WAN through 8080 ports, FTP port 21 and a range of ports for port forwarding. Not only this in 2018, a hard-coded backdoor was also noticed in this router. This backdoor permitted hacker to gain unauthorized access for victim’s network.
Besides, this as firmware of certain NAS devices are not updated regularly, the weaknesses are not patched. Larger the number of unpatched devices more is the risk of being attacked.
An unpatched device is ripe target for attack
What is Cr1ptT0r?
Cr1ptT0r is an encryption Trojan ransomware that seems to target Network Assigned Storage (NAS) devices.
This ransomware is distributed via bargained router targeting NAS storage in the process. Once Cr1ptT0r has access to the victim’s machine, it uses a strong encryption to block all the file making them inaccessible.
The malware then saves two plain text files in victims machine, one is the ransom note called “_FILES_ENCRYPTED_README.txt,” that provides information about how victim can reach the ransomware operator to pay ransom, receive decryption key and know what is happening with the system.
Second file is named “_cr1ptt0r_support.txt” and it has the address of a website in the Tor network. If victims fail to understand what they should do they can use this support URL.
Due to its ability to infect embedded systems and the possibility to adapt its code to infect Windows machines Cr1ptT0r is a treacherous threat.
What all devices are targeted by Cr1ptT0r?
The new ransomware strain is targeting several types of D-Link devices that are connected to the Internet in a manner that is not secure and has known vulnerabilities or do not support the latest firmware or is security patched.
Do I need to pay ransom to get my data back?
As of writing, ransomware operator allows victim to unlock one file for free. After which victim who want to get the data need to pay ransom and provide Cr1ptT0r with the type and firmware version of the device. Once the ransom is paid victim receives a script to decrypt files.
Moreover, victim can get decryption from OpenBazaar marketplace, for BTC 0.30672022 (about $ 1,200). If target wants to unlock any specific file, then by paying $19.99 this can be done. In such a case the file needs to be sent to the operator.
Apart from this, Bleeping Computer noticed that the operators also offer decryption key for Synolocker ransomware that made headlines in 2014 for the same price.
Don’t even think for a second that you are secure. A flaw in your device or network security can make you a victim. Therefore, to stay protected from such unforeseen attacks always keep backup of your important data. Plus, run an updated anti malware on your system like Systweak’s Advanced System Protector.