Cr1ptT0r Ransomware (_FILES_ENCRYPTED_README.txt) Support Topic


226 replies to this topic

#31 JeanMi (Topic Starter, Members, 12 posts)

Posted 21 February 2019 - 02:14 PM

@Demonslay335

Attached you find a set of files as samples. Sorry, I found no Office or exe file that was both in my backups and in the encrypted drive.

Second trial: the files were too big.

So 1/2: Encrypted and 2/2: Safe, but I had to remove 2 files due to space limitations.

Sorry.

Attached Files




#32 Demonslay335 (Ransomware Hunter, Security Colleague, 4,770 posts, USA)

Posted 21 February 2019 - 03:00 PM

@Manikem

Your first file is not encrypted; it's just an earlier version of the other file, per the Last Modified property (2017 vs 2019).

Also, I just realized the public key in the log is also embedded at the end of the encrypted files (just before the filemarker).

 

(Attached screenshot: 2019-02-21_1400.png)

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#33 Manikem (Members, 7 posts)

Posted 21 February 2019 - 03:07 PM

@Demonslay335

Sorry for the mistake, I forgot that I restored this particular file.

2 new files attached.

Thank you

Attached Files



#34 RESolver (Members, 14 posts)

Posted 21 February 2019 - 03:09 PM

Hi,

@RESolver

My D-Link NAS is a DNS-320LW (the white version of the more widespread DNS-320L, with full firmware compatibility), and I must confess that I had not updated the firmware, so it should be a basic 1.01.

(Ironically, I identified the need to update just a few days before the attack, and downloaded the latest firmware, but too late. I found more FW versions here: https://support.dlink.com/ProductInfo.aspx?m=DNS-320L )

My NAS was exposed to WAN only through port 8080 http, and ftp port 21 + range, with port forwarding.

I feel like the firmware has been modified because, in addition to the .txt files that we all found on the root directory, I have a new "Application" with a bright red icon that appeared in the user interface. Or was the malware in the firmware from the beginning, designed to start on Feb 16th, 2019?

(Seems strange that the malware opened up simultaneously, as we are now a few victims but there was no previous reference on the whole internet before my creation of this topic.)

Hope this info helps; if you need more, ask for precisions!

Thank you for the info, your information makes the RCE hypothesis stronger.
If you have a way, try to dump the entire system, by ssh? telnet? whatever, or try with the serial interface (some info: https://groups.google.com/forum/#!topic/alt-f/FmpgPNfIwNs )

It has been a while since I played with embedded devices, but I guess, and I'm pretty sure, that such a device's bootloader is based on U-Boot, so that means there is a way to dump the partitions from there (typically by tftp).

If you have the right skills, a full dump would be very appreciated! Alternatively, as I said before, a dump file by file by ssh or telnet can be enough.

@Desdra

Here is what the user interface looks like. The red dot with README is the new thing.

ShareCenter < 1.06 can be vulnerable, check it out here: https://www.exploit-db.com/exploits/43434


Edited by RESolver, 21 February 2019 - 03:23 PM.


#35 Manikem (Members, 7 posts)

Posted 21 February 2019 - 03:21 PM

@RESolver

Probably misunderstood my firmware version, incredible!!!!

Thank you

Attached Files

  • DNS.png (66.73KB)


#36 RESolver (Members, 14 posts)

Posted 21 February 2019 - 03:36 PM

@RESolver

Probably misunderstood my firmware version, incredible!!!!

Thank you

Aligned with the theory, the version can be read as:

2.00.MMDD.YYYY ---> from your picture: Version 2.00, it matches 17/12/2010

http://roberto.greyhats.it/advisories/20120208-dlink-rce.txt

[AFFECTED PRODUCTS]
We confirm the presence of the security vulnerabilities on the following
products/firmware versions:

   * DNS-320, firmware version 2.00.1217.2010


#37 Manikem (Members, 7 posts)

Posted 21 February 2019 - 03:48 PM

[REMEDIATION]
We are not aware of an updated firmware that corrects the issue described in
this advisory.

[DISCLOSURE TIME-LINE]
* 22/12/2011 - Initial vendor contact.
* 27/12/2011 - Vendor replied.
* 28/12/2011 - Emaze asks for a technical contact to discuss the details of
         the vulnerability. Publication date set to January 18th,
         2012.
* 02/01/2012 - No response from the vendor. The author re-sent the last
         e-mail.
* 17/01/2012 - Still no reply from the vendor. The author re-sent the
         e-mail, again.
* 31/01/2012 - Sent another e-mail to vendor, to inform about the intention
         to publicly disclose the vulnerability within February, 3rd.
* 08/02/2012 - Still no reply. Disclosure.



#38 Desdra (Members, 17 posts)

Posted 21 February 2019 - 04:48 PM

Hi,

I just looked at my interface, and nothing about a red icon. (But in fact, I don't remember at all about the "amazon" one either....)

@Desdra

Here is what the user interface looks like. The red dot with README is the new thing.

#39 Desdra (Members, 17 posts)

Posted 21 February 2019 - 05:10 PM

@Demonslay335
This is the public key I have in my _cr1ptt0r_log.txt:

encrypting using public key: 10ca698a4285799398af92bd7f8b1429fc44a9bffb49ae7afe2d70f3b779cd73

@RESolver
I just checked, and my NAS is a D-Link DNS-320 rev B. It says that the current firmware is 1.01 (07/02/2013).
But I was pretty sure that I did the update after that date (because I bought it on 23/11/2013....). It's quite strange.....
So I just updated it again now with the last version (1.01b02 - 29/09/2013). But even if the system told me that the upgrade was successful, it still indicates "current firmware version 1.01 (07/02/2013)".
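Two observations in this thread, the public key recorded in _cr1ptt0r_log.txt (quoted just above) and Demonslay335's note in #32 that the same key is embedded at the end of each encrypted file just before the filemarker, give a simple way to triage a recovered share: look for that key in the tail of every file. The script below is an added example written for this page, not a tool from the thread; it assumes the key appears either as raw bytes or as ASCII hex within the last 4 KB of a file, the sample tree it builds is constructed, and the filemarker value is a placeholder because the thread does not quote it.

```python
import os
import tempfile

LOG_PUBLIC_KEY_HEX = "10ca698a4285799398af92bd7f8b1429fc44a9bffb49ae7afe2d70f3b779cd73"  # key quoted from the log extract above
TAIL_BYTES = 4096  # assumption: the key sits within the last few KB, just ahead of the filemarker


def key_in_tail(path, key_hex=LOG_PUBLIC_KEY_HEX, tail=TAIL_BYTES):
    """Return "raw" if the key bytes appear in the file tail, "hex" if its ASCII hex form does, else None."""
    raw_key = bytes.fromhex(key_hex)
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - tail))  # only read the tail, so large files stay cheap
        data = fh.read()
    if raw_key in data:
        return "raw"
    if key_hex.lower().encode() in data.lower():
        return "hex"
    return None


def scan_tree(root, key_hex=LOG_PUBLIC_KEY_HEX):
    """Walk root and return sorted (relative path, encoding) pairs for files whose tail carries the key."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found = key_in_tail(full, key_hex)
            if found:
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), found))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample share: two files carrying the key in their tail, one untouched file."""
    root = tempfile.mkdtemp(prefix="cr1ptt0r_sample_")
    marker = b"_MARKER_PLACEHOLDER_"  # the real filemarker is not quoted in this thread
    raw_key = bytes.fromhex(LOG_PUBLIC_KEY_HEX)
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "budget.xls"), "wb") as fh:
        fh.write(os.urandom(10000) + raw_key + marker)  # key stored as raw bytes
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(os.urandom(300) + LOG_PUBLIC_KEY_HEX.encode() + marker)  # key stored as hex text
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"plain text file that was never touched\n")
    return root


if __name__ == "__main__":
    for rel, how in scan_tree(build_sample_tree()):
        print(f"{rel}: key found ({how})")
```

Point scan_tree() at the mounted share to list which files carry the key; a clean file that merely has the ransomware's extension will not match, which helps separate renamed-but-untouched files from encrypted ones.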


#40 Desdra (Members, 17 posts)

Posted 21 February 2019 - 05:33 PM

@Demonslay335

2 files to compare in attachment (xls and pdf).

Attached Files



#41 uffiuffi (Members, 1 post)

Posted 22 February 2019 - 02:41 AM

Dear,

I am in the same situation... and I have the same NAS...

I shut down my NAS before complete encryption of all my files... and I don't have the file _cr1ptt0r_support.txt.


Edited by uffiuffi, 22 February 2019 - 03:46 AM.


#42 Desdra (Members, 17 posts)

Posted 22 February 2019 - 05:41 AM

D-Link just answered my message.
It seems they don't want to recognize the problem.
For them, we introduced corrupt files that compromised their product. It's not a problem with their NAS.

An extract from their mail (sorry, in French; translated here):
It is certain that infected files entered the system, causing the complete failure of the product.
We inform you that D-Link does not support the hard drives inserted into the devices and that we have no record indicating that this is a NAS problem. This type of file always comes from outside and, at the moment they are stored in the device, the NAS or even the computer's own hard drive, they produce the same result.

#43 Manikem (Members, 7 posts)

Posted 22 February 2019 - 05:47 AM

@Desdra

Hello,

Pitiful.

What about the log files that show the files were mounted remotely?

What about the security advisories they ignored?



#44 Desdra (Members, 17 posts)

Posted 22 February 2019 - 05:50 AM

Totally a pity! I'm so angry... Maybe you can try to contact them too? Maybe you'll be luckier than me...

#45 JeanMi (Topic Starter, Members, 12 posts)

Posted 22 February 2019 - 05:52 AM

I did not expect much more from them anyway....





