D-Link NAS infected by Cr1pt0r ransomware

Recommended Posts

I have a D-Link NAS networked storage device that I stupidly put in the DMZ of my router so that I could access my files from anywhere using the password-protected web interface. It seems that there was some vulnerability in the software. Many of us with the same device have been compromised by the Cr1pt0r ransomware. It encrypted every single file individually. It didn't change the file extensions, but encrypted the files and appended some signature data at the end of each file. They want Bitcoin to (supposedly) decrypt. Is there any possibility of decrypting this without paying the ransom?

I have included the ransom instructions and an encrypted file. Unfortunately, since I grabbed a few things quickly and shut it down, I didn't think to grab a file for which I would have an un-encrypted reference. And I'm too worried to turn it back on in case it didn't finish and will continue encrypting my files once power is enabled.


Lots of info here:


Below I have (hopefully) included the ransom note and an example encrypted file.

Steam Mop.xlsx


Edited by kiloman
Adding attachments

Share this post

Link to post
Share on other sites

An earlier description of this Ransomware is available in this article.
There in the title there is a link to the translation of the article into English.

We collected victims in this topic of support around the world

Freelancers tried to find a solution and even decrypt files.

You can compare your case with a lot of others, but so far there is no 100% solution to the problem.

Share this post

Link to post
Share on other sites

First and foremost, if you power on the NAS and allow it to boot up, the ransomware will continue encrypting files. It also opens up a backdoor in the NAS.

To remove the ransomware, you will more than likely need to do a full wipe of the device and install the latest firmware. If you can remove the drives and copy the data from them, then I recommend doing so before doing anything else.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.