Author Topic: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix  (Read 21685 times)

GreenBay42

  • Administrator
DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« on: April 11, 2019, 12:46:21 PM »

Firmware has been released. This or any firmware will NOT recover encrypted files

Rev A1 / A2 - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DNS-320/REVA/DNS-320_REVA_FIRMWARE_v2.06B01.zip


Rev B1 / B2 - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DNS-320/REVB/DNS-320_REVB_FIRMWARE_v1.03B01.zip


It's recommended that users NOT allow any form of external or remote connections to any NAS on their network.

Users are encouraged to have backups of their files that are important to them.

« Last Edit: January 03, 2020, 02:51:39 PM by FurryNutz »

Carloroma63

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #1 on: May 12, 2019, 05:50:29 AM »

Thanks,
installed without problems. I'd like to know if this release includes only the Cr1pT0r fix or also other features and/or bug fixes?
Thanks

Carlo

FurryNutz

  • D-Link Global Forum Moderator
Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #2 on: May 13, 2019, 06:32:47 AM »

The release notes only mention: 1. Fixed Cr1ptT0r ransomware security issue - login_mgr.cgi allows attackers pipe commands to the user.log
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

j-marcelo

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #3 on: May 24, 2019, 05:11:35 AM »

Hello!
I upgraded my DNS 320 A1 from version 2.00 to 2.06B01.
So far so good!
Thanks!

FurryNutz

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #4 on: May 24, 2019, 06:27:44 AM »

Enjoy.  ;)

yanjian

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #5 on: July 24, 2019, 12:27:09 PM »

I finally tried upgrading my DNS-320 A1 from version 2.00 to 2.06B01 but unfortunately, even though the upgrade process appeared to be successful, the NAS was no longer accessible after it rebooted.  Here are the symptoms:

- Web UI admin console no longer accessible
- The NAS never seems to reboot successfully - the power LED stays flashing blue the whole time and no longer changes to solid blue
- The NAS is no longer accessible from Windows Explorer via "\\192.168.1.x"
- The NAS still responds to ping, although it does seem to take a much longer time for it to respond

I'm afraid that I've bricked it :(  Did anyone run into similar issues?  Any help is much appreciated!
« Last Edit: July 24, 2019, 12:28:51 PM by yanjian »

FurryNutz

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #6 on: July 24, 2019, 12:43:05 PM »

Be sure you're accessing the correct IP address for the DNS as it may have changed.

Have you factory reset the DNS and then tried to connect to its web page with a web browser?

yanjian

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #7 on: July 25, 2019, 10:20:23 AM »

Yes, I confirmed that the IP address didn't change.  I tried doing a factory reset but that didn't seem to do anything.  In fact, the NAS wouldn't even shut down when I tried holding down the power button for a few seconds while the power LED was still flashing blue - I had to unplug the power to shut it down.  The power LED would never turn solid blue after bootup like it used to do - it almost seems like it's stuck on something at bootup; of course I have absolutely no idea what it's getting stuck on :(
I even tried pulling out the hard drives and booting it up without the drives in - still the same behavior and the web interface is not accessible :(

FurryNutz

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #8 on: July 26, 2019, 06:17:34 AM »

Try a factory reset without the drives installed. Hold the reset button for 10 seconds then let go...


yanjian

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #9 on: July 26, 2019, 09:30:05 PM »

Thanks for the suggestion - doing a factory reset without the drives did work to the point that the NAS is now able to boot up to a solid blue power LED after ~1 min without the drives (and the web interface is accessible).  However, once I tried putting the drives back in and powering it up, it's the same issue again - I cannot run the setup wizard to reconfigure the NAS because it's still stuck on the flashing blue power LED light (with the drives in it) and the admin console is apparently inaccessible when the NAS is in that state  :(

I believe the drives are good though, as I was able to read it via a Linux reading utility and read the data out from the drives (I had RAID 1 set up before).  I'm wondering if I should reformat both drives and try again, although reloading the data would be a very time consuming process.

brainwaster

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #10 on: September 26, 2019, 10:21:31 AM »

Hi

Does this work on the DNS-320LW? I see on the DLink site that the L has newer firmware than the LW. I always thought the L and LW were the same NAS but the LW was white and not black.

Cheers

Jason

FurryNutz

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #11 on: October 28, 2019, 11:09:38 AM »

This is only for the DNS-320. L is a Cloud based DNS model.
W=White case version


Carloroma63

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix - FIX DO NOT VALID!!!
« Reply #12 on: December 17, 2019, 02:39:33 PM »


WARNING!!!!!! These fixes DO NOT COVER the bug!  Today I was attacked by Cr1pT0r ransomware and a lot of my files were disrupted, until I powered off the NAS!!! My 320 has v2.06 firmware!!

The big problem is that the ransomware is active in the operating system, loaded from disk! Now my NAS is standalone and the cryptography starts again as soon as I power on the NAS. If I remove the disks from it and install a new disk, the virus does not start again; if I put the infected disk back in the NAS, the virus starts again.

How can I stop infection and save my files?

Thanks

carlo

FurryNutz

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #13 on: December 17, 2019, 03:41:33 PM »

When was this version of FW applied to your DNS? When it was first released?

How is your DNS connected to the router? Do you have your DNS setup for remote access by chance?

Wondering if your unit had been infected prior to you loading v2.06... Nobody else has reported being infected after this fix was applied.

The FW is supposed to prevent any more infections. Don't know how to decrypt the files. Do you have a backup of your DNS elsewhere, or is the only copy you have on this infected drive?

Did you factory reset the DNS and setup again after v2.06 was applied?


Carloroma63

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #14 on: December 18, 2019, 12:53:26 PM »

Hi,
I installed version 2.06 on 12 May (see my post in this discussion), when it was announced on this forum, so I was confident I was protected against this ransomware, and I never did a factory reset. In August I formatted the volumes because some "disk full" and "power loss" events damaged the file system structure.

My DNS has been exposed on the Internet for some years and I have a DynDNS service configured. The infection started yesterday.

I've mounted one of the two NAS disks on Windows (using an external USB docking box and the R-Studio utility) and I can see all the files on it. In the root, there is a directory called NAS_Prog, with two dirs inside: _install and cr1ptt0r. _install is empty, cr1ptt0r contains the virus code (a lot of .sh files and some other directories).

Since I shut down the NAS as soon as I saw the infection, there are still a lot of files on the disk that are not encrypted, but I cannot access them because R-Studio (in demo mode) doesn't allow me to save files to the Windows disk. I also cannot delete files on the volume (R-Studio never allows deleting files, not even in the registered version), so I don't know how to remove the virus from the system.

Is there a way to boot the NAS without loading the virus, to access the files without buying an R-Studio licence, or do you know another free utility to access the files directly in Windows? My configuration is two 3TB disks in RAID 1 with two volumes (JBOD).


Thanks

Carlo Spigoli
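
The post above describes a `NAS_Prog` directory in the volume root holding a `cr1ptt0r` add-on full of `.sh` files that starts again whenever the disk is back in the NAS. As an added example (not part of the original thread and not a D-Link tool), this function inventories `NAS_Prog` on a pulled disk and flags add-on directories that are not on an allowlist. It assumes the volume is already mounted read-only on a separate Linux host; the function name, mount point and allowlist are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from D-Link): inventory the add-on
# directory on a NAS data volume that is mounted READ-ONLY on another host.

# audit_nas_prog MOUNTPOINT "ALLOWED NAMES"
#   MOUNTPOINT       where the pulled disk's volume is mounted (assumption)
#   "ALLOWED NAMES"  space-separated add-on directory names you expect
# Prints "OK <name>" or "SUSPECT <name> scripts=<count of *.sh files>".
# Returns 0 if nothing is suspect, 1 if something is, 2 on a bad mount point.
audit_nas_prog() {
    local mnt allowed prog_dir d name count suspect
    mnt="$1"
    allowed=" ${2:-} "          # padded so whole names can be matched
    suspect=0

    [ -d "$mnt" ] || { echo "ERROR not a directory: $mnt" >&2; return 2; }

    # The post names the directory NAS_Prog; match case-insensitively in
    # case the on-disk spelling differs (assumption).
    prog_dir=$(find "$mnt" -maxdepth 1 -type d -iname 'nas_prog' | head -n 1)
    [ -n "$prog_dir" ] || { echo "NONE no NAS_Prog directory"; return 0; }

    # Visible and hidden subdirectories; unmatched globs fail the -d test.
    for d in "$prog_dir"/*/ "$prog_dir"/.[!.]*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        case "$allowed" in
            *" $name "*)
                echo "OK $name" ;;
            *)
                count=$(find "$d" -type f -name '*.sh' | wc -l | tr -d ' ')
                echo "SUSPECT $name scripts=$count"
                suspect=1 ;;
        esac
    done
    return "$suspect"
}

# Example call (hypothetical mount point):
#   audit_nas_prog /mnt/nasdisk "_install"
```
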