Author Topic: DNS-325 Sharecenter - Cr1pT0r Ransomware - Negotiation & Recovery  (Read 3524 times)

GotDNSlazy

  • Level 1 Member
  • *
  • Posts: 5

My NAS drive was recently infected by the Sharecenter - Cr1pT0r Ransomware.  The following is a chronological order of events, strategy implemented for recovery and possible negotiation.

0 Day -
- discovered a file called _FILES_ENCRYPTRD_README.txt that had been repeated into several folders
- sandboxed a machine and accessed the NAS
- the user I logged in with had the admin privileges stripped
- logged in as the root admin
- attempted to open several files and could not
- attempted to delete several "remote" users that had been set up and they continued to replicate.
- Had a RAID drive in the box so I removed it in case my tampering caused the main drive to format
- Started pulling older backup drives and DVDs to see if I could get away with formatting and moving on.

1 Day -
- I initiated a qTox account and put in the contact code --
PHILOSOPHY - Be Patient, Portray inability to pay

I started off with "I would like to get a couple of my files back"
after almost 24 hours without hearing anything, I posted the following
[16:06:33] lockedout: well... I'm about ready to scrub everything and move on...  too bad you froze files from a business i closed 3 years ago.
[20:46:42] Cr1ptT0r: Thank you for contacting us.
You can decrypt 2 files for free by sending via this chat software.
Private key for automated decryption of all files via the software is $1200 USD.
Only Bitcoin is accepted for payment.
Bitcoin can be bought here https://www.binance.com/en/buy-sell-crypto, https://www.coinbase.com/, https://localbitcoins.com/, https://paxful.com/ or other options can be found via Google.
Kind regards.
[22:35:38] lockedout: i send you 2 files, you decrypt for free....  Do I attach them in this chat using the paper clip? 
[22:57:03] lockedout: Will this take long? I have to pull a double shift and have to leave soon.
[23:29:10] lockedout: hello?
[23:29:53] Cr1ptT0r: One moment
[23:30:21] Cr1ptT0r: Your case ID is dc89a1a6e552ef5542a444a514e67045f4640f7be261ed8067b3614ac5a2c82b

I then sent him my 2 most important files through qTox and he quickly sent them back decrypted.
From this point on I had all I needed and was willing to lose the rest of the files, but I wanted to see what I could negotiate.

[23:35:52] lockedout: trying to open to verify the files decrypted
[23:57:33] lockedout: 2nd file cant find download?
[00:04:18] lockedout: ok.  they opened. but no way am i gonna pay 1200 when i only need about 20 of the files.  what can we work out?
[00:04:50] Cr1ptT0r: How much can you pay?
[00:05:39] lockedout: I'll pay you $5 per file...
[00:05:57] Cr1ptT0r: For $200, I will give you the key for all files.
[00:07:31] lockedout: hmmm... hold on. I need to call into work and let them know I'm running late - can we work together to complete in the next hour?
[00:07:45] Cr1ptT0r: yes
[00:08:06] Cr1ptT0r: Or you can go work and we complete this later.
[00:08:19] Cr1ptT0r: Sometime there is a delay to make the payment.
[00:08:22] lockedout: im already late
[00:09:13] lockedout: what do you mean, delay?
[00:09:48] Cr1ptT0r: You need to open an account and they might do an id check before you can withdraw the funds.
[00:11:01] lockedout: im registering now
[00:32:22] lockedout: ya, could take up to 24 hours to verify my identity...  so how do I get my files back... they were all in my recycle bin
[00:33:06] lockedout: if its too complicated, then i dont know
[00:33:20] Cr1ptT0r: Once the payment is received you will get a text file with the key. Once the key is copied on the NAS
[00:33:45] Cr1ptT0r: it will decrypt all the files after reboot.
[00:34:50] lockedout: not sure i can put files on it. it said I didnt have access
[00:35:25] lockedout: i can read it, but not anything else
[00:35:27] Cr1ptT0r: You can put them in an archive and host them on filebin.net and I will decrypt them.
[00:36:04] Cr1ptT0r: Unless you know how to use linux then I can give you the decryption software.
[00:37:48] lockedout: uhhh... way over my head with all  that... how bout I send you the files I need and you do them just like the last 2?
[00:38:23] Cr1ptT0r: If you put them in an archive and host them online we will probably save time.
[00:38:35] Cr1ptT0r: But you can send them one by one if you prefer.
[00:39:00] lockedout: its 750 gig of files bro to try and archive... I'm no genius
[00:39:04] lockedout: I might have a friend that can help
[00:40:27] Cr1ptT0r: For 750 gig you need to use the NAS or if your friend can help you then you can decrypt them by accessing the files via a system running linux (it can run from a usb thumb drive or a virtual machine).
[00:42:23] lockedout: i found the admin access
[00:42:53] Cr1ptT0r: If the device is running then I can probably install the key and reboot the device for you.
[00:45:14] Cr1ptT0r: According to my logs it will take about 101 hours to decrypt all files.
[00:45:35] Cr1ptT0r: But I can't access it right now.
[00:46:39] Cr1ptT0r: However you only need to save the text file on the root folder and reboot the device.
[00:46:57] lockedout: i initiated a buy ... i can do $150.00 not sure when it will complete.  once it does, how do I pay you?
[00:48:21] Cr1ptT0r: Once you are ready please send your payment to this bitcoin address: 19znRShejmJLTktZ7F7FAekCgJYRkeds8

I created an account with localbitcoin and purchased $158.88 in coin.

2 DAY-
[10:38:12] lockedout: found someone to buy from.  waiting for escrow release then i will send $150 us bitcoin to
[10:40:11] lockedout: ok...  i have bitcoin in my wallet. 
[10:41:11] lockedout: you there?
[10:43:27] lockedout: i bought all i could with whats in my account... 158.88 us in bitcoin - put all the bitcoin in the field to send, and it says the amount is $130.93 ... its all i got.  good with that?
[10:46:13] lockedout: ive got about 10 minutes before my break is over and gotta go back...
[10:46:16] lockedout: hello?
[10:52:17] lockedout: hello?
[12:49:53] lockedout: checking in again...
[12:55:15] lockedout: im on my lunch break... can we finalize this thing?
[12:56:39] Cr1ptT0r: Im here.
[12:57:22] lockedout: saw my note about how much it will transfer after fee?  $130.93... deal?
[12:57:53] Cr1ptT0r: ok
[12:58:22] lockedout: ok logging into localbitcoin now
[12:58:39] Cr1ptT0r: I will send you the instruction while I wait for payment.
[12:58:49] lockedout: ok
[12:58:49] Cr1ptT0r: 1. Save this key on the first folder of your device (Volume_1) and delete _cr1ptt0r_logs.txt
2. Reboot the device
3. After reboot you can see the progress in _cr1ptt0r_logs.txt and when all files have been decrypted the last line will say "done".

[12:59:57] lockedout: what do i put in as the description?
[13:00:10] Cr1ptT0r: Not needed.
[13:00:14] lockedout: ok
[13:03:03] lockedout: done
[13:03:35] Cr1ptT0r: It will take 1-2 minutes.
[13:04:48] Cr1ptT0r: Let me know if you need help. You can contact me again also when the process is completed if you need help to cleanup the device.

I followed his instructions and loaded the file he sent for the decryption key.  It took 4 days to decrypt.

I then contacted him again
[23:36:42] lockedout: how does the software get uninstalled when complete?
[23:38:09] Cr1ptT0r: I can give you a script that is run on the NAS or you need to format the hard drive.
[23:39:19] Cr1ptT0r: This is the script. You need to replace the existing fun_plug and reboot. It takes about 30sec then the device reboots again. To check that it is uninstalled you can delete _cr1ptt0r_logs.txt and reboot and the file should not be recreated.
[23:57:06] lockedout: thanks man
[23:58:07] Cr1ptT0r: You should also remove any port forward rule to the device and upgrade the firmware if available.

I then loaded his script, and followed his instructions.

Once done, I deleted the files and logs associated with the ransomware, installed the most updated firmware I could find, re-ran the setup software from an external source, and scanned the entire drive with updated virus scan by avast.

All clear, all files intact, out of pocket expense $158.88

I have BOTH the decryption key AND the fun pack file for removal
Logged
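The post names three on-disk indicators a defender can look for after an incident like this: the ransom note `_FILES_ENCRYPTRD_README.txt` repeated through the folders, the progress log `_cr1ptt0r_logs.txt` at the volume root (last line "done" once decryption finished), and a replaced `fun_plug` startup hook that the removal script had to swap out. The check below is an added example, not code from the original post, from D-Link or from the ransomware operator; it assumes the NAS volume (the share behind Volume_1) is mounted on the machine running the script, takes the filenames from the post as written, and builds a constructed sample tree in a temporary directory so it runs offline.

```python
"""Added example: triage a mounted DNS-325 volume for the Cr1ptT0r indicators
named in the forum post (ransom note, progress log, replaced fun_plug)."""
import os
import tempfile

# Indicator filenames exactly as they appear in the post above.
RANSOM_NOTE = "_FILES_ENCRYPTRD_README.txt"   # dropped into many folders
PROGRESS_LOG = "_cr1ptt0r_logs.txt"           # volume root; last line "done" when finished
# fun_plug is the NAS's normal startup hook. The post says the removal script
# worked by replacing the existing fun_plug, so an unexpected one needs review.
STARTUP_HOOK = "fun_plug"


def assess(findings):
    """Turn the raw indicators into a one-word triage result."""
    if findings["ransom_notes"] or findings["progress_log_present"]:
        return "infected"
    if findings["fun_plug_present"]:
        return "review-fun_plug"   # legitimate customisation or leftover persistence
    return "clean"


def scan_volume(volume_root):
    """Walk one volume (the share mounted from Volume_1) and collect indicators."""
    findings = {
        "ransom_notes": [],
        "progress_log_present": False,
        "decryption_done": False,
        "fun_plug_present": False,
    }
    for dirpath, _dirnames, filenames in os.walk(volume_root):
        for name in filenames:
            if name == RANSOM_NOTE:
                rel = os.path.relpath(os.path.join(dirpath, name), volume_root)
                findings["ransom_notes"].append(rel.replace(os.sep, "/"))
    findings["ransom_notes"].sort()

    log_path = os.path.join(volume_root, PROGRESS_LOG)
    if os.path.isfile(log_path):
        findings["progress_log_present"] = True
        with open(log_path, "r", errors="replace") as fh:
            lines = [line.strip() for line in fh if line.strip()]
        # Per the operator's instructions quoted in the post: last line "done" when finished.
        findings["decryption_done"] = bool(lines) and lines[-1].lower() == "done"

    findings["fun_plug_present"] = os.path.isfile(os.path.join(volume_root, STARTUP_HOOK))
    findings["verdict"] = assess(findings)
    return findings


def build_sample_volume(base, infected):
    """Constructed sample layout (not real data) so the example runs offline."""
    volume = os.path.join(base, "Volume_1")
    for folder in ("Documents", "Photos"):
        os.makedirs(os.path.join(volume, folder))
        with open(os.path.join(volume, folder, "report.docx"), "wb") as fh:
            fh.write(b"placeholder user data")
    if infected:
        for folder in ("", "Documents", "Photos"):
            with open(os.path.join(volume, folder, RANSOM_NOTE), "w") as fh:
                fh.write("constructed ransom note\n")
        with open(os.path.join(volume, PROGRESS_LOG), "w") as fh:
            fh.write("decrypting Documents/report.docx\n"
                     "decrypting Photos/report.docx\n"
                     "done\n")
        with open(os.path.join(volume, STARTUP_HOOK), "w") as fh:
            fh.write("#!/bin/sh\n# constructed stand-in for a replaced startup hook\n")
    return volume


def run_demo(infected=True):
    """Build the constructed volume in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        return scan_volume(build_sample_volume(base, infected))


if __name__ == "__main__":
    # Real use: scan_volume("/mnt/nas/Volume_1") against the mounted share.
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A clean result only says these three names are absent; the post also describes stripped admin rights and self-recreating "remote" users, which live in the device's configuration rather than on the data volume and need checking through the NAS web interface.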

FurryNutz

  • Poweruser
  • *****
  • Posts: 49868
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: DNS-325 Sharecenter - Cr1pT0r Ransomware - Negotiation & Recovery
« Reply #1 on: April 27, 2020, 01:42:56 PM »

I would highly recommend blocking any incoming internet access to your NAS.
http://forums.dlink.com/index.php?topic=75285.0
Do not put the NAS in any kind of DMZ.
Be sure you have a current backup on a HDD someplace of your most important files or an entire backup. The only good backup is a redundant backup.
This would help stave off and negate any kind of nefarious malware on your NAS and save you the $158, let alone the $1200 they wanted for their decrypt.
Never give these people any money or reason to keep doing this. They're "stealing" your money and time from you that you can't get back.  >:(

Glad you got your files back.  ::)
« Last Edit: April 27, 2020, 01:55:24 PM by FurryNutz »
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

GreenBay42

  • Administrator
  • Level 11 Member
  • *
  • Posts: 2696
Re: DNS-325 Sharecenter - Cr1pT0r Ransomware - Negotiation & Recovery
« Reply #2 on: April 27, 2020, 01:54:00 PM »

Thanks for posting your experience. Glad you recovered your data without losing too much (compared to thousands of dollars people have paid). Unfortunately this sort of crap will never end and as long as anything is on the internet it is not safe.
Logged

phil1982

  • Level 1 Member
  • *
  • Posts: 13
Re: DNS-325 Sharecenter - Cr1pT0r Ransomware - Negotiation & Recovery
« Reply #3 on: September 22, 2021, 07:09:48 AM »

I've tried to contact them but not had any reply - been a few weeks now.
Logged

GotDNSlazy

  • Level 1 Member
  • *
  • Posts: 5
Re: DNS-325 Sharecenter - Cr1pT0r Ransomware - Negotiation & Recovery
« Reply #4 on: September 22, 2021, 08:07:16 AM »

Quote from: phil1982
I've tried to contact them but not had any reply - been a few weeks now.

Keep messaging… might even say, “I guess you wasted time encrypting the files if you don’t even want to talk about $”

Remember, they are looking for a payoff. Believe it or not they want to have a “good reputation” for working with you.

It’s a negotiation…
Logged

phil1982

  • Level 1 Member
  • *
  • Posts: 13
Re: DNS-325 Sharecenter - Cr1pT0r Ransomware - Negotiation & Recovery
« Reply #5 on: September 28, 2021, 12:20:59 AM »

Still nothing - not sure that Bitmessage even sent the message to be honest.  I'm not an expert on these bits of software.  Which did you use?
Logged

GotDNSlazy

  • Level 1 Member
  • *
  • Posts: 5
Re: DNS-325 Sharecenter - Cr1pT0r Ransomware - Negotiation & Recovery
« Reply #6 on: September 28, 2021, 05:19:08 AM »

Wish I could remember, it took a couple of days. It was something like bitmessage. If you haven’t already, let them know you have a limited time to offer them $, before you run out of funds.
Logged