Topic: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix

FurryNutz

  • D-Link Global Forum Moderator
Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #15 on: December 18, 2019, 01:19:02 PM »

I would remove the DNS from ANY internet or WAN side access.

I recommend that you contact your regional D-Link support office by phone and ask for help and information regarding this.
Link> Tech Support Contact Information
We find that phone contact has better immediate results over using email.
Let us know how it goes please.
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

GreenBay42

  • Administrator
Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #16 on: December 18, 2019, 01:45:24 PM »

Ransomware can sit on your drive(s) and not infect your data, even after firmware updates. It can launch whenever the hacker wants it to. The firmware is to prevent it getting on your drives, but if it was already on your drives before the firmware update there is nothing you can do unfortunately.

You will need to reformat the hard drives if you cannot restore any of your files.

Carloroma63

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #17 on: December 19, 2019, 06:35:58 AM »


@FurryNutz: Pls note this:

from https://www.dlink.com/en/security-bulletin/nas-ransomware

Model   H/W Version   Latest F/W Version   Actions to take
DNS-320   Ax   2.06   Disable the Internet connection to NAS

In this page, dated 11/11/19, D-Link declares that FW 2.06 is not secured against this vulnerability.
If D-Link had sent an email to all its clients instead of publishing a brief page on its site, my data wouldn't have been destroyed..... I'm really unhappy about this.

I'll try to call local support...

p.s. the virus directory has 13/12/2019 as its creation date; the attack was 4 days later.

@GreenBay42: the virus is on the disk and the NAS loads and executes it at boot. I've seen the virus log grow before my eyes after reboot... :( :( :(

Carlo

p.s. now I will buy a new DNS, but SURE not a D-Link....

FurryNutz

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #18 on: December 19, 2019, 10:48:14 AM »

This was posted back in February or was made known by then:
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10110

Firmware updates are often directed to addressing security vulnerabilities in the devices that may be exploited by Internet attacks such as a ransomware attack. However, once the device is infected by the virus, firmware updates will not restore your data. Antivirus companies have created new tools to address past ransomware attacks and may develop decrypting tools to address the Cr1ptT0r Ransomware in the future. Until that time, to better protect your devices from Internet viruses, malware and ransomware:
 
1.    Do not connect these devices directly to the Internet and/or port-forward services directly from the Internet.
2.    Keep device firmware up-to-date.
3.    Any computer accessing information on these devices should have appropriate antivirus protection and malware protection enabled.
4.    Regular back-ups of stored information on these devices should occur in case a disaster recovery is needed.

And FYI, D-Link doesn't produce NAS anymore. So good luck on your next NAS. Be sure it's safe as well.



richgordon

Cr1pT0r ransomware vuln *NOT* fixed!!
« Reply #19 on: January 03, 2020, 06:17:09 AM »

Jumping in to unfortunately confirm that I have also just fallen victim to Cr1pT0r ransomware attack on my DNS 320. I had updated to 2.06 roughly three months ago. I had DNS setup for remote access using FTPS and STRONG passwords.

I will note that while the log shows many files are encrypted, I'm still able to stream video library without issue, sadly however I'm not able to do the same for my MP3 library. It seems that some files are too large to be encrypted this way.

I hope someone from D-Link will contact me about this but I'm not holding my breath.

Falling victim to a well known vulnerability *after* said vuln was expressly advised by D-Link as *fixed* according to this forum post is simply unacceptable in today's world. I will use my wallet to express this sentiment when I purchase my next upgrade as I'm sure you will too.
« Last Edit: January 03, 2020, 10:19:14 AM by richgordon »

FurryNutz

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #20 on: January 03, 2020, 02:50:54 PM »

I'll have D-Link review this.

It's recommended for users to NOT allow any form of external or remote connections to any NAS on their network.

Users are encouraged to have backups of their files that are important to them.

And FYI, D-Link doesn't produce NAS anymore. So good luck on your next NAS. Be sure it's safe as well.

richgordon

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #21 on: January 04, 2020, 05:44:10 AM »

> I'll have D-Link review this.

A reputable company would have been proactive on such an important issue. Not D-Link though, clearly.

> It's recommended for users to NOT allow any form of external or remote connections to any NAS on their network.

Yes, of course I know that *now*, just saying it would have been nice to see a stickied post in all caps warning of the same thing.

> Users are encouraged to have backups of their files that are important to them.

Well this goes without saying. Can't have too many backups - but this doesn't excuse D-Link's failures on their part.

> And FYI, D-Link doesn't produce NAS anymore. So good luck on your next NAS. Be sure it's safe as well.

Yes, I was aware already. My next NAS, in fact my next *anything*, will NOT be a D-Link, that is for sure.

FurryNutz

Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
« Reply #22 on: January 04, 2020, 12:25:53 PM »

These were posted back in Feb of 2019, almost a year ago.
http://forums.dlink.com/index.php?topic=74596.0.
http://forums.dlink.com/index.php?topic=74600.0

I should have posted this in all locations in the forums and apologize for that. However, I was one of the first to make D-Link aware of it back then and they did take action, so I would not say that D-Link hasn't been proactive on this. I would also think that it would be hard to test the fix without actually knowing someone with the nefarious code to attack a test unit to see if D-Link's fix actually worked. A wise user would probably not have their NAS on the internet with high priority or sensitive data for external users to try and attack anyways.

I just bought my last DNS-345. Love this model. Wish D-Link hadn't stopped making them.

At any rate, D-Link is looking into this. For now, keep your NAS OFF the internet and BLOCK ALL connections to your NAS from the WAN side!!!

 