D-Link Forums

D-Link Network Storage => DNS-320L => Topic started by: iker on February 24, 2019, 02:20:29 AM

Title: Ransomware Infects D-Link NAS Devices
Post by: iker on February 24, 2019, 02:20:29 AM
I found out yesterday that it looks like there is a ransomware actively attacking the DNS-320 and DNS-320L/LW (maybe more models are affected) and encrypting all your files. There is not much info about it, but according to some affected users, they were on old firmware versions with the web interface and FTP exposed to the internet. They still don't know exactly how the ransomware attacked the NAS, so this is only a theory and it could be a different attack. I hope that the vulnerability is solved in newer firmware versions, but anyway you should always avoid exposing the web interface to the internet on this and on any device.

https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 24, 2019, 11:07:42 AM
What version of FW are you using?

The user did mention "My Dlink NAS is a DNS-320LW (the white version of the more widespread DNS-320L with full firmware compatibility), and I must confess that I had not updated the firmware so it should be a basic 1.01."

So at this stage anything was possible.

Since v1.11 is the most current, we can only hope that users would and should already be on this version of FW, which would help avoid this kind of compromise.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: arisermpo87 on February 25, 2019, 03:03:37 AM
Hey guys. My DNS-320 ver A2 was attacked.
I had it connected to the Internet via port forward and DMZ, which I guess was the problem. Now I cut both port forward and DMZ. Is it safe to use it again?
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 25, 2019, 07:28:19 AM
Link>Welcome! (http://forums.dlink.com/index.php?topic=49573.0)


What Mfr and model is the main host router?

What version of FW are you using?
What do you mean by attacked?
How did you determine your DNS was attacked?

Using the DMZ is not recommended for NAS devices.

Title: Re: Ransomware Infects D-Link NAS Devices
Post by: arisermpo87 on February 25, 2019, 07:58:15 AM
Hello!
So I have a DNS-320 v A2 used for local storage and file exchange for a small business. A few weeks ago, I wanted to have distant access to some files, so I used port forward and DMZ from my router to achieve this.
Today, most of my files appeared to be corrupted. I found two files that stated all corrupted files are now encrypted. With a little search online I came across this article (https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/).
Thankfully I had a full backup and the damage was minimal. At the moment I wasn't using the latest FW on the NAS.

My router is a ZTE Speedport Entry 2i. I don't think that the DNS was attacked. All I think is that having enabled DMZ and port forwarding was a huge mistake, despite using a 10-character password for NAS access (with upper and lower case letters, numbers and symbols).
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 25, 2019, 08:01:57 AM
Are ALL files on the DNS corrupted?

What version of FW are you using on the DNS?
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: GreenBay42 on February 25, 2019, 08:06:21 AM
This has been reported to the D-Link security team.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: arisermpo87 on February 25, 2019, 08:14:23 AM
Not all files were corrupted/encrypted. There was a file created "_Cr1ptt0r_logs.txt" with the following format:

encrypting using public key: 066d97d8756b5388ca7b74594a9563f04232b38361c20c0056a0ff9dc1a6f253
encrypted: /mnt/web_page/goweb.htm

and followed for all the files that appeared to be corrupted.
At that moment I had FW 2.03. Now I have FW 2.05B10.

One weird thing that I saw was under Account management -> Users/Groups there was a user named "remote" assigned to groups "sudo" and "wheel". I never created such a user/groups.
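The post above gives two of the few concrete artifacts in this thread: the `_Cr1ptt0r_logs.txt` format (one "encrypting using public key" line followed by one "encrypted:" line per file) and an unexpected "remote" account placed in the "sudo" and "wheel" groups. The following is an added triage script, not code from the thread or from D-Link, that turns both into something checkable: it parses the log, reconciles the encrypted paths against a backup inventory so you know exactly what is restorable and what is lost, and audits passwd/group data for accounts and privileged-group members you did not create. Everything beyond the two log lines quoted in the post (the extra paths, the backup inventory, the passwd/group contents and the exact account-database layout on the NAS) is constructed sample data and an assumption.

```python
"""Triage helpers for a Cr1ptT0r-style NAS compromise (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the _Cr1ptt0r_logs.txt format quoted in the thread.
# Only the key line and the goweb.htm line come from the post; the rest is made up.
SAMPLE_LOG = """\
encrypting using public key: 066d97d8756b5388ca7b74594a9563f04232b38361c20c0056a0ff9dc1a6f253
encrypted: /mnt/web_page/goweb.htm
encrypted: /mnt/HD/HD_a2/Documents/invoice-2019-02.pdf
encrypted: /mnt/HD/HD_a2/Photos/2018/IMG_0001.jpg
encrypted: /mnt/HD/HD_a2/Photos/2018/IMG_0002.jpg
"""

# Constructed inventory of paths present in the most recent (offline) backup.
SAMPLE_BACKUP = {
    "/mnt/HD/HD_a2/Documents/invoice-2019-02.pdf",
    "/mnt/HD/HD_a2/Photos/2018/IMG_0001.jpg",
}

KEY_RE = re.compile(r"^encrypting using public key:\s*([0-9a-fA-F]+)\s*$")
FILE_RE = re.compile(r"^encrypted:\s*(\S.*)$")


@dataclass
class TriageReport:
    public_keys: list = field(default_factory=list)   # attacker public keys seen in the log
    encrypted: list = field(default_factory=list)     # paths the log says were encrypted
    unparsed: list = field(default_factory=list)      # lines that matched neither pattern


def parse_cr1ptt0r_log(text):
    """Parse the log into keys, encrypted paths and anything unrecognised (kept for review)."""
    report = TriageReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            report.public_keys.append(m.group(1).lower())
            continue
        m = FILE_RE.match(line)
        if m:
            report.encrypted.append(m.group(1))
            continue
        report.unparsed.append(line)
    return report


def reconcile_with_backup(encrypted_paths, backup_inventory):
    """Split encrypted paths into (restorable from backup, not in any backup)."""
    encrypted = set(encrypted_paths)
    restorable = sorted(encrypted & backup_inventory)
    lost = sorted(encrypted - backup_inventory)
    return restorable, lost


# Constructed passwd/group samples modelling the "remote" account the post describes.
# The real layout of the NAS account database is an assumption here.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:500:500::/home/admin:/bin/sh
remote:x:1001:1001::/home/remote:/bin/sh
nobody:x:99:99::/:/bin/false
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:remote
wheel:x:10:admin,remote
"""
EXPECTED_USERS = {"root", "admin", "nobody"}      # accounts the owner knows they created
PRIVILEGED_GROUPS = {"root", "sudo", "wheel"}


def audit_accounts(passwd_text, group_text, expected_users):
    """Return findings for unknown users, non-root uid 0, and unknown privileged-group members."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid = fields[0], int(fields[2])
        if name not in expected_users:
            findings.append(f"unexpected user {name!r}")
        if uid == 0 and name != "root":
            findings.append(f"user {name!r} has uid 0")
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or fields[0] not in PRIVILEGED_GROUPS:
            continue
        for member in filter(None, fields[3].split(",")):
            if member not in expected_users:
                findings.append(f"unexpected member {member!r} in privileged group {fields[0]!r}")
    return findings


if __name__ == "__main__":
    report = parse_cr1ptt0r_log(SAMPLE_LOG)
    restorable, lost = reconcile_with_backup(report.encrypted, SAMPLE_BACKUP)
    print(f"{len(report.encrypted)} encrypted, {len(restorable)} restorable, {len(lost)} lost")
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_GROUP, EXPECTED_USERS):
        print("account audit:", finding)
```

Run it against the real `_Cr1ptt0r_logs.txt` pulled from a drive mounted read-only on another machine, and against a listing of your backup set, before deciding whether a format-and-restore is acceptable; the "lost" list is what a payment would be buying. The account audit is deliberately allow-list based: anything not in `EXPECTED_USERS` is a finding, because on a two-bay home NAS the owner, not a heuristic, is the authority on which accounts should exist.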
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 25, 2019, 08:23:28 AM
What region are you located?
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: arisermpo87 on February 25, 2019, 08:32:04 AM
Greece
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 25, 2019, 09:19:10 AM
Do you have any back up of the contents of the drives in the DNS?
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: arisermpo87 on February 25, 2019, 09:21:49 AM
Yes I had a full backup two days ago. Thankfully I had scheduled backup every two days.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 25, 2019, 09:30:22 AM
Where are you getting v2.XX FW from?
I'm only seeing v1.11 for A series models?
https://eu.dlink.com/gr/el/products/dns-320l-sharecenter-2-bay-cloud-storage-enclosure#support


I presume you may need to restore from back up these files...
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: arisermpo87 on February 25, 2019, 09:37:02 AM
Those FW are for the 320L model. I have the 320 model. I already restored my backup at a local drive.
My question is, is it safe to use the NAS (after formatting the drive and disabling port forwarding)?

edit: Thanks for your help!
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 25, 2019, 09:59:04 AM
You should be ok.
You might file a support ticket or contact your regional D-Link support office about this and let them know what happened.

Just keep the DNS out of the DMZ.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: arisermpo87 on February 25, 2019, 10:03:57 AM
Ok! I'll do it! Thanks for all the help.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 25, 2019, 10:25:03 AM
Keep an eye on your system and back ups.

 ;)
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: iker on February 25, 2019, 12:45:49 PM
What version of FW are you using?


I am already on the latest version. I meant that I hope that the attack was on non-updated versions, so updated devices are safe.

For those with DMZ enabled, you should disable it and only forward the ports you need to be accessed from the internet (I have only opened the ports needed for the Transmission add-on). With DMZ you are basically forwarding all the ports to your NAS, and that is a very bad idea. And always have an offline backup of the important files.

Good luck to the affected
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 25, 2019, 01:13:24 PM
So far, it seems to be either older FW versions or units placed in the host router's DMZ, which is not recommended.

Thanks for posting.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: sibigr on February 26, 2019, 02:51:45 AM
Hello. Same problem with 320L hit by cr1ptt0r, I have lost all my files, this is a disaster, I used the 320L at work. I contacted dlink greece and they didn't help, they don't know how. I didn't have the latest firmware but I have updated it 2-3 times since I bought the nas. I read at forums that many users with the 320/320L have been hit by this ransomware virus. I need the files desperately, years of work and memories have been locked. What can I do? Someone please help!
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 26, 2019, 06:56:47 AM
FYI:
Link>D-Link NAS Owner's :: Regarding CripTor Ransomware (https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10110)
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: Kiwacka47 on February 26, 2019, 07:44:09 AM
Its legit.  Happened to me.
12 years of photos now locked away along with more.

I can tell you I have not updated the FW in a long time so that sucks.
With this being so new, I'm just going to shelve the drives for now and wait for one day to get my photos and video's back.

Title: Re: Ransomware Infects D-Link NAS Devices
Post by: sibigr on February 26, 2019, 08:11:36 AM
Great, their suggestion is to format the drives, are they serious?? What kind of support is that? This is totally unacceptable. I bought this D-Link NAS so as to have my files safe and now this happened; D-Link ruined me.

Now I have to pay a criminal $1200 to get my files back with no guarantee at all, because of D-Link. They should find a way to unlock our files. D-Link is responsible for this; I trusted them for my files' safety and I lost all my files!! Why do they sell NAS devices if they are not safe and they cannot offer support?
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 26, 2019, 10:41:58 AM
An alternative to keeping NAS on line LAN side:
"If users put their DNS on a static IP address, they can go into the router "Access Control" section and put the DNS IP on a blacklist, so it will be invisible to the Internet. That will block 100% of direct attacks, but doesn't help if an infected PC on a LAN hits the DNS."
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 26, 2019, 11:17:12 AM
Do a search with your favorite search engine and you might find fixes to this:
"Cr1ptT0r Ransomware"

Title: Re: Ransomware Infects D-Link NAS Devices
Post by: Kiwacka47 on February 26, 2019, 01:18:58 PM
Doing a search for Cr1ptT0r ransomware comes up with the same solution over and over, but none of the software can scan the D-Link NAS.

Considering trying some data decryption software to see if it can recover the files from the NAS.

Anyone else have any luck so far?
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: JavaLawyer on February 26, 2019, 05:48:32 PM
Please see the following post for recommendations regarding the ransomware vulnerability: http://forums.dlink.com/index.php?topic=74600.msg301549#msg301549
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: NBS on February 28, 2019, 06:13:30 AM
Our NAS was also infected on 26.02. We upgraded the firmware and disconnected it from the internet, but the data is still encrypted...
The company has been on hold for 3 days! How can we get our data back???
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: pecirepi on February 28, 2019, 12:53:53 PM
I have the same situation: my DNS-320 was affected and all data on volume 1 was encrypted (25.2.2019), and backup volume 2 was backed up the same day at midnight. My question is, has anyone tried to recover files? Is it possible to use any of the tools to recover from the backup volume, since this volume is used only once a day during backup? MY DEVICE IS A DNS-320 WITH FIRMWARE 1.02, the latest for this hardware on the D-Link website.
Inside are 2 WD WD30EZRX 3 TB drives.
Any help will be appreciated. These are mostly binary files; the work of the last 15 years destroyed.
Thank you.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on February 28, 2019, 02:18:32 PM
What region are you located?
Latest is v1.11: http://forums.dlink.com/index.php?topic=73863.0

Title: Re: Ransomware Infects D-Link NAS Devices
Post by: JavaLawyer on March 03, 2019, 08:29:16 AM
For those of you who are not yet infected, please read this post for precautionary measures: http://forums.dlink.com/index.php?topic=74600.0
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: pecirepi on March 04, 2019, 06:36:02 AM
Bosnia and Herzegovina.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on March 04, 2019, 06:51:04 AM
FW located here for your region:
https://eu.dlink.com/ba/hr/products/dns-320l-sharecenter-2-bay-cloud-storage-enclosure#support

Title: Re: Ransomware Infects D-Link NAS Devices
Post by: 1funryd on March 08, 2019, 06:37:57 AM
Another victim here. Located in WA, USA. According to the file modification dates, my NAS was hit on 2-23-2019.
I did notice on that day that the NAS was working really hard while I was watching TV, and I was not trying to access anything on it.
I got suspicious of it and disconnected the NAS.
Not thinking about it too much, I reconnected it and then accessed the files, and everything seemed fine until days later when I decided to open up a file and got the message "This file is not supported."
I have been searching the net for solutions and to no avail.
All my data is on the NAS, and I always intended to back up my data to an external USB drive as well for my 3rd layer; I never got around to it.
So I am stuck, years of information and crucial data locked away.
After reading this thread, I noticed a member stated they logged in and looked at their user accounts and noticed different groups and users were created.
I just now realized I cannot even log in with my admin or own user account because it does not recognize me or my credentials.
This is embarrassing and stupid on my part.  But the biggest take away is that I have lost everything from precious photos, to custom files I had created for my small business.
I have my NAS on my home network hooked up to the main router.
I should have used multiple networks to try to at least hide the NAS, but never thought I would have this issue.
If anyone has any advice for trying to recover the data, I would appreciate it.
I might still have an IDE backup drive where all the older files were from, but it's a 50/50 chance that drive is still viable.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: Picchio on March 09, 2019, 02:37:57 AM
Same for me, from Italy.
The entire NAS is compromised; files are dated Feb 23.
The firmware is very old and I can't upgrade it, it always fails... I do not know why... tried several releases with several browsers, also with cascade unzipping...
About the problem, some people are saying a brute force could help, but I suspect it would take so much time to find it...
Is it possible to start the NAS in a safe mode and manually remove the ARM file?
I also found the following: https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html
It seems some people identified the crypto library used by those criminals... hoping they will find some more info to help in finding a decryption method.
G
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: ivan on March 10, 2019, 10:18:23 AM
The only safe way to have any NAS box accessible from the internet is to have a dedicated firewall between the modem and the router/switch. When the company I set up was doing nightly NAS backups for our clients, I insisted that they used a VPN-equipped firewall to protect their LAN, and the VPN was the only connection we had with them. In 8 years none of their networks were compromised. OK, it is not cheap and requires careful setup (600 to 800 euro plus a fee for the yearly updates), but now there are cheaper units available from manufacturers like TP-Link (example: TL-R600VPN). They require good password discipline on the Admin account as well as a reasonable knowledge, on the part of whoever is doing the setup, of what they are doing.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: FurryNutz on March 10, 2019, 10:35:45 AM
Also, users need GOOD discipline to manage and configure their NAS to begin with. Letting a NAS go un-updated is probably not wise in the first place. Putting one's NAS into the DMZ is completely unwise.

Though I left my NAS on older FW for a while, it has since been updated and I have never had any compromise with it. I have never used the DMZ for a NAS, period. I'm now using the Block feature of the main host router to help avoid issues, though a compromise could possibly still come in from a PC on the same network.

Firewalls would be a great suggestion for those with lots of data, lots of NAS devices and historical, crucial or high priority data.

I found a firewall appliance in my stash; however, its last FW is dated 2012 and there has been nothing since, so I presume this device would not be ideal long term.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: Kywalh on March 12, 2019, 11:44:30 AM
Same problem in France...
All my data are encrypted.
I opened a ticket but no information yet...
Has anyone paid or at least entered in contact with these hackers ?
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: Kywalh on March 12, 2019, 11:47:15 AM
BTW, a friend of mine has the same NAS and same situation, all files encrypted !!! 😠😠😠
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: marcgv on March 23, 2019, 08:59:38 AM
My firmware is 1.09 and I'm not infected.

Try this: https://www.youtube.com/watch?v=nIWdZ0qDD54

Remove the drive, put it in a PC and use the software to try to read the files.
Title: Re: Ransomware Infects D-Link NAS Devices
Post by: ivan on March 26, 2019, 06:50:23 AM
That video assumes that the files are not encrypted. In the cases we are looking at in this thread the files have been encrypted, which, unless you have the required key, makes them useless: even though you can copy them off the NAS, you still can't open them.