Cr1ptT0r Ransomware Attacks D-Link NAS (Network-Attached Storage) Devices
Members of the BleepingComputer forums began reporting on February 19, 2019 that their D-Link DNS-320 network-attached storage devices were being attacked by the Cr1pT0r Ransomware virus. The attack encrypts the files stored on the NAS device and then demands payment to decrypt the files.
Those hit with the infection will find that the ransomware virus places one or more text files on the storage device named “_FILES_ENCRYPTED_README.txt”. This file instructs the device owner how to purchase the ability to decrypt their files. It is said that the first file can be decrypted for free to prove that the decryption process works.
The most recent firmware for the DNS-320 was 2.05.B10 released on July 18, 2016. BleepingComputer forum users currently believe that this attack is the result of one or more security vulnerabilities in this firmware.
As an I.T. professional, I consider any firmware that is over two years old to be “old” by I.T. standards. Consequently, I suggest replacing these NAS devices.
EDITED 04/21/2019: On April 11, 2019 D-Link released a Hot Fix to their firmware version 2.06 which is specifically designed to resolve the security flaw that was exploited by the Cr1pT0r Ransomware virus. Per D-Link, this patch will NOT recovery encrypted files. You can download the hot fix by clicking here.