Cr1ptT0r Ransomware

The Cr1ptT0r Ransomware is an encryption ransomware Trojan that seems to target Network Assigned Storage (NAS) devices specifically. These are typically linked to servers using the Linux operating system. The Cr1ptT0r Ransomware has been distributed by taking advantage of the DNS-320 router developed by D-link. The various vulnerabilities associated with this router have meant that it has been discontinued, although it is still in use by many computer users. In 2018, a hard-coded backdoor into this router was observed, which can allow hackers to gain unauthorized access to the victim's network. The last time firmware was updated for this device was in 2016 so that this backdoor remains as a significant vulnerability for these devices, making them susceptible to many attacks.

How the Cr1ptT0r Ransomware Attacks a Computer

The criminals will distribute the Cr1ptT0r Ransomware's corrupted binary through the compromised router targeting NAS storage in the process. Once the Cr1ptT0r Ransomware has access to the victim's device, it uses a strong encryption algorithm to encrypt the victim's files, making them inaccessible. This is typical of how encryption ransomware Trojans function, making the victim's files inaccessible and then demanding a ransom payment to restore the compromised data. Examples of the files that are typically targeted by attacks like the Cr1ptT0r Ransomware:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The Cr1ptT0r Ransomware adds the string '_Cr1ptT0r_' to each compromised file. The Cr1ptT0r Ransomware also will drop a text file named '_FILES_ENCRYPTED_README.txt' on several locations on the infected computer. The Cr1ptT0r Ransomware's ransom note is contained in this text file, which reads as follows:

‘All your files have been encrypted using strong encryption!
For more information visit our website: https://openbazaar.com/store/home/QmcVHJWngBD67hhqXipFvhHcgv1RYLBGcpthew7d9pC3rq
If the website is unavailable you need to download the OpenBazaar application from: https://openbazaar.org/download/
You can then visit the store via this url: ob://QmcVHJWngBD67hhqXipFvhHcgv1RYLBGcpthew7d9pC3rq/store
We are also reachable via these instant messaging sotwares:
toxchat: https://tox.chat/download.html
User ID: [random characters]
bitmessage: https://bitmessage.org/wiki/Main_Page
User ID: BM-NBcQxmkfyoVxSRE8WJQqEbXw1s63CMEq
Kind regards from the Cr1ptT0r team.'

Dealing with a Cr1ptT0r Ransomware Attack

The criminals responsible for the Cr1ptT0r Ransomware attack demand a ransom payment of $1200, offering to decode individual files for $20. The victims are strongly advised against paying any ransom, however, since this serves to support the criminals in distributing threats like the Cr1ptT0r Ransomware further. It is especially necessary that computer users take steps to protect their devices and refrain from using the DNS-320 router since this has been the vector for several threats apart from the Cr1ptT0r Ransomware.