
Cr1ptT0r Ransomware

Posted: February 26, 2019

The Cr1ptT0r Ransomware is a file-locking Trojan that encrypts documents, pictures, and other media formats before demanding a ransom. Its attacks currently focus on Network-Attached Storage (NAS) devices and may be abusing old software vulnerabilities to compromise them. Users should patch these devices appropriately, keep backups secure from Internet-based attacks, and have anti-malware products available for finding and removing the Cr1ptT0r Ransomware when the opportunity arises.

The Next Criminal Business Aiming for NAS

Including network-connected storage drives in attempts at locking and ransoming media is archetypal behavior within the Ransomware-as-a-Service industry and a reasonable description of families such as the Scarab Ransomware, the Globe Ransomware, and the Dharma Ransomware. What is less commonplace is tailoring attacks specifically to NAS (Network-Attached Storage) firmware, which can supply both infection strategies and data for targeting. The Cr1ptT0r Ransomware is the successor to this philosophy of Trojan infection, which it shares with the Mailrepa.lotos@aol.com Ransomware and the much older SynoLocker Ransomware.

The Cr1ptT0r Ransomware is a project unto itself rather than a variation on a preexisting family of file-locking Trojans. Its infection vectors target D-Link DNS-320 NAS devices, with unpatched firmware being a significant facilitator of these attacks. Naturally, the device must have an available network connection for the remote attacker to reach it in the first place.

The Cr1ptT0r Ransomware, an ELF binary with a low detection rate against AV products, also has an uncommon way of locking the device's media. It uses an asymmetric, two-layer locking routine built on the curve25519xsalsa20poly1305 construction from the Sodium (libsodium) library. Without the second key that the threat actor holds for ransom, the files remain unopenable. Malware analysts also confirm that the Trojan adds no extension and makes no other name changes to the files it locks.
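Because the Trojan keeps original file names and adds no extension, a defender cannot spot locked files by name alone. The following is an added Python example, not code from the original page or from any analysis of the Trojan, that flags files whose extension promises a well-known header that is missing and whose leading bytes look like uniform ciphertext; the magic numbers are the standard ones, and the 7.5 bits/byte entropy threshold is an assumption.

```python
import math
import os
from collections import Counter

# Well-known leading bytes (magic numbers) for a few common formats.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(filename: str, head: bytes, threshold: float = 7.5):
    """Classify a file from its name and its first bytes.
    'suspect' = the extension promises a known header, the header is gone,
    and the bytes are near-uniform: what an in-place encryptor leaves behind."""
    expected = MAGIC.get(os.path.splitext(filename)[1].lower())
    if expected is None:
        return ("unknown", "no signature on file for this extension")
    if head.startswith(expected):
        return ("ok", "header matches extension")
    ent = shannon_entropy(head)  # threshold 7.5 is an assumed cut-off
    verdict = "suspect" if ent >= threshold else "mismatch"
    return (verdict, f"header missing, entropy {ent:.2f} bits/byte")

def scan_directory(root: str, sample: int = 4096):
    """Walk a share (e.g. a NAS mount) and return files judged 'suspect'."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable entries are skipped, not flagged
            verdict, reason = classify(name, head)
            if verdict == "suspect":
                hits.append((path, reason))
    return hits
```

Run `scan_directory` against a mounted share to list candidates for closer inspection; a 'mismatch' verdict on low-entropy data usually means a mislabelled file rather than encryption.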

Storage that will not Disappoint Your Files

Although some significant vulnerabilities remain in the DNS-320, installing all security fixes for its firmware sharply narrows the options for an attack by the Cr1ptT0r Ransomware's team. Users can further protect their NAS backups by using appropriately secure passwords, being cautious about interactions with e-mail messages (a high-rate infection vector for file-locking Trojans, especially those harming businesses), and enabling automatic firmware updates. Malware researchers don't expect free decryption for the Cr1ptT0r Ransomware to become available without exceptional developments in the campaign's key-handling behavior.

The Cr1ptT0r Ransomware's ransom and distribution both fit the pattern of preferentially harming the business sector. The Cr1ptT0r Ransomware's detailed ransom message provides a series of support links for various platforms, including an OpenBazaar-based payment method. The same page also offers decryption for 2014's SynoLocker Ransomware at similar prices, which suggests that the threat actors have access to that Trojan's old database of keys. Regardless of whether or not you pay, have your anti-malware programs ready to remove the Cr1ptT0r Ransomware before re-securing your devices as required.

Although buying one's way out of a Cr1ptT0r Ransomware infection isn't cheap, it's becoming the norm, with competition like the B0r0nt0k Ransomware. Assuming that your files have any value to you, the cost of a lazy backup strategy is becoming more and more unreasonable as the year progresses.
