Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 160: BEWARE OF Cr1ptor RANSOMWARE
Reference Number: ACG-CSB 030119160
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security
The ACG has previously published Cyber Security Bulletin Number 41 with title Understanding Crypto Ransomware specially to educate the public especially PNP offices and units about severe threat that it could bring to systems any organization uses. Ransomware is a malicious software or “malware” that encrypts all files in a unsecured network or computer system. Cybercriminals behind these ransomwares demand for payments in exchange of decrypting or recovering files of the victim. Ransomware comes in various forms targeting common or specific cyber infrastructure that are vulnerable for exploits.
“Cr1ptTor” is a kind of ransomware built for embedder systems target Network Attached Storage (NAS) equipment exposed to the internet to encrypt data available on it. “Cr1ptTor” was first discovered in the Bleeping Computer forums where users stated that their D-Link DNS-320 devices were infected by the ransomware. D-Link no longer sells the DNS-320 enclosure but the product page indicates that it is still supported. However, the newest firmware revision came out in 2016 and there are plenty of known bugs that can be leveraged to compromise the equipment. Scanning the malicious ELF binary on Thursday showed a minimum detection rate on VirusTotal, with only one antivirus engine identifying Cr1ptTor as a threat. Recently, the malware was picked up by at least six antivirus engines.
Cybersecurity forum members offer information suggesting that the attack vector is most likely vulnerabilities in old firmware. Accordingly, there are so many vulnerabilities in D-Link DNS-320 NAS models that they should be built from scratch to make things better. Although old versions of the firmware for DNS-320 are known to be vulnerable to at least one bug leading to remote code execution, a hard coded backdoor was published in 2018 for Share Center DNS-320L. Some users affected by Cr1ptTor admitted to having an outdated firmware version installed and that their device was exposed to the internet at the time of the attack.
PNP offices and units especially IT/System Administrator should whether they are using a D-Link NAS being used as storage. If there are any, immediately remove the said device from the network and make the necessary back-up and update of firmware to avoid being compromised by Cr1ptTor Ransomware. PNP personnel should be responsible in the periodic checking of the current processes running on computer stations including the hardware and software that their offices are dependent with. It is best to install cybersecurity solution to thwart off malicious software particular ransomware. It is a best practice to have a periodic back-up protocol to have redundancy in case such threat compromised our system.
All PNP personnel as well as the public are advised to follow the tips in order to avoid the risk of Advance Cr1pTor Ransomware:
- Backup your files regularly. In case you will be affected by this threat, you can easily reformat your computer system and restore back-up files without losing years worth of data of you organization or company;
- Have a business class antivirus installed and perform regular updates on the server and computers. Use of Endpoint Protection Cloud Edition solutions are highly Recommended;
- Keep all software up to date. Apply stable and secure updates as soon as they become available to patch up vulnerabilities that hacker exploit;
- Make sure that business has a firewall installed on the network and turned on at all times;
- If using Microsoft Operating System, Download Microsoft Security Essentials which is free or use another reputable antivirus and anti-malware program;
- Avoid clicking on any links or attachments from unknown senders which can install malwares and redirect you to compromised webpages hat can infect your computers.
- Always scan your computers and external storages such as USBs;
- Be wary in visiting unsecured websites and downloading software. Recently, ransomware has been found in advertisement on popular sites and often mines “free” software are embedded with malware; and
- Do not contact the hackers or pay ransom; you would only inform the hackers that your files are extremely important.
For additional information, please refer to the following websites:
POINT OF CONTACT