Cr1ptT0r ransomware (Decryption Steps Included) - updated Feb 2019

What is Cr1ptT0r ransomware?

Cr1ptT0r is the cryptovirus that affects files on the network storage and requires ransom to get files back

Cr1ptT0r is the ransomware virus that locks users' files and asks to pay for the alleged decryption.

Cr1ptT0r is not the typical ransomware that encrypts data. It does that by using the “curve25519xsalsa20poly1305” for asymmetric encryption. Additionally, the virus appends no extensions. Generally, it targets network attached storage (NAS) devices that are connected to the internet. Research showed that only D-Link DNS-320 equipment is affected, which is an outdated device and is no longer sold by the developer, although support is still provided. Unfortunately, DNS-320 is known to have multiple bugs that can be exploited by hackers, and the latest firmware update came out back in 2016. Cr1ptT0r ransomware virus is focusing on English-speaking users because the ransom note gets delivered in a _FILES_ENCRYPTED_README.txt file and contains more information about the attack.^[1] The developers are asking 0.3 BTC for locked files and are requiring to contact them via the OpenBazaar website or via instant messaging apps. There is an option to purchase decryption for a single file which costs $19.99. In addition to the ransom note, an extra file _cr1ptt0r_support.txt gets delivered to your device which contains the address of the Tor site. This allows crooks to remotely execute shell commands, which can be used in case the victim does not know what to do next.

Cr1ptT0r ransomware virus delivers a text file with additional information and addresses of Bitcoin wallets, instant messaging apps. The latter is the preferred communication method of these cybercriminals. However, we do not recommend contacting them because it may lead to permanent money or even data loss, as many research shows.^[2]

Since Cr1ptT0r is the ransomware, developers are not focusing on recovering your data. The primary focus is to lock data and gain profit from victims. The Cr1ptt0r team delivers two text files named _cr1ptt0r_support.txt and _FILES_ENCRYPTED_README.txt that include addresses on the Tor network and links to OpenBazaar website.

The ransom note reads the following:

If you are then probably not encrypted!
The decryption keys are available for sale. Individual file decryption is also available. First decryption is possible.
The private key is used to encrypt. Without this key it is imposible to decrypt any file. The public key (user id) is stored.
A text file named “_cr1ptt0r_logs.txt”.
Fell free to contact us via these methods:
bitmessage: BM-NBcQxmkfyoVxSRE8WJQqEbXw1s63CMEq
tox: AE737ECB916BE24B41543BAD5B24710C5B9DB701592013A6EBBCC0A544931E6145C7D950B82F
Kind regards from the Cr1ptT0r team.

These messages may differ from version to version of Cr1ptT0r. Another version:

If you are here, then probably all your files are encrypted!
Decryption keys are available for sale. Individual file decryption is also available. The first file is decoded for FREE to prove that decryption is possible.
The private key used to encrypt files is created on our secure server. Without this key it is impossible to decrypt any file.
The public key (user ID) is stored in each file so that you can match the device with the correct key pair.The only thing needed to restore all the files is any encrypted file sent to us via the instant messenger.
The list of encrypted files is stored on the device in a text file named “_cr1ptt0r_logs.txt”.
Contact us through OpenBazaar chat or one of the following ways:
the tox: AE737ECB916BE24B41543BAD5B24710C5B9DB701592013A6EBBCC0A544931E6145C7D950B82F
bitmessage: the BM-NBcQxmkfyoVxSRE8WJQqEbXw1s63CMEq
If there are any problems with the website OpenBazaar or desktop application, the payment is completed through a messenger.
Customer support is fast and we guarantee full data recovery after payment.
Best wishes from Cr1ptT0r team.

Initially, the virus is not marking encrypted files with any file appendix. However, some research by Michael Gillespie showed that an end-of-file marker _Cr1ptT0r_ is added to the encrypted data.^[3] Furthermore, researchers analyzed provided samples and revealed that all ransom notes include the same Bitcoin link, victims' ID, URLs.

The _cr1ptt0r_support.txt file allows hackers to access the device remotely, although, according to the interview with hackers themselves, they said that they do not have any interest in personal information extortion are and are only care about the money. However, it does expose victims of Cr1ptT0r to potentially unlimited spying.

There is little to no possibility that your files would get decrypted by these criminals, so remove Cr1ptT0r ransomware and then use data recovery tools, software or features to restore those files. Initially, the recognition rate of malware was relatively low, but currently, it is detected by 28 AV engines under such names as:

• HEUR:Trojan-Ransom.Linux.Cryptor.c
• ELF:Filecoder-AC [Trj]
• Linux.Exploit.DCPC
• a variant of Linux/Filecoder.Q
• LINUX/Encoder.yntew, etc.

Therefore, researchers^[4] advise using reputable software that can detect and eliminate the threat. Additionally, users who use D-Link's DNS-320 should update to latest firmware, although no guarantees can be provided due to the buggy core of the device itself. Cr1ptT0r team said that developers would have to fundamentally rebuild it in order to make it flaw-free.

Because Cr1ptT0r seems to be infecting NAS devices on Linux, malware's primary target are small businesses that store data internally, which explains a quite hefty ransom demand. The virus authors told that the malware could be adapted to Windows operating systems as well, so the infection rate increase can be expected in the near future. In case that happens, we recommend users using FortectIntego for full Cr1ptT0r removal.

Cr1ptT0r ransomware is the cryptovirus that modifies data on NAS using the AES and RSA encryption algorithms.

System vulnerabilities may lead to ransomware infections

There is no specific information about exploit kits or other flaws that get used to distribute the particular threat, but it is one of the more common methods employed to spread ransomware. Also, older software models or outdated firmware can be more vulnerable than those that have been recently updated.

Also, avoid clicking on spam emails with suspicious content or file attachments because malicious macros get added to documents, executables or ZIP archives and when the user downloads and opens the malicious attachment script gets triggered and launches a payload on the targeted device.

Eliminate Cr1ptT0r ransomware from the system using professional antivirus programs

You should focus on Cr1ptT0r ransomware removal and remember that this process requires help from reliable anti-malware tools. Do not try to perform elimination procedure yourself, as the malware is complicated and requires advanced computer knowledge.

Employ your trustworthy antivirus tools or programs to remove Cr1ptT0r from the system. Make sure to get those tools from the official sources to avoid additional infiltration or use software that we suggest in this article. Remember not to start the recovery procedure before all the malicious components are eliminated on the system.