My NAS drive was recently infected by the Sharecenter - Cr1pT0r Ransomware. The following is a chronological account of events, the strategy I used for recovery, and the negotiation.
Day 0 -
- discovered a file called _FILES_ENCRYPTRD_README.txt that had been replicated into several folders
- sandboxed a machine and accessed the NAS
- the user I logged in with had the admin privileges stripped; logged in as the root admin
- attempted to open several files and could not
- attempted to delete several "remote" users that had been set up, and they continued to replicate
- had a RAID drive in the box, so I removed it in case my tampering caused the main drive to format
- started pulling older backup drives and DVDs to see if I could get away with formatting and moving on
Day 1 -
- I created a qTox account and entered the contact code --
PHILOSOPHY - Be Patient, Portray inability to pay
I started off with "I would like to get a couple of my files back".
After almost 24 hours without hearing anything, I posted the following:
[16:06:33] lockedout: well... I'm about ready to scrub everything and move on... too bad you froze files from a business I closed 3 years ago.
[20:46:42] Cr1ptT0r: Thank you for contacting us.
You can decrypt 2 files for free by sending via this chat software.
Private key for automated decryption of all files via the software is $1200 USD.
Only Bitcoin is accepted for payment.
Bitcoin can be bought here https://www.binance.com/en/buy-sell-crypto, https://www.coinbase.com/, https://localbitcoins.com/, https://paxful.com/ or other options can be found via Google.
Kind regards.
[22:35:38] lockedout: I send you 2 files, you decrypt for free.... Do I attach them in this chat using the paper clip?
[22:57:03] lockedout: Will this take long? I have to pull a double shift and have to leave soon.
[23:29:10] lockedout: hello?
[23:29:53] Cr1ptT0r: One moment
[23:30:21] Cr1ptT0r: Your case ID is dc89a1a6e552ef5542a444a514e67045f4640f7be261ed8067b3614ac5a2c82b
I then sent him my 2 most important files through qTox, and he quickly sent them back decrypted.
From this point on I had all I needed and was willing to lose the rest of the files, but I wanted to see what I could negotiate.
[23:35:52] lockedout: trying to open to verify the files decrypted
[23:57:33] lockedout: 2nd file, can't find the download?
[00:04:18] lockedout: ok. they opened. but no way am I gonna pay 1200 when I only need about 20 of the files. what can we work out?
[00:04:50] Cr1ptT0r: How much can you pay?
[00:05:39] lockedout: I'll pay you $5 per file...
[00:05:57] Cr1ptT0r: For $200, I will give you the key for all files.
[00:07:31] lockedout: hmmm... hold on. I need to call into work and let them know I'm running late - can we work together to complete in the next hour?
[00:07:45] Cr1ptT0r: yes
[00:08:06] Cr1ptT0r: Or you can go work and we complete this later.
[00:08:19] Cr1ptT0r: Sometimes there is a delay to make the payment.
[00:08:22] lockedout: I'm already late
[00:09:13] lockedout: what do you mean, delay?
[00:09:48] Cr1ptT0r: You need to open an account and they might do an ID check before you can withdraw the funds.
[00:11:01] lockedout: I'm registering now
[00:32:22] lockedout: ya, could take up to 24 hours to verify my identity... so how do I get my files back... they were all in my recycle bin
[00:33:06] lockedout: if it's too complicated, then I don't know
[00:33:20] Cr1ptT0r: Once the payment is received you will get a text file with the key. Once the key is copied on the NAS
[00:33:45] Cr1ptT0r: it will decrypt all the files after reboot.
[00:34:50] lockedout: not sure I can put files on it. it said I didn't have access
[00:35:25] lockedout: I can read it, but not anything else
[00:35:27] Cr1ptT0r: You can put them in an archive and host them on filebin.net and I will decrypt them.
[00:36:04] Cr1ptT0r: Unless you know how to use linux then I can give you the decryption software.
[00:37:48] lockedout: uhhh... way over my head with all that... how about I send you the files I need and you do them just like the last 2?
[00:38:23] Cr1ptT0r: If you put them in an archive and host them online we will probably save time.
[00:38:35] Cr1ptT0r: But you can send them one by one if you prefer.
[00:39:00] lockedout: it's 750 gig of files bro to try and archive... I'm no genius
[00:39:04] lockedout: I might have a friend that can help
[00:40:27] Cr1ptT0r: For 750 gig you need to use the NAS or if your friend can help you then you can decrypt them by accessing the files via a system running linux (it can run from a usb thumb drive or a virtual machine).
[00:42:23] lockedout: I found the admin access
[00:42:53] Cr1ptT0r: If the device is running then I can probably install the key and reboot the device for you.
[00:45:14] Cr1ptT0r: According to my logs it will take about 101 hours to decrypt all files.
[00:45:35] Cr1ptT0r: But I can't access it right now.
[00:46:39] Cr1ptT0r: However you only need to save the text file on the root folder and reboot the device.
[00:46:57] lockedout: I initiated a buy... I can do $150.00, not sure when it will complete. once it does, how do I pay you?
[00:48:21] Cr1ptT0r: Once you are ready please send your payment to this bitcoin address: 19znRShejmJLTktZ7F7FAekCgJYRkeds8
I created an account with localbitcoin and purchased $158.88 in coin.
Day 2 -
[10:38:12] lockedout: found someone to buy from. waiting for escrow release then I will send $150 US bitcoin to
[10:40:11] lockedout: ok... I have bitcoin in my wallet.
[10:41:11] lockedout: you there?
[10:43:27] lockedout: I bought all I could with what's in my account... 158.88 US in bitcoin - put all the bitcoin in the field to send, and it says the amount is $130.93... it's all I got. good with that?
[10:46:13] lockedout: I've got about 10 minutes before my break is over and gotta go back...
[10:46:16] lockedout: hello?
[10:52:17] lockedout: hello?
[12:49:53] lockedout: checking in again...
[12:55:15] lockedout: I'm on my lunch break... can we finalize this thing?
[12:56:39] Cr1ptT0r: I'm here.
[12:57:22] lockedout: saw my note about how much it will transfer after fee? $130.93... deal?
[12:57:53] Cr1ptT0r: ok
[12:58:22] lockedout: ok logging into localbitcoin now
[12:58:39] Cr1ptT0r: I will send you the instruction while I wait for payment.
[12:58:49] lockedout: ok
[12:58:49] Cr1ptT0r: 1. Save this key on the first folder of your device (Volume_1) and delete _cr1ptt0r_logs.txt
2. Reboot the device
3. After reboot you can see the progress in _cr1ptt0r_logs.txt, and when all files are decrypted the last line will say "done".
[12:59:57] lockedout: what do i put in as the description?
[13:00:10] Cr1ptT0r: Not needed.
[13:00:14] lockedout: ok
[13:03:03] lockedout: done
[13:03:35] Cr1ptT0r: It will take 1-2 minutes.
[13:04:48] Cr1ptT0r: Let me know if you need help. You can contact me again also when the process is completed if you need help to cleanup the device.
I followed his instructions and loaded the file he sent with the decryption key. It took 4 days to decrypt.
I then contacted him again:
[23:36:42] lockedout: how does the software get uninstalled when complete?
[23:38:09] Cr1ptT0r: I can give you a script that is run on the NAS or you need to format the hard drive.
[23:39:19] Cr1ptT0r: This is the script. You need to replace the existing fun_plug and reboot. It takes about 30 sec, then the device reboots again. To check that it is uninstalled you can delete _cr1ptt0r_logs.txt and reboot, and the file should not be recreated.
[23:57:06] lockedout: thanks man
[23:58:07] Cr1ptT0r: You should also remove any port forward rule to the device and upgrade the firmware if available.
I then loaded his script and followed his instructions.
Once done, I deleted the files and logs associated with the ransomware, installed the most up-to-date firmware I could find, re-ran the setup software from an external source, and scanned the entire drive with an updated Avast virus scan.
All clear, all files intact, out-of-pocket expense $158.88.
I have BOTH the decryption key AND the fun_plug file for removal.
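As an added example (not code from this post or from the NAS vendor), here is a small audit script a defender could run against the NAS volume mounted read-only from a Linux live system, looking for the artefacts this post names: the ransom note replicated across folders, the _cr1ptt0r_logs.txt progress file, and a fun_plug boot hook (the ShareCenter startup script the malware replaced). The sample tree is constructed inline; the volume path and folder names are assumptions, and a fun_plug hit only means "review this file", not proof of infection.

```python
"""Audit a mounted NAS volume for the Cr1ptT0r artefacts named in the post.

Added example, not the post's or the vendor's code. The mount point and the
sample folder layout are assumptions; the tree built below is constructed.
"""
import os
import tempfile

RANSOM_NOTE = "_FILES_ENCRYPTRD_README.txt"  # spelled exactly as the post reports it
LOG_FILE = "_cr1ptt0r_logs.txt"              # progress log the malware rewrites on boot
HOOK_FILE = "fun_plug"                       # boot hook script the malware replaced


def audit_volume(root):
    """Walk `root` and return the paths (relative to root) of each artefact."""
    findings = {"ransom_notes": [], "log_files": [], "hook_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(rel)
            elif name == LOG_FILE:
                findings["log_files"].append(rel)
            elif name == HOOK_FILE:
                findings["hook_files"].append(rel)
    # The strongest signal the author saw: the same note dropped in many folders.
    findings["note_replicated"] = len(findings["ransom_notes"]) > 1
    # Post-cleanup check from the post: after removal, the log must not reappear.
    findings["log_present"] = bool(findings["log_files"])
    return findings


def build_sample_volume():
    """Constructed sample tree mimicking an infected Volume_1 (demo data only)."""
    root = tempfile.mkdtemp(prefix="volume_1_")
    for folder in ("", "Photos", "Business/2016"):
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, RANSOM_NOTE), "w") as f:
            f.write("constructed ransom note\n")
    with open(os.path.join(root, LOG_FILE), "w") as f:
        f.write("constructed progress log\n")
    with open(os.path.join(root, HOOK_FILE), "w") as f:
        f.write("#!/bin/sh\n# constructed placeholder hook\n")
    return root


if __name__ == "__main__":
    for key, value in audit_volume(build_sample_volume()).items():
        print(f"{key}: {value}")
```

Run it a second time after the cleanup reboot the post describes; `log_present` should then be False and `hook_files` should only list a fun_plug you put there yourself.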