D‑Link NAS Ransomware Vulnerability

28 February, 2019

On February 22, 2019, D-Link was made aware that the Cr1ptT0r Ransomware was affecting some D-Link Network Attached Storage (NAS): DNS-320 Ax/Bx, DNS-325, DNS-320L, and DNS-327L. D-Link has recently become aware that the following additional models are also vulnerable to the Cr1ptT0r Ransomware: DNS-323 Ax/Bx/Cx, DNS-345, DNS-343, and DNS-340L.

 

Description of Ransomware Security Issue:

In a Ransomware attack, the Ransomware encrypts stored information and then demands payment to decrypt the information. Based on the information currently available to us, the antivirus companies have not yet created a new tool to decrypt information attacked by the Cr1ptT0r Ransomware (or Ransomware family). To recover the encrypted information, users will need to retrieve the data from their previous backup.

The models in the table below may be affected by the Cr1ptT0r Ransomware. For owners of these products, we urge you to take the following actions promptly:

| Model | H/W Version | Latest F/W Version | Actions to take |
|---|---|---|---|
| DNS-320 | Ax | 2.06 | Disable the Internet connection to NAS |
| DNS-320 | Bx | 1.03 | Disable the Internet connection to NAS |
| DNS-323 | Ax | 1.03 | Disable the Internet connection to NAS |
| DNS-323 | Bx | 1.07 | Disable the Internet connection to NAS |
| DNS-325 | Ax | 1.05 | Disable the Internet connection to NAS |
| DNS-345 | Ax | 1.05 | Disable the Internet connection to NAS |
| DNS-323 | Cx | 1.10 | Update to latest firmware version |
| DNS-343 | Ax | 1.05 | Update to latest firmware version |
| DNS-320L | Ax | 1.11 | Update to latest firmware version |
| DNS-327L | Ax | 1.10 | Update to latest firmware version |
| DNS-340L | Ax | 1.08 | Update to latest firmware version |

Ransomware is a virus that attacks a device. Firmware updates often address security vulnerabilities in devices that may be exploited by Internet attacks such as a ransomware attack. However, once a device is infected by the virus, firmware updates will not restore your data. Antivirus companies have created new tools to address past ransomware attacks and may develop decryption tools to address the Cr1ptT0r Ransomware in the future. Until that time, to better protect your devices from Internet viruses, malware and ransomware:

1. Do not connect these devices directly to the Internet and/or port-forward services directly from the Internet.

2. Keep device firmware up to date.

3. Any computer accessing information on these devices should have appropriate antivirus and malware protection enabled.

4. Back up the information stored on these devices regularly in case disaster recovery is needed.

DNS-320 Ax/Bx, DNS-323 Ax/Bx, DNS-325 Ax, and DNS-345 Ax have passed their end of service dates, as displayed on their product support pages. For these models, please remove the NAS's Internet access on your router by disabling the port forwarding and DMZ settings.

Once a product reaches end of service, it is no longer supported by D-Link through customer support and it does not receive software/firmware updates.

D-Link's End of Life policy can be found here: http://eu.dlink.com/eol