Technical Analysis of CryptNet Ransomware

CryptNet is a .NET-based ransomware-as-a-service observed since April 2023 that combines data exfiltration with file encryption and a Tor-hosted victim portal. Its binary is obfuscated with .NET Reactor, it uses a fresh AES-256-CBC key per file that is wrapped with an embedded 2048-bit RSA public key, and much of its code is lifted from the Chaos/Yashma families and streamlined for speed.

Keypoints

  • Emergence: CryptNet surfaced in April 2023 as a ransomware-as-a-service and claims to perform double extortion (data theft + encryption).
  • Codebase/obfuscation: Implemented in .NET and obfuscated with Eziriz .NET Reactor; off-the-shelf deobfuscators restore control flow and symbols, but the strings remain encrypted in a resource section protected by a custom algorithm and must be decrypted separately.
  • Cryptography: Uses AES-256 in CBC mode with a per-file 32-byte key and 16-byte IV; each AES key is encrypted with a hardcoded 2048-bit RSA key and prepended to the encrypted file.
  • File handling: Fully encrypts files <512KB; for larger files it encrypts three 128KB chunks (start, middle, end) to improve performance.
  • Exclusions & targets: Skips many system directories and specific filenames; targets a very large list of user and data file extensions for encryption.
  • Destructive actions: Terminates numerous user and backup-related processes, stops backup services (if run as admin), deletes shadow copies and the backup catalog using specific vssadmin/wmic/bcdedit/wbadmin commands.
  • Relation to other families: CryptNet closely mirrors Chaos/Yashma code but streamlines concurrency (Tasks per directory) and partial-file encryption to speed operation.

MITRE Techniques

  • No MITRE ATT&CK techniques are explicitly referenced in the article.

Indicators of Compromise

  • [File Hash] CryptNet sample SHA256 – 2e37320ed43e99835caa1b851e963ebbf153f16cbe395f259bd2200d14c7b775
  • [Domain / Tor hidden service] Victim portal / data leak site – cryptr3fmuv4di5uiczofjuypopr63x2gltlsvhur2ump4ebru2xd3yd.onion
  • [Ransom note filename] Ransom note pattern dropped to victims – RESTORE-FILES-[9 random chars].txt

CryptNet’s binary is a .NET program obfuscated with .NET Reactor; standard deobfuscation tools (e.g., NetReactorSlayer) remove control-flow and symbol protections but leave a resource section containing strings encrypted with a custom algorithm. After decrypting that resource, strings are stored sequentially with a preceding 32-bit little-endian length for each string and accessed by offsets. The loader generates a unique decryption ID per victim composed of a two-character hardcoded prefix, 28 pseudorandom characters, and a two-character hardcoded suffix; that ID is included in the ransom note and used by the Tor portal to validate victims.
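The string-table layout described above (entries stored back to back, each preceded by a 32-bit little-endian length, and referenced by offset) is easy to get wrong when writing a one-off extractor, so here is a small parser for it. This is an added example written for this page, not code from the Zscaler analysis or from the malware; the sample strings and the UTF-8 encoding are assumptions (the page does not say which encoding the resource uses, and .NET code commonly stores UTF-16LE, so pass `encoding="utf-16-le"` if that is what the decrypted resource contains). The decryption-ID check only encodes the 2 + 28 + 2 character shape the page gives; the real prefix and suffix values are not on the page and are placeholders here.

```python
import re
import struct


def build_table(strings, encoding="utf-8"):
    """Serialise strings in the length-prefixed layout. Used only to build
    sample input for this example; the real table comes from decrypting the
    .NET Reactor resource section."""
    out = bytearray()
    for s in strings:
        data = s.encode(encoding)
        out += struct.pack("<I", len(data)) + data
    return bytes(out)


def parse_table(blob, encoding="utf-8"):
    """Walk a decrypted string resource and return {offset: string}.

    Each entry is a 4-byte little-endian length followed by that many bytes.
    The offset recorded is the offset of the length field, which is how the
    loader addresses strings. A length that runs past the end of the data
    means the blob was not decrypted correctly (or is truncated)."""
    entries = {}
    pos = 0
    while pos + 4 <= len(blob):
        (length,) = struct.unpack_from("<I", blob, pos)
        start, end = pos + 4, pos + 4 + length
        if end > len(blob):
            raise ValueError(
                f"entry at {pos:#x} declares {length} bytes but only "
                f"{len(blob) - start} remain; wrong key or truncated resource")
        entries[pos] = blob[start:end].decode(encoding, errors="replace")
        pos = end
    if pos != len(blob):
        raise ValueError(f"{len(blob) - pos} trailing bytes after last entry")
    return entries


def string_at(blob, offset, encoding="utf-8"):
    """Resolve one string by offset, as the loader does at runtime."""
    (length,) = struct.unpack_from("<I", blob, offset)
    return blob[offset + 4:offset + 4 + length].decode(encoding, errors="replace")


# Constructed sample table. The contents are illustrative strings of the
# kind the page says the resource holds (command lines, note name, .onion),
# not the actual decrypted CryptNet resource.
SAMPLE_TABLE = build_table([
    "vssadmin delete shadows /all /quiet",
    "RESTORE-FILES-",
    ".onion",
])

# Decryption ID: 2-char hardcoded prefix + 28 pseudorandom chars + 2-char
# hardcoded suffix (32 characters total). PREFIX/SUFFIX are placeholders;
# the page does not give the real values. The character class is an
# assumption as well.
PREFIX, SUFFIX = "XX", "YY"
ID_RE = re.compile(r"(?<![A-Za-z0-9])%s[A-Za-z0-9]{28}%s(?![A-Za-z0-9])"
                   % (re.escape(PREFIX), re.escape(SUFFIX)))


def find_decryption_ids(note_text):
    """Pull candidate decryption IDs out of ransom-note text for triage."""
    return ID_RE.findall(note_text)


if __name__ == "__main__":
    for off, s in parse_table(SAMPLE_TABLE).items():
        print(f"{off:#06x}: {s!r}")
    print(find_decryption_ids("Your ID: XX" + "a" * 28 + "YY"))
```

Run `parse_table` over the whole decrypted resource first; if it raises, the custom decryption step is wrong, since a correctly decrypted table consumes the blob exactly. Once the offsets are known, `string_at` lets you annotate the call sites in the deobfuscated code that pass those offsets.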

For encryption, CryptNet enumerates drives and directories while skipping many system folders and filenames, then processes files by extension. It uses a per-file ephemeral AES-256 key (32 bytes) and a 16-byte IV in CBC mode; for files under 512KB it encrypts the full content, while for larger files it encrypts only three 128KB regions taken from the beginning, middle, and end of the file to reduce runtime. Each file's AES key is encrypted with an embedded 2048-bit RSA public key stored in XML (base64-encoded modulus and exponent), and the RSA-encrypted AES key is prepended to the encrypted payload in the output file. Concurrency is implemented with Tasks that process directories in parallel, which improves throughput over the Chaos/Yashma codebases it derives from. Two practical consequences follow from the partial-encryption design: a large file keeps all but 384KB of its bytes in plaintext (so forensic carving of strings or embedded objects from large documents and databases is often possible even though the file itself is unusable), and the RSA key wrapping means there is no per-victim key to recover from the host, since the private key never leaves the operators.
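To make the file layout concrete for responders, the following models the output format and the partial-encryption region selection described above: a 256-byte RSA-2048 ciphertext of the AES key at the start of the file, followed by the payload, with only three 128KB windows touched in files of 512KB or more. This is an added example written for this page, not code from the Zscaler analysis or the malware. Two assumptions are made explicit in the code: the page does not state exactly how the "middle" chunk is positioned (centred on the midpoint is assumed) nor where the IV is stored, so the IV is not modelled. The value of the example is `intact_regions`, which tells you which byte ranges of a large encrypted file are still plaintext and can be carved.

```python
RSA_KEY_BITS = 2048
RSA_BLOB_LEN = RSA_KEY_BITS // 8       # 256-byte RSA ciphertext of the AES key
AES_KEY_LEN, AES_IV_LEN = 32, 16       # AES-256-CBC key and IV sizes
FULL_ENCRYPT_LIMIT = 512 * 1024        # files under this are fully encrypted
CHUNK = 128 * 1024                     # each sampled region in large files


def encrypted_regions(size):
    """Byte ranges [start, end) that get encrypted in a file of `size` bytes.

    Under 512KB the whole file is encrypted. Otherwise three 128KB regions:
    the first 128KB, a 128KB region around the midpoint, and the last 128KB.
    ASSUMPTION: the middle region is centred on size // 2; the page only
    says 'middle'. Regions cannot overlap because size >= 512KB > 3 * 128KB.
    """
    if size < FULL_ENCRYPT_LIMIT:
        return [(0, size)]
    mid_start = size // 2 - CHUNK // 2
    return [(0, CHUNK), (mid_start, mid_start + CHUNK), (size - CHUNK, size)]


def intact_regions(size):
    """Complement of encrypted_regions: plaintext ranges left in the file,
    which is what you carve when trying to recover content from large files."""
    gaps, cursor = [], 0
    for start, end in encrypted_regions(size):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = end
    if cursor < size:
        gaps.append((cursor, size))
    return gaps


def fraction_encrypted(size):
    """Share of the original bytes actually encrypted (1.0 for small files)."""
    if size == 0:
        return 0.0
    return sum(e - s for s, e in encrypted_regions(size)) / size


def split_output(data):
    """Split an encrypted file into (rsa_wrapped_aes_key, payload).

    The wrapped key is the first RSA_BLOB_LEN bytes. Anything shorter than
    that cannot be a complete CryptNet output and is rejected. The payload
    is the original content with the regions from encrypted_regions()
    replaced by ciphertext; its length equals the original size (plus any
    padding the sample applies, which the page does not specify).
    """
    if len(data) < RSA_BLOB_LEN:
        raise ValueError(f"file is {len(data)} bytes; need at least {RSA_BLOB_LEN}")
    return data[:RSA_BLOB_LEN], data[RSA_BLOB_LEN:]


if __name__ == "__main__":
    for size in (100 * 1024, 512 * 1024, 1024 * 1024, 50 * 1024 * 1024):
        print(f"{size:>10} bytes: encrypted {fraction_encrypted(size):.1%}, "
              f"intact ranges {intact_regions(size)}")
    # Constructed stand-in for an encrypted output: 256 bytes of wrapped
    # key followed by a 1KB payload; there is no real ciphertext here.
    blob, payload = split_output(b"K" * RSA_BLOB_LEN + b"P" * 1024)
    print(len(blob), len(payload))
```

For a 50MB database file this reports that well over 99% of the bytes are untouched, which is why string searches and carving tools still recover a great deal from "encrypted" large files even though the file headers and structure are destroyed.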

Post-encryption actions include dropping a RESTORE-FILES-[9 random chars].txt ransom note, changing the desktop wallpaper, terminating numerous user/database/backup-related processes, and, only when running with administrator privileges, stopping an extensive list of backup services and executing commands to remove shadow copies and backup catalogs. The exact commands executed are: vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet. These are the same inhibit-recovery commands used by many ransomware families, so they are a reliable detection point but not a CryptNet-specific one. Victims are directed to a Tor hidden service where they can enter their decryption ID, test a decryption, and communicate with operators via a chat interface; the actors operate a public leak site on Tor for stolen data.
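The recovery-inhibition command chain above is the most detectable part of the run, since it only appears when the sample has admin rights and it executes four distinct native tools in quick succession. The following is an added detection example written for this page (not from the Zscaler analysis): it matches process-creation command lines against the five commands quoted above and raises an alert per host when two or more distinct techniques are seen, which separates a ransomware run from an administrator legitimately running a single vssadmin or bcdedit command. The log lines are constructed for the example in a simplified key=value format, and the field names and the `{default}` escaping are assumptions about your own telemetry (Sysmon Event ID 1 or EDR process events carry the same fields under other names).

```python
import re
from collections import defaultdict

# One regex per recovery-inhibition technique quoted on the page. Matching
# is done on the full command line so a single cmd.exe /c "a & b & c"
# invocation trips several signatures at once, and a child vssadmin.exe
# process trips the same one again.
SIGNATURES = {
    "vssadmin_delete_shadows": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)", re.I),
    "wbadmin_delete_catalog": re.compile(
        r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
}

# Ransom note name from the page: RESTORE-FILES-[9 random chars].txt.
# ASSUMPTION: the 9 characters are alphanumeric; the page does not say.
NOTE_RE = re.compile(r"(?:^|[\\/])RESTORE-FILES-[A-Za-z0-9]{9}\.txt$", re.I)

# Constructed process-creation log format (assumed, not from the page):
# <timestamp> <host> pid=<n> ppid=<n> image=<path> cmdline="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$')

SAMPLE_LOG = r"""
2023-05-01T10:00:01Z host1 pid=4120 ppid=3980 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"
2023-05-01T10:00:02Z host1 pid=4131 ppid=4120 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2023-05-01T10:05:00Z host2 pid=772 ppid=600 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
2023-05-01T10:06:00Z host3 pid=900 ppid=880 image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled no"
"""


def classify(cmdline):
    """Return the set of technique names a command line matches."""
    return {name for name, rx in SIGNATURES.items() if rx.search(cmdline)}


def scan(log_text):
    """Parse log lines and yield (host, pid, techniques) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip blank or malformed lines
        techniques = classify(m["cmdline"])
        if techniques:
            hits.append((m["host"], int(m["pid"]), techniques))
    return hits


def alerts(log_text, min_techniques=2):
    """Aggregate per host and return {host: sorted technique names} for
    hosts that exhibited at least `min_techniques` distinct techniques.
    One technique alone (host3) is a review item, not an alert, because
    admins do run bcdedit or vssadmin in isolation."""
    per_host = defaultdict(set)
    for host, _pid, techniques in scan(log_text):
        per_host[host] |= techniques
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}


def is_ransom_note(path):
    """True if a file path matches the CryptNet ransom note name pattern."""
    return NOTE_RE.search(path) is not None


if __name__ == "__main__":
    for host, pid, techniques in scan(SAMPLE_LOG):
        print(host, pid, sorted(techniques))
    print(alerts(SAMPLE_LOG))
```

Pair the command-line alert with a file-creation rule on `is_ransom_note` and a burst of file renames/writes from one process tree; the command chain fires once per host, whereas the note is written into every directory the sample touches, so the note name is the higher-volume signal and the command chain the higher-confidence one.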

Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-cryptnet-ransomware