The ransomware group CryptNet has been active since April 2023. Their malware, which is also offered as ransomware-as-a-service on the dark web, is simple but arguably effective and well-disguised against detections. An analyst from the Zscaler ThreatLabz team.
The new group sells their ransomware-as-a-service in underground forums and recruits partners for their criminal activities there. The analysts now examined the modus operandi of the current campaign, which according to the threat actors steals data from affected companies before decryption in order to reinforce their ransom demands by publishing them on a data leak website.
Ransomware including obfuscation
CryptNet ransomware code is written in .NET and obfuscated with .NET Reactor. The malware uses 256-bit AES in CBC mode and 2048-bit RSA to encrypt files. After removing the obfuscation layer, CryptNet shares many similarities with the Chaos ransomware families and their latest variant called Yashma. Similarities in the code include encryption methods, disabling backup services, and shadow copy deletion. CryptNet appears to be based on Yashma's code, but has improved file encryption performance.
One of the ransomware's first actions is to generate an ID, which is added to the ransomware message. It consists of two hard-coded characters followed by 28 pseudo-random numbers and hard-coded characters at the end. In this way, each encrypted system is given a unique decryption ID and the attackers can identify the victim by opening and closing credits. After creating this ID, the actual encryption routine begins. During the encryption process, CryptNet creates a ransom note called RESTORE-FILES-[9 random chars].txt.
Simple but effective ransomware-as-a-service
CryptNet is a simple but effective ransomware that has taken the popular Chaos and Yashma codebase and increased file encryption efficiency. The code isn't particularly advanced, but the algorithms and implementation are cryptographically secure. The group claims to be conducting dual blackmail attacks, following the trend of advanced threat actors. Zscaler's multi-layered cloud security platform detects indicators of CryptNet at different levels under the name Win32.Ransom.CryptNet.
More at Zscaler.com
About Zscaler Zscaler accelerates digital transformation so customers can become more agile, efficient, resilient, and secure. Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting people, devices, and applications anywhere. The SSE-based Zero Trust Exchange is the world's largest inline cloud security platform, distributed across 150+ data centers around the world.