CryptNet: Ransomware-as-a-Service with obfuscation

B2B Cyber ​​Security ShortNews

Share post

The ransomware group CryptNet has been active since April 2023. Their malware, which is also offered as ransomware-as-a-service on the dark web, is simple but arguably effective and well-disguised against detections. An analyst from the Zscaler ThreatLabz team.

The new group sells their ransomware-as-a-service in underground forums and recruits partners for their criminal activities there. The analysts now examined the modus operandi of the current campaign, which according to the threat actors steals data from affected companies before decryption in order to reinforce their ransom demands by publishing them on a data leak website.

Ransomware including obfuscation

CryptNet ransomware code is written in .NET and obfuscated with .NET Reactor. The malware uses 256-bit AES in CBC mode and 2048-bit RSA to encrypt files. After removing the obfuscation layer, CryptNet shares many similarities with the Chaos ransomware families and their latest variant called Yashma. Similarities in the code include encryption methods, disabling backup services, and shadow copy deletion. CryptNet appears to be based on Yashma's code, but has improved file encryption performance.

One of the ransomware's first actions is to generate an ID, which is added to the ransomware message. It consists of two hard-coded characters followed by 28 pseudo-random numbers and hard-coded characters at the end. In this way, each encrypted system is given a unique decryption ID and the attackers can identify the victim by opening and closing credits. After creating this ID, the actual encryption routine begins. During the encryption process, CryptNet creates a ransom note called RESTORE-FILES-[9 random chars].txt.

Simple but effective ransomware-as-a-service

CryptNet is a simple but effective ransomware that has taken the popular Chaos and Yashma codebase and increased file encryption efficiency. The code isn't particularly advanced, but the algorithms and implementation are cryptographically secure. The group claims to be conducting dual blackmail attacks, following the trend of advanced threat actors. Zscaler's multi-layered cloud security platform detects indicators of CryptNet at different levels under the name Win32.Ransom.CryptNet.

More at


About Zscaler

Zscaler accelerates digital transformation so customers can become more agile, efficient, resilient, and secure. Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting people, devices, and applications anywhere. The SSE-based Zero Trust Exchange is the world's largest inline cloud security platform, distributed across 150+ data centers around the world.


Matching articles on the topic

Report: 40 percent more phishing worldwide

The current spam and phishing report from Kaspersky for 2023 speaks for itself: users in Germany are after ➡ Read more

BSI sets minimum standards for web browsers

The BSI has revised the minimum standard for web browsers for administration and published version 3.0. You can remember that ➡ Read more

Stealth malware targets European companies

Hackers are attacking many companies across Europe with stealth malware. ESET researchers have reported a dramatic increase in so-called AceCryptor attacks via ➡ Read more

IT security: Basis for LockBit 4.0 defused

Trend Micro, working with the UK's National Crime Agency (NCA), analyzed the unpublished version that was in development ➡ Read more

MDR and XDR via Google Workspace

Whether in a cafe, airport terminal or home office – employees work in many places. However, this development also brings challenges ➡ Read more

Test: Security software for endpoints and individual PCs

The latest test results from the AV-TEST laboratory show very good performance of 16 established protection solutions for Windows ➡ Read more

FBI: Internet Crime Report counts $12,5 billion in damage 

The FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which includes information from over 880.000 ➡ Read more

HeadCrab 2.0 discovered

The HeadCrab campaign against Redis servers, which has been active since 2021, continues to successfully infect targets with the new version. The criminals' mini-blog ➡ Read more