In April 2023, a new ransomware group called CryptNet appeared for the first time, whose activities have now been analyzed by the security analysts of the Zscaler ThreatLabz team. The new group sells their ransomware-as-a-service in underground forums and recruits partners for their criminal activities there.
The analysts now examined the modus operandi of the current campaign, which according to the threat actors steals data from affected companies before decryption in order to reinforce their ransom demands by publishing them on a data leak website.
CryptNet ransomware code is written in .NET and obfuscated with .NET Reactor. The malware uses 256-bit AES in CBC mode and 2048-bit RSA to encrypt files. After removing the obfuscation layer, CryptNet shares many similarities with the Chaos ransomware families and their latest variant called Yashma. Similarities in the code include encryption methods, disabling backup services, and shadow copy deletion. CryptNet appears to be based on Yashma’s code, but has improved file encryption performance.
One of the ransomware’s first actions is to generate an ID, which is added to the ransomware message. It consists of two hard-coded characters followed by 28 pseudo-random numbers and hard-coded characters at the end. In this way, each encrypted system is given a unique decryption ID and the attackers can identify the victim by opening and closing credits. After creating this ID, the actual encryption routine begins. During the encryption process, CryptNet creates a ransom note called RESTORE-FILES-[9 random chars].txt.
CryptNet is a simple but effective ransomware that has taken the popular Chaos and Yashma codebase and increased file encryption efficiency. The code isn’t particularly advanced, but the algorithms and implementation are cryptographically secure. The group claims to be conducting dual blackmail attacks, following the trend of advanced threat actors. Zscaler’s multi-layered cloud security platform detects indicators of CryptNet at different levels under the name Win32.Ransom.CryptNet.