Ransomware

Technical Analysis of CryptNet Ransomware

Another New Ransomware Causing Chaos

Ransomware

 

Key Points

  • CryptNet is a new ransomware-as-a-service that has been advertised in underground forums since at least April 2023
  • The CryptNet threat group claims to perform double extortion attacks by combining data exfiltration with file encryption
  • The ransomware code is written in the .NET programming language
  • CryptNet uses 256-bit AES in CBC mode and 2048-bit RSA to encrypt files
  • The CryptNet ransomware codebase is closely related to Chaos ransomware

 

Zscaler ThreatLabz has been tracking a new ransomware group known as CryptNet that emerged in April 2023. The group claims to exfiltrate data prior to performing file encryption and hosts a data leak site hosted on a Tor hidden service that currently contains two victims. The group operating the ransomware is also actively recruiting affiliates on criminal forums to conduct breaches. The CryptNet ransomware code is written in .NET and obfuscated using .NET Reactor. After removing the obfuscation layer, CryptNet shares many resemblances to the Chaos ransomware families and the latest variant that is known as Yashma. The code similarities include the encryption methods, capabilities to disable backup services and delete shadow copies. CryptNet appears to have streamlined the Yashma code to improve the file encryption performance.

In this blog, we will analyze the features of CryptNet and the close relationship with Yashma ransomware.

 

Technical Analysis

Obfuscation

The CryptNet sample analyzed by ThreatLabz was obfuscated using Eziriz's .NET Reactor. The tool NetReactorSlayer is easily able to remove the control flow and symbols obfuscation layers, but the ransomware’s important strings remain obfuscated in a resource section, which is encrypted using a custom algorithm as shown in Figure 1.

Figure 1. Example CryptNet string decryption algorithm

 

ThreatLabz has reimplemented this custom encryption algorithm in Python here

After decryption, the strings are stored sequentially with each string preceded by a DWORD value (in little endian) representing its size (in red) as shown in Figure 2.

Figure 2. Decrypted .NET Reactor strings data structure

 

CryptNet then accesses each string by an offset into this structure.

 

Decryption ID

One of the first actions taken by the ransomware is to generate a decryption ID that will be added to the ransom note as shown in Figure 3.

Figure 3. CryptNet decryption ID generation

 

The decryption ID is composed of two hardcoded characters followed by 28 pseudorandom characters followed by two more hardcoded characters. Therefore, every encrypted system will have a unique decryption ID, although the victim can be determined by the hardcoded prefix and suffix characters.

 

File Encryption

After the victim ID is generated, the ransomware will start the main encryption routine as shown in Figure 4.

Figure 4. Main CryptNet encryption routine

 

CryptNet will first loop through all directories for each drive letter, excluding those shown in Table 1.

 

windows.old

windows.old.old

amd

nvidia

program files

program files (x86)

windows

$recycle.bin

documents and settings

intel

perflogs

programdata

boot

games

msocach


Table 1. Directories excluded by CryptNet from file encryption

 

The following file names in Table 2 are also excluded from file encryption.

 

iconcache.db

autorun.inf

thumbs.db

boot.ini

bootfont.bin

ntuser.ini

bootmgr

bootmgr.efi

bootmgfw.efi

desktop.ini

ntuser.dat

  


Table 2. File names excluded by CryptNet from file encryption 

 

CryptNet will encrypt all files that match the following extensions in Table 3.

 

.myd

.ndf

.qry

.sdb

.sdf

.tmd

.tgz

.lzo

.txt

.jar

.dat

.contact

.settings

.doc

.docx

.xls

.xlsx

.ppt

.pptx

.odt

.jpg

.mka

.mhtml

.oqy

.png

.csv

.py

.sql

.indd

.cs

.mp3

.mp4

.dwg

.zip

.rar

.mov

.rtf

.bmp

.mkv

.avi

.apk

.lnk

.dib

.dic

.dif

.mdb

.php

.asp

.aspx

.html

.htm

.xml

.psd

.pdf

.xla

.cub

.dae

.divx

.iso

.7zip

.pdb

.ico

.pas

.db

.wmv

.swf

.cer

.bak

.backup

.accdb

.bay

.p7c

.exif

.vss

.raw

.m4a

.wma

.ace

.arj

.bz2

.cab

.gzip

.lzh

.tar

.jpeg

.xz

.mpeg

.torrent

.mpg

.core

.flv

.sie

.sum

.ibank

.wallet

.css

.js

.rb

.crt

.xlsm

.xlsb

.7z

.cpp

.java

.jpe

.ini

.blob

.wps

.docm

.wav

.3gp

.gif

.log

.gz

.config

.vb

.m1v

.sln

.pst

.obj

.xlam

.djvu

.inc

.cvs

.dbf

.tbi

.wpd

.dot

.dotx

.webm

.m4v

.amv

.m4p

.svg

.ods

.bk

.vdi

.vmdk

.onepkg

.accde

.jsp

.json

.xltx

.vsdx

.uxdc

.udl

.3ds

.3fr

.3g2

.accda

.accdc

.accdw

.adp

.ai

.ai3

.ai4

.ai5

.ai6

.ai7

.ai8

.arw

.ascx

.asm

.asmx

.avs

.bin

.cfm

.dbx

.dcm

.dcr

.pict

.rgbe

.dwt

.f4v

.exr

.kwm

.max

.mda

.mde

.mdf

.mdw

.mht

.mpv

.msg

.myi

.nef

.odc

.geo

.swift

.odm

.odp

.oft

.orf

.pfx

.p12

.pl

.pls

.safe

.tab

.vbs

.xlk

.xlm

.xlt

.xltm

.svgz

.slk

.tar.gz

.dmg

.ps

.psb

.tif

.rss

.key

.vob

.epsp

.dc3

.iff

.opt

.onetoc2

.nrw

.pptm

.potx

.potm

.pot

.xlw

.xps

.xsd

.xsf

.xsl

.kmz

.accdr

.stm

.accdt

.ppam

.pps

.ppsm

.1cd

.p7b

.wdb

.sqlite

.sqlite3

.db-shm

.db-wal

.dacpac

.zipx

.lzma

.z

.tar.xz

.pam

.r3d

.ova

.1c

.dt

.c

.vmx

.xhtml

.ckp

.db3

.dbc

.dbs

.dbt

.dbv

.frm

.mwb

.mrg

.txz

.mrg

.vbox

.wmf

.wim

.xtp2

.xsn

.xslt

              


Table 3. File extensions encrypted by CryptNet


Depending on the file size, the ransomware will encrypt parts of the file or the full file content. If the file is less than 512KB in size, CryptNet will encrypt the full file. Otherwise, the code will encrypt just the first 128KB of data from the beginning, middle and end of the file as shown in Figure 5.

Figure 5. CryptNet encryption algorithm for large files 

 

The symmetric encryption algorithm used in both cases is AES in CBC mode with a pseudo randomly generated 32-byte key and 16-byte initialization vector (IV) per file. Each file’s AES key will be encrypted with a hardcoded 2,048-bit RSA key. The ransomware stores the RSA key as an encrypted string in XML format with the RSA modulus and exponent base64 encoded as shown below:

<RSAKeyValue><Modulus>8TO8tQQRyFqQ0VShtSpLkDqtDVsrxS8SfdOsqRAj8mWF7sVoGzyZMcv501DF6iZUdKYsFDlaSMnuckG9+MJmD2ldZwU/0H6Xztkta1BkJWSO2qHg2JAGDp9ZsFGP1wDR9oRb1w7wtBe7Db3wf7q848+qKPWiTP/2R/jlR4evW73M65Jdo9uOzQnbmvw+blsloXeszuYlW2nCcwQ7WarzAK29UmM9ZHS0/lqzU0KHNU+DvyfGwmMJgtb2HN6GFGXq9Z0n3dNBCQVzdUl2G/7fLAMoFbJeExn5USZdFHr2ygheTilo/shmfq7tcPCZM8C4zqBtb0Nbct0f/M48+H920Q==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>

The RSA encrypted AES key is then prepended to the encrypted file content. 

 

Ransom note and finishing actions

During the encryption process, CryptNet will drop a ransom note with the name RESTORE-FILES-[9 random chars].txt containing the following text:

 

*** CRYPTNET RANSOMWARE ***

--- What happened? ---

All of your files are encrypted and stolen. Stolen data will be published soon
on our tor website. There is no way to recover your data and prevent data leakage without us
Decryption is not possible without private key. Don't waste your and our time to recover your files. 
It is impossible without our help

--- How to recover files & prevent leakage? ---

To make sure that we REALLY CAN recover your data - we offer FREE DECRYPTION for warranty. 
We promise that you can recover all your files safely and prevent data leakage. We can do it!

--- Contact Us---

Download Tor Browser - https://www.torproject.org/download/ and install it
Open website:  http://cryptr3fmuv4di5uiczofjuypopr63x2gltlsvhur2ump4ebru2xd3yd.onion
Enter DECRYPTION ID:  [DECRYPTION ID]

 

CryptNet will then proceed to change the wallpaper and kill the following processes in Table 4.

 

sqlwriter

sqbcoreservice

VirtualBoxVM

sqlagent

sqlbrowser

sqlservr

code

steam

zoolz

agntsvc

firefoxconfig

infopath

synctime

VBoxSVC

tbirdconfig

thebat

thebat64

isqlplussvc

mydesktopservice

mysqld

ocssd

onenote

mspub

mydesktopqos

CNTAoSMgr

Ntrtscan

vmplayer

oracle

outlook

powerpnt

wps

xfssvccon

ProcessHacker

dbeng50

dbsnmp

encsvc

excel

tmlisten

PccNTMon

mysqld-nt

mysqld-opt

ocautoupds

ocomm

msaccess

msftesql

thunderbird

visio

winword

wordpad

mbamtray

        


Table 4. Processes terminated by CryptNet

 

Additionally, if the ransomware is run with administrator privileges, CryptNet will stop the list of services shown in Table 5.
 

BackupExecAgentBrowser

veeam

VeeamDeploymentSvc

PDVFSService

BackupExecVSSProvider4

BackupExecAgentAccelerator

svc

AcrSch2Svc

AcronisAgent

Veeam.EndPoint.Service

CASAD2DWebSvc

CAARCUpdateSvc

YooIT

memtas

sophos

DefWatch

ccEvtMgr

SavRoam

RTVscan

QBFCService

Intuit.QuickBooks.FCS

YooBackup

BackupExecRPCService

MSSQLSERVER

backup

GxVss

GxBlr

GxFWD

GxCVD

GxCIMgr

VeeamNFSSvc8

BackupExecDiveciMediaService

SQLBrowser

SQLAgent$VEEAMSQL2008R2

SQLAgent$VEEAMSQL2012

VeeamDeploymentService

BackupExecJobEngine

Veeam.EndPoint.Tray6

BackupExecManagementService

SQLAgent$SQL_2008

zhudongfangyu

stc_raw_agent

QBCFMonitorService

VeeamTransportSvc

VSNAPVSS$
 

Table 5. Services stopped by CryptNet

 

CryptNet will also remove Windows shadow copies and then delete the backup catalog if the ransomware has administrator privileges. To perform those actions, the following commands are executed:

vssadmin delete shadows /all /quiet & wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet

 

Victim Portal and Data Leak Site

When a victim accesses the Tor hidden service in the ransom note, a login screen prompts the user to enter a decryption ID and solve a captcha as shown in Figure 6.

 

Figure 6. CryptNet victim ransom portal

 

After the decryption ID is entered, the victim is presented with a timer and an option to test file decryption as shown in Figure 7.