CryptNet Ransomware Dissection
Earlier this week, security researchers reported the technical details of a new ransomware-as-a-service operation dubbed CryptNet, which they had observed being advertised on dark web forums.
CryptNet has been advertised in underground forums for at least a month. Its mode of operation is double extortion: data exfiltration combined with file encryption.
The ransomware is written in .NET and uses 256-bit AES in CBC mode and 2048-bit RSA to encrypt files. It shares code similarities with the Chaos and Yashma ransomware families.
The analysed sample is obfuscated with the Eziriz .NET Reactor tool. The control flow and symbol obfuscation layers can be removed, but the important strings remain obfuscated in a resource section that is encrypted with a custom algorithm.
The first action the ransomware takes is to generate a decryption ID for the ransom note, which “is composed of two hardcoded characters followed by 28 pseudorandom characters followed by two more hardcoded characters”.
The symmetric encryption algorithm used in both cases (partial and full file encryption) is AES in CBC mode with a pseudorandomly generated 32-byte key and 16-byte initialization vector (IV) per file. Each file’s AES key is encrypted with a hardcoded 2,048-bit RSA key.
Sequence for encryption
- CryptNet first loops through all directories on multiple drive letters.
- CryptNet encrypts all files that match a preset list of extensions. Depending on the file size, the ransomware encrypts either parts of the file or the full file content.
- The RSA-encrypted AES key is then prepended to the encrypted file content. During the encryption process, CryptNet drops a ransom note.
CryptNet will also remove Windows shadow copies and then delete the backup catalog if the ransomware has administrator privileges.
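Detection logic for the shadow-copy and backup-catalog deletion behaviour described above, as an added example that is not part of the Zscaler report. It assumes the standard Windows built-ins (vssadmin, wmic, wbadmin) are what gets executed, since the page only names the behaviour, and it runs over a constructed pipe-delimited process-creation export rather than real telemetry.

```python
import re
from collections import defaultdict

# Standard Windows commands that delete Volume Shadow Copies and the backup
# catalog. The report states the behaviour, not the command lines, so these
# patterns are an assumption, not something taken from the CryptNet sample.
SHADOW_DELETE = re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)
CATALOG_DELETE = re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)

def parse_line(line):
    """Parse one constructed process-creation record: ts|parent_pid|parent_image|command_line."""
    ts, parent_pid, parent_image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent_pid": int(parent_pid), "parent_image": parent_image, "cmdline": cmdline}

def detect_backup_destruction(lines):
    """Flag a parent process that deletes shadow copies and afterwards deletes the backup catalog.

    Returns one alert per offending parent process with the matched command lines
    in the order they appeared. A lone catalog deletion with no preceding shadow-copy
    deletion from the same parent is left to a separate rule.
    """
    stage = defaultdict(list)          # parent_pid -> matched command lines so far
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_line(line)
        pid = ev["parent_pid"]
        if SHADOW_DELETE.search(ev["cmdline"]):
            stage[pid].append(ev["cmdline"])
        elif CATALOG_DELETE.search(ev["cmdline"]) and stage[pid]:
            stage[pid].append(ev["cmdline"])
            alerts.append({"parent_pid": pid, "parent_image": ev["parent_image"], "commands": stage.pop(pid)})
    return alerts

# Constructed sample export (not real telemetry): a scheduled backup, an admin
# listing shadows, a suspect chain from a downloaded binary, and a lone catalog deletion.
SAMPLE_LOG = r"""
2023-04-20T10:00:01Z|1201|C:\Windows\System32\taskeng.exe|wbadmin start backup -backupTarget:E: -quiet
2023-04-20T10:00:05Z|3300|C:\Windows\System32\mmc.exe|vssadmin list shadows
2023-04-20T10:01:03Z|4412|C:\Users\user\Downloads\invoice.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete
2023-04-20T10:01:04Z|4412|C:\Users\user\Downloads\invoice.exe|cmd.exe /c wbadmin delete catalog -quiet
2023-04-20T10:02:00Z|5100|C:\Windows\System32\svchost.exe|wbadmin delete catalog -quiet
"""

if __name__ == "__main__":
    for alert in detect_backup_destruction(SAMPLE_LOG.splitlines()):
        print(alert["parent_pid"], alert["parent_image"], alert["commands"])
```

Because the rule keys on the sequence rather than on either command alone, routine `wbadmin start backup` jobs and `vssadmin list shadows` checks do not fire; the catalog deletion matters only because the page notes it follows the shadow-copy removal and requires administrator privileges.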
This research was documented by researchers from Zscaler ThreatLabz.
Indicators of Compromise