Key points
CryptNet is a new ransomware-as-a-service (RaaS) that has been advertised on underground forums since at least April 2023.
The CryptNet threat group claims to carry out double extortion attacks, combining data exfiltration with file encryption.
The ransomware is written in .NET.
CryptNet encrypts files with 256-bit AES in CBC mode and protects each file's AES key with a 2048-bit RSA key.
The CryptNet codebase is closely related to the Chaos ransomware family.
Zscaler ThreatLabz has discovered a new ransomware group called CryptNet, which appeared in April 2023. The group claims to exfiltrate data before encrypting files and runs a data leak site hosted as a Tor hidden service, which currently lists two victims. The group is also actively recruiting affiliates on criminal forums. The CryptNet ransomware is written in .NET and obfuscated with .NET Reactor. Once the obfuscation layer is removed, CryptNet shows many similarities to the Chaos ransomware family and its latest variant, Yashma, including the encryption methods, the ability to stop backup services, and the deletion of shadow copies. CryptNet appears to have modified the Yashma code to improve file encryption performance.
In this blog, we analyze the characteristics of CryptNet and its close connection with the Yashma ransomware.
Technical analysis
Obfuscation
The CryptNet samples analyzed by ThreatLabz were obfuscated with Eziriz's .NET Reactor. The NetReactorSlayer tool easily removes the control-flow and symbol-renaming layers, but the important ransomware strings remain in the resource section, encrypted with a custom algorithm, as shown in Figure 1.
Figure 1. Example of the CryptNet algorithm used to decrypt a string
ThreatLabz has reimplemented this custom string decryption algorithm in Python (linked from the original post).
After decryption, the strings are stored one after another, each preceded by a little-endian DWORD giving its size (highlighted in red in the figure), as shown in Figure 2.
Figure 2. The decrypted data structure of a .NET Reactor array
CryptNet then accesses each string by its offset in this structure.
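As an added example (not code from the ThreatLabz post), the following Python builds a constructed string table in the length-prefixed layout just described and reads entries back by offset, with the bounds checks a parser of untrusted decrypted data should have:

```python
import struct

# Constructed sample table (not from a real CryptNet sample): each entry is a
# little-endian DWORD length followed by the UTF-8 string bytes, laid out back
# to back, as the post describes for the decrypted .NET Reactor array.
def build_table(strings):
    """Serialize strings in the length-prefixed layout; returns (blob, offsets)."""
    blob = bytearray()
    offsets = []
    for s in strings:
        offsets.append(len(blob))
        data = s.encode("utf-8")
        blob += struct.pack("<I", len(data)) + data
    return bytes(blob), offsets

def read_string_at(blob, offset):
    """Read the single entry at a known offset, the way the ransomware does."""
    if offset + 4 > len(blob):
        raise ValueError("offset past end of table")
    (size,) = struct.unpack_from("<I", blob, offset)
    start = offset + 4
    if start + size > len(blob):
        raise ValueError("declared length overruns table")
    return blob[start:start + size].decode("utf-8")

def walk_table(blob):
    """Walk the whole table sequentially; returns {offset: string}."""
    out, pos = {}, 0
    while pos < len(blob):
        out[pos] = read_string_at(blob, pos)
        (size,) = struct.unpack_from("<I", blob, pos)
        pos += 4 + size
    return out

# Constructed sample strings, chosen to resemble values seen later in the post.
SAMPLE_STRINGS = [".txt", "RESTORE-FILES-", "vssadmin delete shadows /all /quiet"]
SAMPLE_BLOB, SAMPLE_OFFSETS = build_table(SAMPLE_STRINGS)
```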
Decryption ID
The ransomware's first action is to generate a decryption ID and insert it into the ransom note, as shown in Figure 3.
Figure 3. CryptNet decryption ID generation
The decryption ID consists of two hard-coded characters, followed by 28 pseudorandom characters, followed by two more hard-coded characters. Each infected system therefore receives a unique decryption ID, while the hard-coded prefix and suffix characters can be used to identify the victim.
File encryption
After generating the victim ID, the ransomware runs the main encryption routine, as shown in Figure 4.
Figure 4. The main CryptNet encryption routine
CryptNet first traverses all directories on each drive letter except those listed in Table 1.
Windows.old
Windows.old.old
AMD
Nvidia
Program Files
Program Files (x86)
Windows
$Recycle.Bin
Documents and Settings
Intel
PerfLogs
ProgramData
Stafford
game
MSOCache
Table 1. Directories excluded by CryptNet from file encryption
The following filenames in Table 2 are also excluded from file encryption.
IconCache.db
autorun.inf
Thumbs.db
boot settings
bootfont.bin
user profile
bootmgr
boot manager file
bootmgfw.efi
desktop.ini
ntuser.dat
Table 2. File names excluded by CryptNet from file encryption
CryptNet encrypts all files matching the following extensions in Table 3.
. swelling
.ndf
.qry
.sdb
.sdf
.tmd
.tgz
.lzo
.txt
. Kruger
. this
. touch
. it's time
.doc
.docx
.xls
.xlsx
.ppt
.pptx
.odt
.jpg
.mka
.mhtml
. or
.png
.csv
.py
.sql
.indd
.cs
.mp3
.mp4
.dwg
. shutter
.rar
.mov
.rtf
.bmp
.mkv
.avi
.apk
. shortcut
. return
.dic
diff file
.mdb
.php
.asp
.aspx
.html
.htm
.xml
.psd
.xla
. cub
.dae
.divx
.iso
.7zip
.pdb
.ico
. yes
.db
.wmv
.swf
.cer
.bak
.backup
.accdb
. bay
.p7c
.exif
.vss
.roh
.m4a
.wma
. as
.arj
.bz2
. taxi
.gzip
.lzh
.Tell
.jpeg
.xz
.mpeg
. torrent
.mpg
. Kern
.flv
. Then
. total
.bank
. wallet
.css
.js
.rb
.crt
.xlsm
.xlsb
.7z
.cpp
.java
.jpe
. this
. get dirty
.wps
.docm
.wav
.3gp
.gif
. protocol
.gz
.config
.vb
.m1v
.sln
.pst
.obj
.xlam
.djvu
.inc
.cvs
.dbf
.tbi
.wpd
.period
.dotx
.webm
.m4v
.amv
.m4p
.svg
.ods
.bk
.vdi
.vmdk
.onepkg
.accde
.jsp
.json
.xltx
.vsdx
.uxdc
.udl
.3ds
.3fr
.3g2
.accda
.accdc
.accdw
.adp
.ai
.ai3
.ai4
.ai5
.ai6
.ai7
.ai8
.rauh
.ascx
.asm
.asmx
.avs
. container
.cfm
.dbx
.dcm
.dcr
.Bild
.rgbe
.dwt
.f4v
.exr
...
.maks
.mda
.mde
.mdf
.mdw
.mht
.mpv
. information
. sold out
.nef
.odc
.geo
. Quickly
.odm
.odp
. often
.orf
.pfx
.p12
.pl
.pls
. certainly
. Label
.vbs
.xlk
.xlm
.xlt
.xltm
.svgz
.slk
.tar.gz
.dmg
.ps
.psb
.tif
.rss
. taste
.vob
.epsp
.dc3
.iff
. choose
.onetoc2
.nrw
.pptm
.potx
.potm
. pot
.xlw
.xps
.xsd
.xsf
.xsl
.kmz
.accdr
.stm
.accdt
.ppam
.pps
.ppsm
.1cd
.p7b
.wdb
.sqlite
.sqlite3
.db-shm
.db-wal
.dacpac
. shutter
.lzma
.z
.tar.xz
.pam
.r3d
.ova
.1c
.dt
.c
.vmx
.xhtml
.ckp
.db3
.dbc
.dbs
.dbt
.dbv
.frm
.mwb
.mrg
.tx
.mrg
.vbox
.wmf
.wim
.xtp2
.xsn
.xslt
Table 3. CryptNet-encrypted file extensions
Depending on the file size, the ransomware encrypts either all or only part of a file's contents. If the file is smaller than 512 KB, CryptNet encrypts the entire file. Otherwise, it encrypts only three 128 KB blocks of data: at the beginning, in the middle, and at the end of the file, as shown in Figure 5.
Figure 5. CryptNet encryption algorithm for large files
In both cases the symmetric algorithm is AES in CBC mode, with a pseudorandom 32-byte key and 16-byte initialization vector (IV) generated per file. Each file's AES key is then encrypted with a hard-coded 2048-bit RSA public key. The ransomware stores this RSA key as an encrypted string in the .NET XML key format, with the RSA modulus and exponent encoded in Base64.
The RSA-encrypted AES key is then appended to the contents of the encrypted file.
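An added example, not from the original post, that turns the size-dependent scheme above into numbers an incident responder can use: given a file's original size, it reports which byte ranges CryptNet overwrites with ciphertext and which remain plaintext and can still be carved. It assumes the middle 128 KB block starts at half the file size, which the post does not specify, and it ignores the RSA-encrypted key appended after the contents.

```python
KB = 1024
FULL_ENCRYPT_LIMIT = 512 * KB   # files below this size are encrypted in full
CHUNK = 128 * KB                # size of each partially-encrypted block

def encrypted_ranges(file_size):
    """Byte ranges [(start, length), ...] that CryptNet overwrites.
    Assumption (not stated in the post): the middle block starts at size // 2."""
    if file_size < FULL_ENCRYPT_LIMIT:
        return [(0, file_size)]
    blocks = [(0, CHUNK), (file_size // 2, CHUNK), (file_size - CHUNK, CHUNK)]
    # Merge touching or overlapping blocks so callers get disjoint, ordered ranges;
    # this matters near the 512 KB threshold, where the blocks meet.
    merged = []
    for start, length in sorted(blocks):
        end = start + length
        if merged and start <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [(s, e - s) for s, e in merged]

def intact_ranges(file_size):
    """Complement of encrypted_ranges: plaintext an analyst can still recover."""
    out, pos = [], 0
    for start, length in encrypted_ranges(file_size):
        if start > pos:
            out.append((pos, start - pos))
        pos = start + length
    if pos < file_size:
        out.append((pos, file_size - pos))
    return out

def intact_fraction(file_size):
    """Share of the original bytes left untouched (0.0 for an empty file)."""
    if file_size == 0:
        return 0.0
    return sum(length for _, length in intact_ranges(file_size)) / file_size
```

For a 1 MiB file only 37.5% of the bytes are ciphertext, and for a file of exactly 512 KB the blocks meet so that only the second 128 KB survive; files below 512 KB are lost entirely without the key.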
Ransom note and final actions
During the encryption process, CryptNet drops a ransom note named RESTORE-FILES-[9 random characters].txt with the following text:
*** CRYPTNET RANSOMWARE ***
--- What happened? ---
All your files are encrypted and stolen. The stolen data is about to become public
on our Tor site. Your data cannot be recovered and data breaches cannot be prevented without us.
It cannot be decrypted without the private key. Don't waste your time and ours trying to recover your files.
This would not be possible without our help.
--- How to recover files and prevent data breaches? ---
To make sure we can actually recover your data, we offer free decryption as a guarantee.
We promise you can safely recover all your files and prevent data breaches. We can do it!
--- Contact us ---
Download and install Tor Browser: https://www.torproject.org/download/
Open URL: http://cryptr3fmuv4di5uiczofjuypopr63x2gltlsvhur2ump4ebru2xd3yd.onion
Enter Decryption ID: [Decryption ID]
CryptNet then changes the desktop wallpaper and terminates the processes listed in Table 4.
SQLwriter
sqbcoreservice
virtual machine virtual machine
sqlagent
browser
sqlservr
coding
reduce
zoolz
agntsvc
firefoxconfig
infopath
synctime
VBoxSVC
tbirdconfig
thebat
thebat64
isqlplussvc
mydesktopservice
mysqld
ocssd
notes
WeChat public account
mydesktopqos
CNTAoSMgr
network scan
virtual player
oracle
outlook
powerpnt
wps
xfssvccon
process hacker
dbeng50
dbsnmp
encsvc
excel
the list
PccNTMon
mysqld-nt
mysqld-opt
ocaautoupds
ocomm
access permission
msftesql
donna vogel
visio
winword
wordpad
tray
Table 4. Processes terminated by CryptNet
Additionally, if the ransomware is running with administrator privileges, CryptNet stops the services listed in Table 5.
BackupExecAgentBrowser
vim
VeeamDeploymentService
PDVFSService
BackupExecVSSProvider4
BackupExecAgentAccelerator
Serve
AcrSch2Svc
AcronisAgent
Veeam.EndPoint.Service
CASAD2DWebSvc
CAARCUpdateSvc
Youte
meme
software
DefWatch
event manager
roaming
RTVscan
QBFCService
Intuit.QuickBooks.FCS
Excellent backup
BackupExecRPCService
MSSQLSERVER
fuse
GxVss
GxBlr
GxFWD
GxCVD
GxCIMgr
VeeamNFSSvc8
BackupExecDiveciMediaService
SQLBrowser
SQLAgent$VEEAMSQL2008R2
SQLAgent$VEEAMSQL2012
VeeamDeploymentService
BackupExecJobEngine
Veeam.EndPoint.Tray6
BackupExecManagementService
SQLAgent$SQL_2008
zhudongfangyu
stc_raw_agent
QBCFMonitorService
VeeamTransportSvc
VSNAPVSS$
Table 5. Services stopped by CryptNet
If the ransomware has administrative privileges, CryptNet also deletes the Windows Volume Shadow Copies, disables Windows recovery, and deletes the backup catalog by running the following commands:
vssadmin delete shadows /all /quiet & wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
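Added detection example (not from the post): one regular expression per backup-tampering command listed above, run over a constructed, tab-separated process-creation log. The log format and the technique names are assumptions made for illustration.

```python
import re

# One pattern per command quoted above. Matching is case-insensitive and
# tolerant of extra whitespace and an explicit .exe suffix.
BACKUP_TAMPERING = {
    "shadow_copy_deletion_vssadmin": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "shadow_copy_deletion_wmic": re.compile(
        r"wmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bootstatus_ignore_bcdedit": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s*bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "recovery_disabled_bcdedit": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s*recoveryenabled\s+no\b", re.I),
    "backup_catalog_deletion_wbadmin": re.compile(
        r"wbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}

def classify(cmdline):
    """Names of every backup-tampering technique found in one command line."""
    return [name for name, rx in BACKUP_TAMPERING.items() if rx.search(cmdline)]

def scan_log(lines):
    """Apply classify to 'pid<TAB>user<TAB>command line' records.
    Returns [(pid, [technique, ...]), ...] for the records that matched."""
    alerts = []
    for line in lines:
        pid, _user, cmd = line.rstrip("\n").split("\t", 2)
        hits = classify(cmd)
        if hits:
            alerts.append((int(pid), hits))
    return alerts

# Constructed sample log (not from a real incident). The three chained
# commands mirror what the post reports; the last record is benign.
SAMPLE_LOG = [
    "4120\tWORKSTATION\\alice\tcmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete",
    "4132\tWORKSTATION\\alice\tbcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no",
    "4140\tWORKSTATION\\alice\twbadmin delete catalog -quiet",
    "4150\tWORKSTATION\\bob\tvssadmin list shadows",
]
```

Because the three commands run in quick succession from the same parent, correlating these alerts by parent process and time window gives a much stronger signal than any single match.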
Victim portal and data leak site
When a victim accesses the hidden Tor service mentioned in the ransom note, the login screen asks the user to enter a decryption ID and solve a captcha, as shown in Figure 6.
Figure 6. Victim’s CryptNet ransom portal
After entering the decryption ID, the victim will see a timer and an option to test file decryption, as shown in Figure 7.
Figure 7. CryptNet ransomware portal with test decryption
The portal also provides a chat feature to interact with the threat group and negotiate a ransom payment, as shown in Figure 8.
Figure 8. CryptNet live chat support
One automated chat message provided a link to a “blog” page where the CryptNet threat actor posted stolen data from compromised companies, as shown in Figure 9.
Figure 9. CryptNet data breach site
Connection to Chaos/Yashma
Similarities
CryptNet clearly shares the same codebase as the Chaos and Yashma ransomware families, with many code similarities. For example, Figure 10 compares the main encryption routines of CryptNet and Yashma, which have the same structure, checks, and control flow.
Figure 10. Comparison of the main encryption routines of Yashma (left) and CryptNet (right).
Excluded folders and files are also very similar, as are file extensions used for encryption (see Appendix).
Both ransomware families also stop numerous backup services and run the same commands to delete volume shadow copies, disable recovery mode, and delete the backup catalog, as shown in Figure 11.
Figure 11. Yashma (left) and CryptNet (right) commands to disable backups
Differences
Compared to Yashma, CryptNet lacks some features, including persistence and language/country checks. CryptNet also uses a different file encryption approach (based on file size) and a different concurrency model. These differences are most likely intended to reduce the time needed to encrypt files: Yashma encrypts the entire contents of every file (which can take a long time for large files), while CryptNet fully encrypts only small files (< 512 KB) and encrypts only small portions of larger files.
The concurrency implementations of CryptNet and Yashma also differ. Yashma uses Parallel.For to loop over each file, whereas CryptNet uses Tasks to process each directory, as shown in Figure 12.
Figure 12. Yashma (left) and CryptNet (right) concurrency implementations
A task-based implementation may be better suited to file encryption workloads.
Conclusion
CryptNet is a simple but effective ransomware that takes the popular Chaos and Yashma codebases and improves the efficiency of file encryption. The code is not particularly advanced, but the algorithms and their implementation are cryptographically sound. The group also claims to carry out double extortion attacks, following a growing trend set by more advanced threat groups.
Zscaler ThreatLabz continues to monitor this threat and add detections to protect our customers.
Zscaler Cloud Sandbox
In addition to sandbox detection, Zscaler's multi-layered cloud security platform detects indicators related to CryptNet at different levels under the following threat name:
Win32.Ransom.CryptNet
Indicators of Compromise (IOCs)
SHA256 | Description
2e37320ed43e99835caa1b851e963ebbf153f16cbe395f259bd2200d14c7b775 | CryptNet ransomware
Appendix
Yashma excluded folders
Program Files
Program Files (x86)
Windows
$Recycle.Bin
MSOCache
Documents and Settings
Intel
PerfLogs
Windows.old
supermicro
Nvidia
ProgramData
Yashma excluded files
AppData\Local
AppData\LocalLow
Users\All Users
\ProgramData
boot settings
bootfont.bin
boot settings
IconCache.db
ntuser.dat
ntuser.dat.log
user profile
Thumbs.db
autorun.inf
bootect.bin
bootmgfw.efi
desktop.ini
Yashma encrypted file extensions
.txt
. Kruger
. this
. touch
. it's time
.doc
.docx
.xls
.xlsx
.ppt
.pptx
.odt
.jpg
.mka
.mhtml
. or
.png
.csv
.py
.sql
.mdb
.php
.asp
.aspx
.html
.htm
.xml
.psd
.xla
. cub
.dae
.indd
.cs
.mp3
.mp4
.dwg
. shutter
.rar
.mov
.rtf
.bmp
.mkv
.avi
.apk
. shortcut
. return
.dic
diff file
.divx
.iso
.7zip
. as
.arj
.bz2
. taxi
.gzip
.lzh
.Tell
.jpeg
.xz
.mpeg
. torrent
.mpg
. Kern
.pdb
.ico
. yes
.db
.wmv
.swf
.cer
.bak
.backup
.accdb
. bay
.p7c
.exif
.vss
.roh
.m4a
.wma
.flv
. Then
. total
.bank
. wallet
.css
.js
.rb
.crt
.xlsm
.xlsb
.7z
.cpp
.java
.jpe
. this
. get dirty
.wps
.docm
.wav
.3gp
.webm
.m4v
.amv
.m4p
.svg
.ods
.bk
.vdi
.vmdk
.onepkg
.accde
.jsp
.json
.gif
. protocol
.gz
.config
.vb
.m1v
.sln
.pst
.obj
.xlam
.djvu
.inc
.cvs
.dbf
.tbi
.wpd
.period
.dotx
.xltx
.pptm
.potx
.potm
. pot
.xlw
.xps
.xsd
.xsf
.xsl
.kmz
.accdr
.stm
.accdt
.ppam
.pps
.ppsm
.1cd
.3ds
.3fr
.3g2
.accda
.accdc
.accdw
.adp
.ai
.ai3
.ai4
.ai5
.ai6
.ai7
.ai8
.rauh
.ascx
.asm
.asmx
.avs
. container
.cfm
.dbx
.dcm
.dcr
.Bild
.rgbe
.dwt
.f4v
.exr
...
.maks
.mda
.mde
.mdf
.mdw
.mht
.mpv
. information
. sold out
.nef
.odc
.geo
. Quickly
.odm
.odp
. often
.orf
.pfx
.p12
.pl
.pls
. certainly
. Label
.vbs
.xlk
.xlm
.xlt
.xltm
.svgz
.slk
.tar.gz
.dmg
.ps
.psb
.tif
.rss
. taste
.vob
.epsp
.dc3
.iff
.onepkg
.onetoc2
. choose
.p7b
.pam
.r3d
.anom
.exe
Original post by Santiago Vicente (Zscaler ThreatLabz): https://www.zscaler.com/blogs/security-research/technical-analysis-cryptnet-ransomware