New RaaS CryptNet Advertised for Double Extortion Attacks in Dark Web Forums

The CryptNet RaaS is a new threat being actively marketed to affiliates; rather than a from-scratch build, its code is closely related to the established Chaos ransomware family.

Context

On May 16, 2023, ZScaler threat researchers reported the technical details of a new ransomware-as-a-service (RaaS) operation they’ve observed being advertised on dark web forums. ZScaler researchers provided the following key takeaways:

  • CryptNet is a new ransomware-as-a-service that has been advertised in underground forums since at least April 2023
  • The CryptNet threat group claims to perform double extortion attacks by combining data exfiltration with file encryption
  • The ransomware code is written in the .NET programming language
  • CryptNet uses 256-bit AES in CBC mode to encrypt file contents, with the AES key protected by 2048-bit RSA and stored alongside the encrypted file
  • The CryptNet ransomware codebase is closely related to Chaos ransomware

Technical Details

According to the report:

  • The CryptNet sample was obfuscated with the Eziriz .NET Reactor tool. The researchers were able to “remove the control flow and symbols obfuscation layers, but the ransomware’s important strings remain obfuscated in a resource section, which is encrypted using a custom algorithm”, so static string-based signatures for the binary have to target the decrypted resource rather than the on-disk sample
  • The first action the ransomware takes is to generate a decryption ID for the ransom note, which “is composed of two hardcoded characters followed by 28 pseudorandom characters followed by two more hardcoded characters”

The encryption sequence is:

  1. CryptNet first enumerates all directories across multiple drive letters
  2. CryptNet encrypts every file whose extension matches a preset list (which includes most commonly used file extensions). According to the report, “depending on the file size, the ransomware will encrypt parts of the file or the full file content”
  3. The RSA-encrypted AES key is then prepended to the encrypted file content
  4. During the encryption process, CryptNet drops a ransom note
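As an added example, not code from the ZScaler report or from the ransomware itself, the following Python script triages a suspected CryptNet-encrypted file using only the layout the report describes: a 2048-bit RSA ciphertext (256 bytes) holding the AES key, followed by content that is either fully or only partially AES-encrypted. It scans the body in fixed windows and uses Shannon entropy to distinguish full from partial encryption, which is what an incident responder needs to know before deciding whether any plaintext survives in large files. The assumption that the header is exactly one RSA block with nothing else (such as an IV) in front of the ciphertext, the window size, the thresholds, and the sample data are all choices made here; the page does not state where the IV is stored or which regions of a large file are left unencrypted.

```python
import math
import random
from collections import Counter

# RSA-2048 produces a 256-byte ciphertext block; the report says the
# RSA-encrypted AES key is prepended to the encrypted content. Assumption
# (not stated on the page): the key occupies exactly one RSA block and
# nothing else (e.g. an IV) precedes the AES ciphertext.
RSA_BLOCK_LEN = 2048 // 8
CHUNK_LEN = 4096      # scan window (our choice)
CHUNK_HIGH = 7.5      # bits/byte; AES output over 4 KiB scores ~7.95
HEADER_HIGH = 6.5     # 256 random bytes score ~7.3 on average


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(blob: bytes) -> dict:
    """Classify a suspected CryptNet-encrypted file by its entropy profile.

    Reports whether the first 256 bytes look like an RSA-wrapped key and
    whether the remaining body looks fully, partially, or not at all encrypted.
    """
    header, body = blob[:RSA_BLOCK_LEN], blob[RSA_BLOCK_LEN:]
    windows = [shannon_entropy(body[i:i + CHUNK_LEN])
               for i in range(0, len(body), CHUNK_LEN)]
    high = sum(1 for e in windows if e >= CHUNK_HIGH)
    if not windows:
        coverage = "empty"
    elif high == len(windows):
        coverage = "full"
    elif high == 0:
        coverage = "none"
    else:
        coverage = "partial"
    header_entropy = shannon_entropy(header)
    return {
        "header_entropy": round(header_entropy, 2),
        "header_looks_wrapped_key": (len(header) == RSA_BLOCK_LEN
                                     and header_entropy >= HEADER_HIGH),
        "windows": len(windows),
        "high_entropy_windows": high,
        "coverage": coverage,
    }


def make_sample(kind: str, seed: int = 0xC0FFEE) -> bytes:
    """Constructed stand-ins for real files (no real ciphertext is used).

    "full":    256-byte pseudo-random header + 16 KiB pseudo-random body
    "partial": same header, first 8 KiB pseudo-random, last 8 KiB plain text
    "plain":   16 KiB of plain text and no header at all
    """
    rng = random.Random(seed)

    def rand(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = (b"Quarterly report: revenue, headcount, forecast. " * 400)[:8192]
    if kind == "full":
        return rand(RSA_BLOCK_LEN) + rand(16384)
    if kind == "partial":
        return rand(RSA_BLOCK_LEN) + rand(8192) + text
    if kind == "plain":
        return text + text
    raise ValueError(f"unknown sample kind: {kind}")


if __name__ == "__main__":
    for kind in ("full", "partial", "plain"):
        print(kind, triage(make_sample(kind)))
```

Run it against a real suspect file by replacing `make_sample(...)` with the file's bytes. A "partial" verdict with a high-entropy header is the pattern to expect for large files given the report's note on size-dependent encryption; the surviving low-entropy windows are the regions worth carving for content before any decryptor is available.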

ZScaler researchers also reported similarities between CryptNet and the Yashma and Chaos ransomware strains, including shared codebase and similar excluded file types and folders.

IOCs

ZScaler researchers provided the following indicators of compromise (IOCs):

Indicator                                                          Type    Notes
2e37320ed43e99835caa1b851e963ebbf153f16cbe395f259bd2200d14c7b775   SHA256  CryptNet Ransomware
