{
	"id": "0e019aa7-66e1-4347-a169-7b1dbd27f1d8",
	"created_at": "2026-04-06T00:10:35.797127Z",
	"updated_at": "2026-04-10T03:21:00.403657Z",
	"deleted_at": null,
	"sha1_hash": "b4f9d82597254f1bba66906554a7b755c444ec87",
	"title": "CryptNET Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 572012,
	"plain_text": "CryptNET Ransomware\r\nPublished: 2023-04-20 · Archived: 2026-04-05 19:21:49 UTC\r\nOverview\r\nThis is a new .NET ransomware that was recently documented on Twitter by Zscaler ThreatLabz. This\r\nransomware has a leaks site at\r\nhttp[:]//blog6zw62uijolee7e6aqqnqaszs3ckr5iphzdzsazgrpvtqtjwqryid[.]onion/ and has atleast one victim.\r\nAccording to Zscaler the ransomware is also protected using .NET Reactor\r\nExample Ransom Note\r\n*** CRYPTNET RANSOMWARE ***\r\n--- What happened? ---\r\nAll of your files are encrypted and stolen. Stolen data will be published soon\r\non our tor website. There is no way to recover your data and prevent data leakage without us\r\nDecryption is not possible without private key. Don't waste your and our time to recover your files.\r\nIt is impossible without our help\r\n--- How to recover files \u0026 prevent leakage? ---\r\nTo make sure that we REALLY CAN recover your data - we offer FREE DECRYPTION for warranty.\r\nWe promise that you can recover all your files safely and prevent data leakage. 
We can do it!\r\n--- Contact Us---\r\nDownload Tor Browser - https://www.torproject.org/download/ and install it\r\nOpen website: http://cryptr3fmuv4di5uiczofjuypopr63x2gltlsvhur2ump4ebru2xd3yd.onion\r\nEnter DECRYPTION ID: xxxxxxxxxxxxxxxxxxxxxxxxxx\r\nSample\r\n2e37320ed43e99835caa1b851e963ebbf153f16cbe395f259bd2200d14c7b775 UnpacMe\r\nReferences\r\nNETReactorSlayer thanks washi for the tip : ))\r\nAnalysis\r\nFiles are encrypted with AES CBC using a generated 256 bit key and IV.\r\nThe generated AES keys are encrypted using a hard coded RSA key and appended to the encrypted files.\r\nRSA Key\r\n\"\u003cRSAKeyValue\u003e\u003cModulus\u003e8TO8tQQRyFqQ0VShtSpLkDqtDVsrxS8SfdOsqRAj8mWF7sVoGzyZMcv501DF6iZUdKYsFDlaSMnuckG9+MJmD2ld\r\nFile Extension Targets\r\n.myd .ndf .qry .sdb .sdf .tmd .tgz .lzo .txt .jar .dat .contact .settings .doc .docx .xls .xlsx .ppt .pptx .odt\r\nServices To Kill\r\nBackupExecAgentBrowser veeam VeeamDeploymentSvc PDVFSService BackupExecVSSProvider BackupExecAgentAccelerator v\r\nProcesses To Kill\r\nsqlwriter sqbcoreservice VirtualBoxVM sqlagent sqlbrowser sqlservr code steam zoolz agntsvc firefoxconfig infop\r\nShadow Copies Destroyed\r\nvssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures \u0026 bcdedit /set {default} recoveryenabled no\r\nwbadmin delete catalog -quiet\r\nFiles Excluded From Encryption\r\niconcache.db\r\nautorun.inf\r\nthumbs.db\r\nboot.ini\r\nbootfont.bin\r\nntuser.ini\r\nbootmgr\r\nbootmgr.efi\r\nbootmgfw.efi\r\ndesktop.ini\r\nntuser.dat\r\nDirectories Excluded From Encryption\r\nwindows.old\r\nwindows.old.old\r\namd\r\nnvidia\r\nprogram files\r\nprogram files (x86)\r\nwindows\r\n$recycle.bin\r\ndocuments and 
settings\r\nintel\r\nperflogs\r\nprogramdata\r\nboot\r\ngames\r\nmsocach\r\nSource: https://research.openanalysis.net/dotnet/cryptnet/ransomware/2023/04/20/cryptnet.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.openanalysis.net/dotnet/cryptnet/ransomware/2023/04/20/cryptnet.html"
	],
	"report_names": [
		"cryptnet.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434235,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4f9d82597254f1bba66906554a7b755c444ec87.pdf",
		"text": "https://archive.orkl.eu/b4f9d82597254f1bba66906554a7b755c444ec87.txt",
		"img": "https://archive.orkl.eu/b4f9d82597254f1bba66906554a7b755c444ec87.jpg"
	}
}