
CryptNet Ransomware

ID: 6e9a11b1-993f-53f3-8f73-971d581d3f1e

STIX ID: report--6e9a11b1-993f-53f3-8f73-971d581d3f1e

Feed Name: Zscaler Security Research Blog

Threat Score: 78/100

Date Published: 2025-12-30

Date Updated: 2026-05-01


This report provides a technical analysis of the CryptNet ransomware: its .NET Reactor obfuscation and custom string decryption, generation of a unique decryption ID, AES-CBC per-file encryption with RSA-2048-wrapped keys, targeted file extensions and exclusions, partial and full-file encryption behavior, and destructive post-encryption actions (killing processes and services, deleting shadow copies). It also describes the ransom note format, a Tor-based victim portal with test-decrypt and chat support, and a public data-leak blog used by the operators.
