Cryptor[.]biz is a well-known crypting service in the cybercriminal underworld. Crypting, or disguising malware so that it appears benign, is a crucial step for cybercriminals who rely on spreading malicious software. It means repackaging a malicious file (typically by encrypting or packing the payload behind a small loader stub) so that its on-disk appearance changes and antivirus tools no longer recognize it, while its behavior once executed stays the same. Some cybercriminals handle crypting themselves, but many outsource the task to trusted third parties such as Cryptor[.]biz.
The demand for reliable crypting has produced numerous providers in the cybercrime industry, but most are short-lived and lack expertise. Cryptor[.]biz stands out as a reputable and trusted service: it is recommended by the authors of the RedLine and Vidar information stealers, malware families widely used for data theft and as a stepping stone to ransomware attacks.
The identity of the person behind Cryptor[.]biz is obscured. The registration records for the website are hidden, but clues on the site itself indicate that prospective customers register by visiting the domain crypt[.]guru or by messaging "masscrypt@exploit.im" on Jabber. Historical (passive) DNS records for both cryptor[.]biz and crypt[.]guru show that, at one point, both domains forwarded incoming email to the address "obelisk57@gmail.com."
Investigations by cyber intelligence firm Intel 471 reveal that the email address “obelisk57@gmail.com” is associated with the user “Kerens.” This email address was used to register an account on the Blacksoftware forum. The Jabber address “masscrypt@exploit.im” has been linked to the user “Kerens” on the Russian hacking forum Exploit since 2011.
The login page for Cryptor[.]biz, together with the forum history of "Kerens," provides further clues about the person running the service. In 2011, "Kerens" posted a negative review of a competing crypting service, VIP Crypt, on the Exploit forum, criticizing its reliability. After that review, "Kerens" went quiet on the forum for several years, resurfacing in October 2016 to advertise Cryptor[.]biz. The email address "pepyak@gmail.com" was used by "Kerens" to register accounts on the Russian-language hacking forums Verified and Damagelab. The domain autodoska[.]biz, registered to "pepyak@gmail.com," was associated with a person named Yuri Churnov from Sevastopol, Crimea.
"Kerens" also used the email address "unforgiven57@mail.ru," which was used to register several domains, including antivirusxp09[.]com. Another email address, "spurtov@gmail.com," was linked to domains such as mobile-soft[.]su. A customer record leaked in a breach of CDEK, a Russian express-delivery company, showed "gumboldt@gmail.com" belonging to a customer named Sergey Yurievich Purtov.
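The attribution above is a chain of pivots on shared identifiers: a domain forwards mail to an address, the address registered a forum account, the account's handle is tied to another address, and so on. The following is an added example (not code from the article or from Intel 471) that models those reported links as a small graph and walks it. The evidence list is constructed from the page's own statements; treating "Kerens" as a single node across forums is this example's assumption, and the Purtov record is included without any link to the rest because the page reports none.

```python
from collections import defaultdict, deque

# Constructed evidence list modelled on the links the article reports.
# Each tuple: (identifier_a, identifier_b, evidence). Collapsing "Kerens"
# into one node across forums is this example's assumption (handle reuse),
# not the article's claim; careful work keeps one node per forum account.
OBSERVATIONS = [
    ("cryptor[.]biz", "crypt[.]guru", "site directs registrants to this domain"),
    ("cryptor[.]biz", "masscrypt@exploit.im", "Jabber contact listed on site"),
    ("cryptor[.]biz", "obelisk57@gmail.com", "passive DNS: mail forwarded here"),
    ("crypt[.]guru", "obelisk57@gmail.com", "passive DNS: mail forwarded here"),
    ("obelisk57@gmail.com", "Kerens", "Blacksoftware forum registration (Intel 471)"),
    ("masscrypt@exploit.im", "Kerens", "Exploit forum profile since 2011"),
    ("Kerens", "pepyak@gmail.com", "Verified / Damagelab registrations"),
    ("pepyak@gmail.com", "autodoska[.]biz", "domain registration record"),
    ("autodoska[.]biz", "Yuri Churnov", "registrant name, Sevastopol"),
    ("Kerens", "unforgiven57@mail.ru", "additional address used by Kerens"),
    ("unforgiven57@mail.ru", "antivirusxp09[.]com", "domain registration record"),
    ("spurtov@gmail.com", "mobile-soft[.]su", "domain registration record"),
    ("gumboldt@gmail.com", "Sergey Yurievich Purtov", "leaked CDEK customer record"),
]


def build_graph(observations):
    """Undirected graph: node -> {neighbour: evidence}. Insertion order is
    preserved so that path selection is deterministic."""
    graph = defaultdict(dict)
    for a, b, evidence in observations:
        graph[a].setdefault(b, evidence)
        graph[b].setdefault(a, evidence)
    return graph


def shortest_path(graph, start, goal):
    """BFS from start to goal. Returns a list of (node, evidence_for_arrival)
    hops, or None when no chain of observations connects the two."""
    if start not in graph or goal not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    if goal not in parent:
        return None
    hops, node = [], goal
    while node is not None:
        prev = parent[node]
        hops.append((node, graph[prev][node] if prev else "start"))
        node = prev
    return hops[::-1]


def components(graph):
    """Connected components. Identifiers that no reported observation links
    fall into separate clusters, which is exactly where a chain breaks."""
    seen, clusters = set(), []
    for node in list(graph):
        if node in seen:
            continue
        cluster, stack = set(), [node]
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            cluster.add(cur)
            stack.extend(graph[cur])
        clusters.append(cluster)
    return clusters


if __name__ == "__main__":
    g = build_graph(OBSERVATIONS)
    for hop, why in shortest_path(g, "cryptor[.]biz", "Yuri Churnov"):
        print(f"{hop:28s} <- {why}")
    # No reported observation ties the CDEK record to the service, so this is None.
    print(shortest_path(g, "cryptor[.]biz", "Sergey Yurievich Purtov"))
    print(len(components(g)), "separate clusters")
```

Running it prints the five-hop chain from cryptor[.]biz to the autodoska[.]biz registrant with the evidence for each hop, returns None for the Purtov record, and reports three disconnected clusters: the only thing joining "gumboldt@gmail.com" or "spurtov@gmail.com" to the Kerens cluster would be an observation the page does not state. Keeping the evidence on every edge is the point of the exercise; an attribution is only as strong as its weakest hop, and a graph that records none is a rumor.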
Investigating the crypting space is valuable for security researchers and law enforcement, because the top players in this niche are typically experienced and well-connected malicious coders. Crypting services deal directly with advanced malware authors, which makes them a useful source of intelligence on new malware before it is widely deployed. Disrupting or infiltrating a trusted crypting service can significantly impede the operations of every crew that depends on it.
The identity of the person behind Cryptor[.]biz remains unknown, and attempts to contact Sergey Yurievich Purtov, who is potentially tied to the service, have been unsuccessful. However, shedding light on these crypting services and their operators can aid in combating cybercrime and protecting individuals and organizations from malicious attacks.