
A Briefing on Malware Crypting Services

Sep 04, 2024

Much like in traditional business sectors, cybercriminals rely on a variety of services and products they need to purchase to carry out their illegal operations. Cybercriminal schemes frequently rely on the distribution of malware to computers, which provides a foothold that can be abused for data theft, ransomware and more. Malware crypting services — known as “crypters” — play a crucial role in this context. These software programs are designed to encrypt, obfuscate and manipulate malware to ensure it can bypass security software and controls. Crypters are particularly favored by operators of ransomware, information stealers (infostealers) and remote access trojans (RATs), and these services are a critical part of the cybercrime-as-a-service economy.

Malware crypting is a complex and time-consuming process; therefore, most serious threat actors opt to outsource this critical function to selected, trusted third parties. Choosing the right third party for the task can be challenging due to the plethora of advertisements across multiple marketplaces, which seek to tap into the high demand for reliable crypting services. However, as with any service in the underground market, only a few providers manage to establish reputable standings. Moving forward, we anticipate the demand for crypting services will rise and the number of threat actors who try to distinguish themselves in this market will increase.

This blog post is an abridged version of a report that contains sensitive information about threat actors in this underground market sector. For the full report, which is part of our Adversary Intelligence offering, please contact Intel 471.

Malware Crypting Dictionary

Crypters are primarily categorized by how they modify malware to evade detection:

Static crypters: Encrypt the malware once, and the encrypted form remains the same with each distribution. They are easier to detect than other types because once the encryption method is identified, antivirus programs can adapt to recognize it.

Polymorphic crypters: Modify the encryption or the encryption algorithm each time the malware is distributed, creating a unique version for each instance. This makes them more difficult to detect than static crypters since each instance appears different to antivirus systems.

Metamorphic crypters: Change not only the encryption, but also the underlying code of the malware between distributions, making this malware extremely difficult to detect through conventional means. Metamorphic crypters are the rarest type and are almost never advertised in the underground market.

Scantime and Runtime Evasion

These terms describe when the encryption or obfuscation of malware is effective in evading detection by security systems:

Scantime crypters: Encrypt or obfuscate malware to evade detection during the initial scanning process, typically conducted by antivirus programs when a file is created, modified, downloaded or executed.

Runtime crypters: Protect malware from detection while it is already running on a host system. Runtime crypters often involve more complex mechanisms, such as injecting malicious code into running processes or rewriting code during execution to avoid detection by behavior monitoring tools. The stub, a crucial component of a malware crypter, orchestrates these mechanisms. It manages the encryption and decryption of the malware's code to minimize exposure and adjusts tactics based on real-time surveillance of security activities.

Stub and Fully Undetectable

The stub is responsible for decrypting the encrypted payload of the malware once it is executed on the target system. It contains the necessary decryption algorithm and keys needed to unlock the obfuscated code. After decrypting the payload, the stub subsequently executes the malware and initiates its malicious activities on the host machine.

Fully undetectable (FUD) refers to a crypter's capability to make malware completely undetectable by antivirus software. Threat actors often liberally use this term to attract more potential clients even if it isn’t accurate.
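One defensive consequence of this design: because the stub carries the encrypted payload as an opaque blob, that blob stands out statistically from ordinary code and strings. The script below is an added example, not code from Intel 471 or from any crypter; it computes Shannon entropy over a sliding window to flag high-entropy regions in a file, using a constructed sample (low-entropy filler around a seeded pseudo-random blob) in place of a real stub.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_spans(data: bytes, window: int = 1024, step: int = 512,
                       threshold: float = 7.0) -> list[tuple[int, int]]:
    """Slide a window over the file and merge overlapping windows whose
    entropy reaches the threshold. Encrypted or compressed payloads score
    near 8.0; plain native or .NET code and strings score well below 7.0."""
    spans: list[list[int]] = []
    for off in range(0, len(data) - window + 1, step):
        if shannon_entropy(data[off:off + window]) >= threshold:
            if spans and off < spans[-1][1]:
                spans[-1][1] = off + window  # overlaps the previous hit: extend it
            else:
                spans.append([off, off + window])
    return [(s, e) for s, e in spans]


def build_sample() -> tuple[bytes, int, int]:
    """Constructed stand-in for a stub: low-entropy 'code' around a 4 KiB
    pseudo-random blob that plays the role of the encrypted payload.
    Returns the bytes plus the payload's start and end offsets."""
    rng = random.Random(1234)  # fixed seed so the sample is reproducible
    filler = b"constructed stand-in for ordinary stub code and strings; " * 60
    payload = rng.randbytes(4096)
    start = len(filler)
    return filler + payload + filler, start, start + len(payload)


if __name__ == "__main__":
    data, start, end = build_sample()
    print(f"whole-file entropy: {shannon_entropy(data):.2f}")
    for s, e in high_entropy_spans(data):
        print(f"high-entropy region 0x{s:x}-0x{e:x} (payload at 0x{start:x}-0x{end:x})")
```

A whole-file entropy figure alone hides a small payload inside a large stub, which is why the check is windowed; on a real PE the same function can be run per section instead.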

Crypter Landscape

Free Crypters in Open Source and Underground

A wide array of tools, including malware crypters, is readily accessible online.

Open source crypters can be an appealing option for threat actors — especially those with limited budgets or newcomers to cybercrime. These tools can be easily customized and provide a valuable learning and experimentation opportunity for those interested in building their own software in the future. However, the accessibility of these tools also means they are likely well known to security researchers and vendors. Consequently, their signatures and heuristics are more widely implemented in antivirus and anti-malware products, which potentially diminishes their effectiveness. Therefore, more sophisticated threat actors may still opt for proprietary or custom-built crypters for high-stakes operations to minimize detection risks.

A search for “crypter” on the GitHub software development platform yields more than 100 different variations of publicly available crypters and illustrates the ease with which users can access these potentially malicious tools.

Figure 1: A screenshot of a GitHub search showing the number of public repositories related to crypters as of July 18, 2024.

Some of these crypters are labeled for “educational or research purposes only,” yet their accessibility does not necessarily deter malicious use. One such example is Xencrypt by the user Xentropy aka Sam Anttila, which demonstrates how to create a crypter. Anttila, who is an information security engineer at Google, also offers a tutorial on writing crypters.

Figure 2: A screenshot of an article Anttila published in February 2020 about developing crypters.

Underground forums are another source for actors to find free malware crypters. For example, in March 2018, the actor Lexus™ aka Cyaxares007 offered free access to the Cassandra Protector malware crypter on the Hack Forums underground forum with a premium version available for an additional cost. However, the thread became inactive a few months later. On March 28, 2023, the actor KuroCracks offered access to the same project on the Cracked forum. Both threads attracted dozens of interested users, likely due to the availability at no cost.

Figure 3: A screenshot of the login page of the Cassandra Protector malware crypter.

Additionally, we observed a variety of posts on underground forums where users publicly shared links to crypters available on GitHub. For instance, on Oct. 24, 2022, the actor Xelum shared a link to Lime Crypter and dozens of users thanked the author for the share. On May 20, 2024, the actor FloodIt shared a link to the actor’s Python crypter PyCrypter, which also is available on GitHub. Multiple users reacted positively and left favorable reviews, with the most recent review dated June 26, 2024.

Private Crypters and Malware Crypting as a Service

Most actors prefer to sell their crypters for a profit. We have observed dozens of malware crypters advertised in the underground over the years. However, only a few remain operational.

Sampling of Malware Crypters

(Note: This list is not exhaustive but encompasses some crypters advertised in 2024 and prior.)

| Crypter name | Forum(s) advertised on | Developer(s) | Encryption type | Support | FUD, bypass claims | Price (USD) |
|---|---|---|---|---|---|---|
| No specific name | Cracked | 0xcrypted | Polymorphic | .NET files compatible with x64 and x86 architectures | Microsoft SmartScreen, Microsoft Defender (cloud + runtime), browser alerts (Chrome direct download of an .exe file) | $100/file; $700/week; $2,500/month |
| No specific name | Exploit | memory_lost | Polymorphic | Native 32-bit and 64-bit dynamic link library (.dll) and executable (.exe) files | Bypassing SmartScreen | $100/crypt; $5,000/month |
| Horus Protector | Cracked | Old_Deep and Horus Protector | Polymorphic | .NET files compatible with x64 and x86 architectures | Evading runtime detection | Unknown |
| DeathCrypter | Hack Forums | DeathDealer | Polymorphic | .NET payloads with x32 and x64 architectures | Evading scantime detection, bypassing Windows Defender at runtime, AMSI | $250/month unlimited |
| Private Protector | Exploit | ImComplexed | Polymorphic | .NET files compatible with x32 and x64 architectures | UAC bypass for Windows 10, very long FUD time, anti-memory dump | $1,000/single crypt; $2,500/month, one stub at a time; $6,000/month, two stubs at a time |
| VIP Crypt | Exploit | mrlapis | Polymorphic | 84-bit .exe and .dll files | AVG, Avast, Emsisoft, Ikarus in runtime; Windows Defender FUD | $500/week |
| ASMCrypt | Exploit | o1oo1 | Polymorphic | .NET files compatible with x64 and x86 architectures | Very long FUD time, bypassing Windows Defender, cloud in scantime, runtime, bypassing SmartScreen, Google Chrome | $3,0000/month |
| EchoCrypt | Cracked | N1k7 | N/A | N/A | Encrypts .exe files with conversion to .dll; claimed evasion of Microsoft Defender, Kaspersky, AVAST, Tencent, 360 Total Security and other AV engines and EDRs | 1 x .exe crypting: $20; 1 x .dll crypting: $40; .exe to .dll conversion included |
| Cryptli | Exploit, XSS | cryptl1 | N/A | N/A | Crypts .exe files; claimed bypass of Microsoft Defender, Google Chrome, cloud-based solutions | Standard: $30; Unique: $60; Private: $100; Trusted FTP domain: $20 |
| Rust Crypt | RAMP | wockstar | Metamorphic | .NET files | FUD at scantime, four of 21 detections at runtime, claimed detection by BitDefender, Comodo, ESET, Kaspersky | N/A |

Among the malware crypting services advertised prior to 2024, the following sections highlight those the actors ImComplexed, memory_lost, mrlapis and o1oo1 provided.

On July 10, 2020, ImComplexed posted on the Exploit forum to promote the actor’s malware crypting service Private Protector. The actor claimed, “We are here to offer the best crypter in the market. If you are looking for professional service, well-maintained crypter, and best Scantime/Runtime results you can get, then you’re in the right place.” The actor’s crypting tool supports Windows .exe files for both x64 and x86 architectures, as well as Advanced RISC Machine (ARM) architecture files. The actor offers four options for a one-month subscription to the service. All packages allegedly include unrestricted code obfuscation, and the number of subscribers is limited.


Since its launch in 2020, a large number of underground actors have favored the Private Protector malware crypting service, including malware-as-a-service (MaaS) providers, trojan operators and ransomware actors associated with the Conti, Egregor, Mount Locker, Quantum and Hive groups. The actor regularly posts updates to the crypter, with the most recent activity on July 12, 2024. The actor's underground activity is limited to a single thread promoting the crypter.

Figure 5: A screenshot of the actor ImComplexed’s Telegram channel highlighting the Private Protector malware crypting offering as of July 19, 2024.

Malware Crypting by memory_lost

The actor memory_lost aka CrackingCore, donovanranda, galenkane, hhuyys, Muricélago, Matthew_Haig, Orland99, ozrior, salsa20, ГоловаРукиЖивот operated a malware crypting service from Jan. 23, 2021, until the individual’s apprehension in June 2024. The actor charged US $100 per encrypted file — significantly more than the average market price. The service supported native 32-bit and 64-bit .dll and .exe files. Additionally, the actor offered to rent out automated file encryption for US $5,000 per month and delivered encrypted files to customers via file transfer protocol (FTP).

The actor allegedly encrypted multiple ransomware variants for customers in the past. On Oct. 10, 2021, the actor claimed to have successfully encrypted BlackMatter, Conti, LockBit and REvil ransomware builds. The actor occasionally provided technical support to the actor psevdo, who we reported was the coder behind the SystemBC malware, which was recently targeted in a large law enforcement action led by the European Union Agency for Law Enforcement Cooperation (Europol). Several public disputes claimed memory_lost used multiple publicly available software engines to provide the crypting service and likely modified them to remain operational.

On June 12, 2024, the Cyber Police of Ukraine released a statement that confirmed the apprehension of a Ukrainian individual who allegedly provided a malware crypting service using the handle memory_lost on hacker forums.

Assessment

Like many products and services available in the underground, malware crypting services are a crucial aspect of the cybercriminal landscape. The extensive use of crypters in the cybercrime ecosystem reflects the ongoing advances in security technologies, which continually drive demand for these tools. However, the market for crypting services remains intensely competitive and shrouded in secrecy.

Our review of newly advertised services in 2024 shows there is no sign of a decline in the volume of offers within the underground market. While some advertisements fail to attract attention, others successfully carve out a niche and position themselves for future client acquisition. Our analysis revealed some actors promote their offers under multiple aliases to increase visibility. Additionally, we observed numerous instances of competition among these actors, with some employing negative commentary to tarnish the reputations of competitors. Maintaining a positive reputation is crucial for sellers who wish to remain in business over the long term.

Reflecting further on trends observed prior to 2024, an examination of these services revealed the activities of numerous leading malware encryption providers. Some of these providers have been active in the industry for years, catering to well-known figures in the underground. These services vary not only in the sophistication of their products, but also in their pricing, with some providers charging thousands of dollars per month. Despite the high costs, these services remain in strong demand — particularly among the most infamous malware operators. We also observed many top-tier encryption providers are cautious and limit their underground activities to discussions about their services.

We assess with high confidence the cybercrime market related to crypter activity will continue to expand in the coming years and likely see both an increase in the number of service providers and a surge in customer demand.