Researchers at Cyble Research and Intelligence Labs (CRIL) have found a new variant of the ARCrypter ransomware, also known as ChileLocker. ARCrypt ransomware was first observed in August 2022 and has targeted organizations globally.
Unlike most threat actors, who operate a leak site to publish stolen data, the hackers behind ARCrypter ransomware have moved away from this method.
The group has also been involved in various attacks, using ARCrypter ransomware against both Windows and Linux operating systems.
Over the years, the ARCrypter ransomware has continued to evolve. Earlier in 2023, researchers uncovered a new Linux variant of ARCrypter, written in the Go programming language.
Researchers from CRIL also discovered a revised version of the ARCrypt Windows executable, which had previously been observed in the wild. According to the Cyble report, this particular version of ARCrypt ransomware has been active for around 2-3 months.
Understanding the evolving nature of ARCrypt ransomware
The updated version of ARCrypt ransomware diverges from its predecessor in several ways.
Unlike before, when a single chat site on Tor was used for all victims, the new variant employs multiple binaries, each with its own ransom note pointing to a different mirror site. The threat actor (TA) goes further by creating a dedicated chat site on Tor for each victim.
In one case, the TA instructed victims to reach out via Tox using a specific username. Interestingly, the TA also offered a discount to a victim who paid the ransom in the cryptocurrency Monero. Additionally, the ARCrypt ransomware now uses the “.crYpt” extension and features an updated ransom note.
The analysis of multiple ARCrypt ransomware binaries has revealed interesting findings about its communication methods and execution. Unlike its older variant, the updated version directs victims to different Tor sites, known as mirror sites, for communication.
Each victim receives specific login credentials associated with the Tor site mentioned in their ransom note, indicating that the threat actor creates dedicated sites for each victim. When executed, the ransomware copies itself to the %TEMP% directory with a random alphanumeric filename.
It terminates processes and turns off anti-malware, backup, and recovery services, suggesting a focus on targeting servers. The ransomware also terminates certain Endpoint Detection and Response (EDR) solutions to avoid detection.
Is ARCrypt ransomware the same strain from 2022?
ARCrypt ransomware has continued to adapt, and its operators have adopted new techniques to hinder detection. Although the ransomware has been updated, it is still written in the same programming language as before.
In terms of artifacts, the ARCrypt ransomware uses the RegCreateKeyA API to create or open registry keys under HKEY_LOCAL_MACHINE.
It uses the RegSetValueExA API to set values for specific keys, including “legalnoticecaption” and “legalnoticetext” under the key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System”.
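The host artifacts described above (the copy dropped into %TEMP% under a random alphanumeric name, the “.crYpt” extension, and the writes to “legalnoticecaption” and “legalnoticetext”, which control the notice Windows shows before sign-in) are the kind of signals a detection engineer would correlate. The following is an added example, not code from Cyble or from the report, that runs three such rules over constructed Sysmon-style events (EventID 11 for file creation, EventID 13 for registry value set) and only raises an alert when two or more distinct rules fire for the same process image. The event fields, paths and filenames are all made up for the example, and the random-name heuristic is an assumption, not a rule from the report.

```python
"""Correlate ARCrypt-style host artifacts across Sysmon-style events (added example)."""
import re

# Constructed sample events, not real telemetry. Field names follow Sysmon's
# EventID 11 (FileCreate) and EventID 13 (RegistryEvent: value set) schema.
TEMP_EXE = "C:\\Users\\alice\\AppData\\Local\\Temp\\k7Qz2pLm9xB.exe"
POLICIES = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "TargetFilename": TEMP_EXE},
    {"EventID": 13, "Image": TEMP_EXE, "TargetObject": POLICIES + "\\legalnoticecaption"},
    {"EventID": 13, "Image": TEMP_EXE, "TargetObject": POLICIES + "\\legalnoticetext"},
    {"EventID": 11, "Image": TEMP_EXE, "TargetFilename": "D:\\Shares\\finance\\Q3.xlsx.crYpt"},
    # Benign noise: an installer writing a temp file under a readable name, and a
    # system process writing an unrelated value under the same Policies key.
    {"EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\MSI3F2A.tmp"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": POLICIES + "\\EnableLUA"},
]

# Executable dropped directly into a user or system Temp directory.
TEMP_EXE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\([A-Za-z0-9]+)\.(?:exe|dll)$", re.IGNORECASE)
# The two logon legal-notice values under the Policies\System key.
LEGAL_NOTICE_RE = re.compile(r"\\Policies\\System\\legalnotice(?:caption|text)$", re.IGNORECASE)


def random_temp_executable(path: str) -> bool:
    """Heuristic (assumption): an executable in Temp whose stem is at least eight
    alphanumeric characters mixing letters and digits looks machine-generated."""
    match = TEMP_EXE_RE.search(path)
    if not match:
        return False
    stem = match.group(1)
    return (len(stem) >= 8
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def legal_notice_write(target_object: str) -> bool:
    """True when the registry target is legalnoticecaption or legalnoticetext."""
    return LEGAL_NOTICE_RE.search(target_object) is not None


def crypt_extension(path: str) -> bool:
    """True for files carrying the .crYpt extension (compared case-insensitively)."""
    return path.lower().endswith(".crypt")


def evaluate(events):
    """Return (rule, suspect_image) pairs. A Temp drop is attributed to the dropped
    file rather than the dropper, because later events name the dropped file as Image."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            if random_temp_executable(target):
                findings.append(("temp_random_executable", target))
            if crypt_extension(target):
                findings.append(("crypt_extension_written", ev["Image"]))
        elif ev.get("EventID") == 13 and legal_notice_write(ev.get("TargetObject", "")):
            findings.append(("legal_notice_registry_write", ev["Image"]))
    return findings


def correlate(findings):
    """Group distinct rule hits by process image."""
    by_image = {}
    for rule, image in findings:
        by_image.setdefault(image, set()).add(rule)
    return {image: sorted(rules) for image, rules in by_image.items()}


def suspicious_images(events, min_rules=2):
    """Images for which at least min_rules distinct rules fired; a single hit
    (one temp executable, one registry write) is too noisy to alert on alone."""
    return {image: rules for image, rules in correlate(evaluate(events)).items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    for image, rules in suspicious_images(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: {', '.join(rules)}")
```

In a real deployment the same rules would run over forwarded Sysmon or EDR telemetry rather than an inline list, and the threshold in `suspicious_images` is the knob to tune: the legal-notice values are also set legitimately by Group Policy, and installers routinely drop files into Temp, so only the combination is worth paging on.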
The updated ARCrypt ransomware employs multiple communication sites, individualized login credentials, and targeted attack techniques.
It utilizes resource-intensive encryption processes, terminates processes and services, and uses registry keys to establish persistence on infected systems.
The updated variant of ARCrypt ransomware introduces a new ransom note that differs significantly from the older version. The TA behind the ransomware is trying to evade detection and maintain anonymity. Changes include:
- Updating the ransomware binary.
- Incentivizing payments in Monero.
- Avoiding extortion through leak sites.
- Creating separate communication channels for each victim.
These adaptations suggest that the attacker is actively refining their tactics to reduce the risk of exposure. By implementing these measures, the threat actor aims to enhance their level of anonymity and increase the success of their ransomware operations.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.