CyberSecurity SEE

ARCrypt Ransomware Utilizes Fresh Strategies for Victim Targeting

A new form of ransomware called ARCrypter, also known as ChileLocker, has been discovered by researchers at Cyble Research and Intelligence Labs (CRIL). This variant of ransomware has been actively targeting organizations worldwide since August 2022. What sets ARCrypter apart from other ransomware attacks is its unique approach: instead of using a leak site to release stolen data, the hackers behind ARCrypter have taken a different route.

The hacker group responsible for ARCrypter has mainly focused on targeting Windows and Linux operating systems. Throughout 2022 and the first half of 2023, the ARCrypter ransomware has been constantly evolving. Recently, CRIL researchers identified a new Linux variant of ARCrypter developed using the Go programming language. Additionally, they discovered an updated version of the ARCrypt Windows executable that had been circulating in the wild for around 2-3 months.

One of the ways in which ARCrypter has evolved is in its communication methods. The updated version of the ransomware now utilizes multiple binaries, each with its own ransom note pointing to a mirror site. Furthermore, the threat actor behind ARCrypter has created dedicated chat sites on Tor for each victim, rather than using a single chat site for all victims. In some cases, victims were instructed to reach out via Tox using a specific username. The threat actor also offered a discount to victims who paid the ransom in the cryptocurrency Monero.

The analysis of multiple ARCrypter ransomware binaries has provided insights into its communication methods and execution. Unlike earlier versions, the updated variant directs victims to different Tor sites, known as mirror sites, for communication. Each victim receives specific login credentials associated with the Tor site mentioned in their ransom note, indicating that the threat actor creates dedicated sites for each victim. When executed, the ransomware copies itself to the %TEMP% directory with a random alphanumeric filename.

Apart from its communication methods, the ARCrypter ransomware also exhibits specific behaviors that differentiate it from previous versions. It terminates processes and turns off anti-malware, backup, and recovery services, suggesting a focus on targeting servers. Additionally, the ransomware terminates certain Endpoint Detection and Response (EDR) solutions to avoid detection.

While ARCrypter has undergone several updates, it is still written in the same programming language as before. It utilizes the RegCreateKeyA API to open registry keys under HKEY_LOCAL_MACHINE and the RegSetValueExA API to set values for specific keys, including “legalnoticecaption” and “legalnoticetext” in the key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System”.
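The three host-level behaviours the article describes (a copy of the binary dropped into %TEMP% under a random alphanumeric name, anti-malware, backup and recovery services being stopped, and the logon-banner values under Policies\System being rewritten) are each weak signals on their own but strong together. The following added example, which is not code from the article or from CRIL, shows how a defender might correlate them per host over EDR- or Sysmon-style events. The event layout, the sample events, the service watchlist (WinDefend, VSS, wbengine, SDRSVC, swprv are real Windows service names, but the article does not say which services ARCrypter stops) and the 8-20 character "random name" heuristic are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article), shaped like
# process-creation, registry-set and service-control events from an EDR/Sysmon feed.
SAMPLE_EVENTS = [
    {"host": "srv01", "type": "process_create",
     "image": r"C:\Windows\Temp\q8Lz2VxK7mPd.exe"},
    {"host": "srv01", "type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption"},
    {"host": "srv01", "type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext"},
    {"host": "srv01", "type": "service_stop", "service": "VSS"},
    {"host": "srv01", "type": "service_stop", "service": "WinDefend"},
    {"host": "srv01", "type": "service_stop", "service": "wbengine"},
    {"host": "ws02", "type": "process_create",
     "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"host": "ws02", "type": "service_stop", "service": "Spooler"},
    {"host": "ws02", "type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

# Heuristic (assumption): an .exe launched from a Temp folder whose basename is
# 8-20 alphanumeric characters, matching the random-filename behaviour described.
TEMP_RANDOM_EXE = re.compile(r"\\Temp\\[A-Za-z0-9]{8,20}\.exe$", re.IGNORECASE)

# The two logon-banner values the article reports being set under Policies\System.
LOGON_BANNER_VALUES = re.compile(
    r"\\Policies\\System\\legalnotice(caption|text)$", re.IGNORECASE)

# Assumed watchlist of anti-malware / backup / recovery service names (lower-cased).
PROTECTIVE_SERVICES = {"windefend", "vss", "wbengine", "sdrsvc", "swprv"}


def classify(event):
    """Map one event to a finding label, or None if it is benign under these rules."""
    kind = event["type"]
    if kind == "process_create" and TEMP_RANDOM_EXE.search(event["image"]):
        return "temp_random_exe"
    if kind == "registry_set" and LOGON_BANNER_VALUES.search(event["target"]):
        return "logon_banner_modified"
    if kind == "service_stop" and event["service"].lower() in PROTECTIVE_SERVICES:
        return "protective_service_stopped"
    return None


def findings_by_host(events):
    """Collect distinct finding labels per host, in first-seen order."""
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label and label not in per_host[ev["host"]]:
            per_host[ev["host"]].append(label)
    return dict(per_host)


def flagged_hosts(events, min_findings=2):
    """Hosts showing at least `min_findings` distinct behaviours; any one alone is noisy."""
    return sorted(h for h, f in findings_by_host(events).items() if len(f) >= min_findings)


if __name__ == "__main__":
    for host, labels in findings_by_host(SAMPLE_EVENTS).items():
        print(host, labels)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Requiring two or more distinct behaviours per host is what keeps this usable: a stopped VSS service or an edited logon banner occurs legitimately during maintenance, but the combination with a random-named executable running out of Temp is much rarer. On a real feed the regexes would be run against the image path and registry object fields of the actual event schema, and the watchlist extended with the EDR and backup products in use.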

The updated variant of ARCrypter ransomware introduces a new ransom note that differs significantly from the older version. The threat actor behind ARCrypter is actively trying to evade detection and maintain anonymity by implementing various changes, such as updating the ransomware binary, incentivizing payments in Monero, avoiding extortion through leak sites, and creating separate communication channels for each victim.

These adaptations indicate that the attacker is continuously refining their tactics to reduce the risk of exposure. By implementing these measures, the threat actor aims to enhance their level of anonymity and increase the success of their ransomware operations.

It is important to note that this report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users are solely responsible for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
