A new, previously undocumented malware named ARCrypter, which operates as a mid-tier ransomware, is now expanding its attacks worldwide. Since early August it has been targeting organizations across the globe, including in China, Canada, France, Germany, and the U.S.
The latest discovery
BlackBerry researchers discovered that the attackers used two AnonFiles URLs as remote resources for fetching a password-protected zip archive containing an executable dropper file.
- The executable file contains a resource named BIN that holds the encrypted (password-locked) data and an HTML file that holds the ransom note. Once the password is provided, BIN creates a randomly named directory on the compromised device to store ARCrypter as the second-stage payload.
- The ARCrypter payload adds a registry key for persistence and quietly deletes all Shadow Volume Copies to prevent easy data restoration. It further modifies network settings to ensure stable connectivity and then encrypts all files except for some predefined file types (such as .dll, .ini, and more) and critical locations, so as to avoid rendering the system completely unusable.
- The malware appends the ‘.crypt’ extension to encrypted files, and these infected files show an ‘ALL YOUR FILES HAS BEEN ENCRYPTED’ message in the file manager.
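As an added defender-side example, not code from the BlackBerry report or the malware, the following Python triage script scans a directory tree for the two on-disk indicators described above (the ‘.crypt’ extension and the ransom-note wording). The flagging threshold and the sample directory layout are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the description above; the threshold is an assumption.
ENCRYPTED_EXT = ".crypt"
RANSOM_NOTE_MARKER = "ALL YOUR FILES HAS BEEN ENCRYPTED"
MIN_ENCRYPTED_FILES = 3  # constructed value for this demo


def scan_for_arcrypter_footprint(root):
    """Walk `root`, collecting files with the '.crypt' extension and HTML files
    whose body contains the ransom-note marker. Returns a summary dict."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            suffix = path.suffix.lower()
            if suffix == ENCRYPTED_EXT:
                encrypted.append(str(path))
            elif suffix in (".html", ".htm"):
                try:
                    text = path.read_text(errors="ignore")
                except OSError:
                    continue  # unreadable note file: skip rather than abort the scan
                if RANSOM_NOTE_MARKER in text:
                    notes.append(str(path))
    return {
        "encrypted_files": encrypted,
        "ransom_notes": notes,
        "suspicious": len(encrypted) >= MIN_ENCRYPTED_FILES or bool(notes),
    }


def build_sample_tree(infected=True):
    """Constructed sample directory (not real data) imitating a host either
    after an ARCrypter-style infection or in a clean state."""
    root = Path(tempfile.mkdtemp(prefix="arcrypter_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_text("untouched plain file")
    if infected:
        for i in range(4):
            (root / "docs" / f"report{i}.docx{ENCRYPTED_EXT}").write_bytes(b"\x00" * 16)
        (root / "README.html").write_text(f"<html><body>{RANSOM_NOTE_MARKER}</body></html>")
    return root


if __name__ == "__main__":
    result = scan_for_arcrypter_footprint(build_sample_tree())
    print(result["suspicious"], len(result["encrypted_files"]), len(result["ransom_notes"]))
```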
The ransomware operation steals data during attacks; however, it currently has no data leak site on which to publish the data of victims who do not pay. Ransom demands vary and go as low as $5,000 in some cases.
Previous campaigns
Previously, ARCrypter had only targeted key institutions in South America.
- In September, CSIRT Chile reported that malware (later identified as ARCrypter) had attacked Microsoft and VMware ESXi servers operated by a Chilean government agency in August.
- In October, it targeted the Colombia National Food and Drug Surveillance Institute (Invima), which led to a temporary shutdown of the organization's web services.
Conclusion
ARCrypter’s origin and language are unknown, and no links to other ransomware families have been found so far. Despite this, it has demonstrated its capabilities, and its expansion indicates that its operators are capable of launching attacks with wide-reaching effects. Regardless of the name and type of ransomware, users are advised to back up data in advance and employ proper security software to significantly reduce the impact of an attack.