A novel ransomware dubbed “ARCrypter” has begun expanding its operations worldwide. The ransomware was first identified by Chile’s National Computer Security and Incident Response Team in August when it was found in an attack on a Chilean government entity. The ransomware was assessed to be a new ransomware family. Now, researchers at BlackBerry have confirmed that this family has been tied to a second attack against the Colombia National Food and Drug Surveillance Institute as well as expanding operations to target various entities in the United States, Canada, Germany, France, and China. The ransom demands fluctuate, with some ransoms being as low as $5,000.
The initial attack vector in the campaigns where this ransomware has been used remains unknown. However, the researchers at BlackBerry identified two “AnonFiles” URLs that are used to fetch a “win.zip” archive containing a “win.exe”. When executed, the file drops a BIN and an HTML resource. The HTML resource holds the ransom note, while the BIN resource holds password-encrypted data; when the password is supplied, a randomly named directory is created to store the second-stage payload, which is assessed with a high degree of certainty to be the ARCrypter ransomware. The ransomware then creates persistence by adding the following registry key:
Following this, the malware deletes all shadow volume copies, modifies network settings and encrypts the majority of files on the victim host, skipping over critical directories such as “Boot” and “Windows”. All files are renamed with the “.crypt” extension, and the message “ALL YOUR FILES HAS BEEN ENCYPTED” is shown within the “date” field – this was done through a modification to the following registry keys:
- HKLM\SYSTEM\ControlSet001\Control\CommonGlobUserSettings\Control Panel\International\sShortDate
- HKCU\Control Panel\International\sShortDate
While claiming to steal data in these attacks, the ransomware operation does not currently have a data leak site. Little is known regarding the operation’s origin, language, or links to other ransomware operations.
As time goes on, more and more novel ransomware families are surfacing, each with its own set of tactics. While this is a new family of ransomware, the techniques it uses are relatively standard. Numerous detection capabilities around this ransomware exist, many of which are likely already employed by organizations. For one, many organizations already run queries to detect the “.crypt” file extension. Other detection opportunities include monitoring value additions to the “Run” registry key as well as changes to the two “sShortDate” registry keys. Additionally, it may be beneficial to monitor DNS requests to AnonFiles, as files hosted on this site are often malicious.
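To make the detection opportunities above concrete, the following is an added example (not code from the original article or from BlackBerry) that applies the four indicators discussed here to a batch of endpoint telemetry: a burst of “.crypt” file creations from one process, a value written under the “Run” key, writes to either “sShortDate” key, and DNS queries for anonfiles.com. The input is a constructed, simplified stream of Sysmon-like events (EventID 11 = FileCreate, 13 = RegistryValueSet, 22 = DnsQuery) held as Python dicts; the field names follow Sysmon, but the events, file paths, SID and the burst threshold are all made up for this demonstration.

```python
"""Detection logic for the ARCrypter indicators described in the article.

Added example only. Events are constructed, simplified Sysmon-like records:
EventID 11 (FileCreate), 13 (RegistryValueSet), 22 (DnsQuery).
"""
import re
from collections import defaultdict

# Registry paths called out in the article. Sysmon reports HKCU paths under
# HKU\<SID>\..., so the Run and sShortDate patterns match on the key suffix
# rather than the hive. Matching is case-insensitive.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SHORTDATE_RE = re.compile(r"\\Control Panel\\International\\sShortDate$", re.I)
# Matches anonfiles.com and any subdomain of it.
ANONFILES_RE = re.compile(r"(^|\.)anonfiles\.com$", re.I)

# Number of ".crypt" files written by one process before an alert fires.
# Constructed tuning value, not a figure from the article.
CRYPT_BURST_THRESHOLD = 5


def detect(events):
    """Return a list of (rule, process_image, detail) alerts for a batch of events."""
    alerts = []
    crypt_counts = defaultdict(int)  # per-process count of .crypt file creations

    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "<unknown>")

        if eid == 11:  # FileCreate
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(".crypt"):
                crypt_counts[image] += 1
                # Alert exactly once per process, when the threshold is reached.
                if crypt_counts[image] == CRYPT_BURST_THRESHOLD:
                    alerts.append(("crypt_extension_burst", image,
                                   f"{CRYPT_BURST_THRESHOLD} .crypt files written"))

        elif eid == 13:  # RegistryValueSet
            obj = ev.get("TargetObject", "")
            if RUN_KEY_RE.search(obj):
                alerts.append(("run_key_persistence", image, obj))
            elif SHORTDATE_RE.search(obj):
                alerts.append(("sshortdate_tamper", image,
                               f"{obj} = {ev.get('Details', '')}"))

        elif eid == 22:  # DnsQuery
            query = ev.get("QueryName", "")
            if ANONFILES_RE.search(query):
                alerts.append(("anonfiles_dns", image, query))

    return alerts


# Constructed sample telemetry: a download, persistence, the two sShortDate
# writes, benign explorer.exe activity, and a run of .crypt file creations.
PAYLOAD = r"C:\Users\victim\AppData\Local\Temp\x9q2\payload.exe"  # constructed path
SID = r"HKU\S-1-5-21-0-0-0-1001"  # constructed SID
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Users\victim\Downloads\win.exe", "QueryName": "anonfiles.com"},
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe", "QueryName": "example.com"},
    {"EventID": 13, "Image": PAYLOAD,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": PAYLOAD},
    {"EventID": 13, "Image": PAYLOAD,
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\CommonGlobUserSettings\Control Panel\International\sShortDate",
     "Details": "ALL YOUR FILES HAS BEEN ENCYPTED"},
    {"EventID": 13, "Image": PAYLOAD,
     "TargetObject": SID + r"\Control Panel\International\sShortDate",
     "Details": "ALL YOUR FILES HAS BEEN ENCYPTED"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Documents\report.docx"},
] + [
    {"EventID": 11, "Image": PAYLOAD,
     "TargetFilename": r"C:\Users\victim\Documents\file%d.docx.crypt" % i}
    for i in range(6)
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {detail}")
```

Run against the constructed events, the detector raises five alerts: one DNS alert for win.exe, one Run-key alert, two sShortDate alerts and a single “.crypt” burst alert for the payload process, while explorer.exe’s benign file, registry and DNS activity produces nothing. The sShortDate rule fires on any write to either key regardless of the value, since legitimate changes to the short date format are rare and a write from an unexpected process is worth reviewing on its own.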