A new ransomware family dubbed "ARCrypter" has begun expanding its operations worldwide. It was first identified by Chile's National Computer Security and Incident Response Team in August, when it was found in an attack on a Chilean government entity and assessed to be a previously unseen ransomware family. Researchers at BlackBerry have since tied the same family to a second attack, against Colombia's National Food and Drug Surveillance Institute, and to operations targeting entities in the United States, Canada, Germany, France, and China. Ransom demands fluctuate, with some as low as $5,000.
The initial attack vector in the campaigns using this ransomware remains unknown. However, the BlackBerry researchers identified two "AnonFiles" URLs used to fetch a "win.zip" archive containing a "win.exe". When executed, the file drops a BIN and an HTML resource. The HTML holds the ransom note, while the BIN holds password-encrypted data; when the correct password is supplied, the dropper creates a randomly named directory to store the second-stage payload, which is assessed with a high degree of confidence to be the ARCrypter ransomware. The ransomware then establishes persistence by adding the following registry key:
Following this, the malware deletes all volume shadow copies, modifies network settings, and encrypts the majority of files on the victim host, skipping critical directories such as "Boot" and "Windows". Encrypted files are renamed with the ".crypt" extension. The malware also displays the message "ALL YOUR FILES HAS BEEN ENCRYPTED" in place of the system's short date format (so it appears wherever Windows renders a date, such as the "Date modified" column in Explorer) by modifying the following registry values:
- HKLM\SYSTEM\ControlSet001\Control\CommonGlobUserSettings\Control Panel\International\sShortDate
- HKCU\Control Panel\International\sShortDate
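The two sShortDate values above are a cheap host-level indicator: a legitimate value is a format string such as "M/d/yyyy", never a sentence. The following PowerShell audit script is an added example written for this page, not code from BlackBerry or the original report; the format-string regex, the assumed clean default of "M/d/yyyy", and the -Restore switch are this example's own choices and should be adjusted to your locale and change-control process.

```powershell
# Added example: audit the sShortDate values ARCrypter is reported to tamper with.
# A genuine Windows short-date pattern contains only format letters (d, M, y, g),
# separators, spaces and literal-quoting characters; a ransom message does not.
[CmdletBinding()]
param(
    [switch]$Restore,               # rewrite a clean format string when tampering is found
    [string]$Default = 'M/d/yyyy'   # assumed clean value for en-US; change for other locales
)

# Keys named in the report. ControlSet001 is kept as written; on most hosts
# CurrentControlSet resolves to it, but verify on the system being examined.
$targets = @(
    'HKLM:\SYSTEM\ControlSet001\Control\CommonGlobUserSettings\Control Panel\International',
    'HKCU:\Control Panel\International'
)

# Allowed characters for a short-date format string (assumption for this example).
$validPattern = '^[dMyg/\-. ,''\\]+$'

$findings = foreach ($key in $targets) {
    if (-not (Test-Path -Path $key)) { continue }

    $value = (Get-ItemProperty -Path $key -Name sShortDate -ErrorAction SilentlyContinue).sShortDate
    if ($null -eq $value) { continue }

    $tampered = $value -notmatch $validPattern

    [PSCustomObject]@{
        Key        = $key
        sShortDate = $value
        Tampered   = $tampered
    }

    if ($tampered -and $Restore) {
        # Only restore after the host has been contained and evidence captured.
        Set-ItemProperty -Path $key -Name sShortDate -Value $Default
        Write-Warning "Restored $key\sShortDate from '$value' to '$Default'"
    }
}

$findings | Format-Table -AutoSize

# Exit non-zero when any tampered value was seen, so the script can be used from a scheduled job.
if ($findings | Where-Object { $_.Tampered }) { exit 1 } else { exit 0 }
```

Run it as an administrator to read the HKLM value. The HKCU check only covers the user running the script; to cover other profiles, load or enumerate the per-user hives under HKU:\ and check the same relative path. Treat a hit as a trigger to look for the ".crypt" extension and missing shadow copies rather than as proof on its own, since the value could also have been changed by a misconfigured policy.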
While the operators claim to steal data in these attacks, the ransomware operation does not currently have a data leak site. Little is known about the operation's origin, language, or links to other ransomware operations.