Researchers warning: ARCrypter ransomware is spreading worldwide
by Tina Siering
What is currently known about the new ARCrypter ransomware?
The new ARCrypter ransomware first appeared in August 2022, when hackers attacked a government agency in Chile, compromising both Linux and Windows systems. The malware encrypted the organization's data and added the extension ".crypt" to the file names.
At the time, Chilean threat analyst Germán Fernández said the ARCrypter ransomware strain appeared to be completely new and unrelated to any known ransomware family. Researchers from Canadian software vendor Blackberry confirmed this statement in a recent report, linking the ransomware to a second attack: a cyberattack on the Colombian Institute for Food and Drug Control (Invima) in October 2022. Since the string "ARC" was found in all samples analyzed, Blackberry researchers simply named the ransomware variant "ARCrypter."
Blackberry warned that the actors behind ARCrypter are spreading their activities to countries outside Latin America and targeting organizations around the world, for example in China and Canada. Technology news platform Bleeping Computer confirmed this expansion and sees more ARCrypter victims in Germany, France and the US. The ransom demands vary and in some cases are as low as $5,000, so ARCrypter can be considered a medium-sized ransomware actor.
How the new ARCrypter ransomware works
After analyzing samples from the first ARCrypter attack, Blackberry security researchers found out something surprising: While victims of other ransomware variants are usually confronted with a ransom demand only after file encryption, victims of an ARCrypter compromise receive the ransom demand even before encryption. This approach is highly unusual, as it carries the risk of exposing the encryption process before it completes. The message with the ransom demand and the credentials for the attackers' login page is contained in a text file called "readme_for_unlock.txt". After delivery, the dropper places two batch scripts and the main payload, the encrypter, on the system.
During their investigation, the security researchers discovered two AnonFiles URLs that allow downloading "win.exe" and "win.zip". The "win.zip" file is a password-protected archive that contains the "win.exe" file - a dropper file. It is important to note that AnonFiles offers anonymous file upload, where the attacker's IP address is hidden. This method of file distribution is preferred by many threat actors. However, it is unclear whether this particular method was used by the cybercriminals behind ARCrypter or another actor.
First stage: Dropper
Upon a more in-depth analysis of the dropper file "win.exe", the researchers found that it contains two interesting resources: BIN and HTML. While the HTML resource stores the content of the ransomware, the BIN resource contains the encrypted data. To decrypt the BIN resource, the dropper expects an argument "-p" followed by a password.
Once the password is provided, the dropper proceeds by creating a directory with a random alphanumeric name. The purpose of this newly created directory is to store the second-stage payload. This second payload is most likely the ARCrypter ransomware itself.
To delete the dropper, two batch files are created. The first batch file terminates the dropper process, overwrites the original file and executes the second batch file. The second batch file removes the first batch file from the system and itself remains.
Second stage: Payload
After execution, the malware continues by establishing persistence: it runs the reg.exe process to add a registry key whose value is the path to the malware. Moreover, it modifies two registry keys that are used to display the date. Finally, it silently deletes all volume shadow copies.
Since ARCrypter also targets all network drives mapped on the system, the malware uses a command to make sure that they remain connected while it runs. While ARCrypter ransomware encrypts most widely used file types, it avoids encrypting files in certain critical locations of the target system to prevent system failures.
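The behaviours described in the two stages above (ransom note dropped before encryption, ".crypt" extension on encrypted files, reg.exe persistence, shadow copy deletion) can be turned into a simple behavioural detection. The following Python script is an added example, not code from Blackberry, Allgeier secion or the malware author; it runs over a constructed list of Sysmon-style process and file events. Two details are assumptions, because the article does not name them: that shadow copies are deleted with vssadmin or wmic, and that the persistence key is a Run key.

```python
"""Behavioural detection for the ARCrypter traits described in the article.

Added example, not the vendor's or the researchers' code. Input is a list of
constructed Sysmon-style events:
  {"type": "process", "image": ..., "parent": ..., "cmdline": ...}
  {"type": "file",    "image": ..., "path": ...}
"""
import re
from collections import defaultdict

RANSOM_NOTE = "readme_for_unlock.txt"   # file name from the article
ENCRYPTED_EXT = ".crypt"                # extension from the article
MASS_RENAME_THRESHOLD = 5               # constructed threshold for "mass encryption"

# ASSUMPTION: the article only says shadow copies are deleted; these are the
# usual command lines for doing so and are not taken from the page.
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)
# ASSUMPTION: persistence via reg.exe writing a Run key (the page names reg.exe
# and "the path to the malware" as the value, but not the key).
RUN_KEY_ADD = re.compile(
    r"\breg(\.exe)?\s+add\s+\"?HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b",
    re.I)


def basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of (finding, process_image) tuples for the event stream."""
    findings = []
    crypt_writes = defaultdict(int)   # per writer: number of .crypt files created
    note_seen_at = {}                 # per writer: index of first ransom note write
    first_crypt_at = {}               # per writer: index of first .crypt write
    for idx, ev in enumerate(events):
        if ev["type"] == "process":
            cmd = ev.get("cmdline", "")
            if SHADOW_DELETE.search(cmd):
                findings.append(("shadow_copy_deletion", ev["parent"]))
            if RUN_KEY_ADD.search(cmd):
                findings.append(("run_key_persistence", ev["parent"]))
        elif ev["type"] == "file":
            name = basename(ev["path"])
            writer = ev["image"]
            if name == RANSOM_NOTE:
                findings.append(("ransom_note_dropped", writer))
                note_seen_at.setdefault(writer, idx)
            elif name.endswith(ENCRYPTED_EXT):
                crypt_writes[writer] += 1
                first_crypt_at.setdefault(writer, idx)
                if crypt_writes[writer] == MASS_RENAME_THRESHOLD:
                    findings.append(("mass_crypt_extension", writer))
    # The ARCrypter-specific trait: the note appears before any file is encrypted.
    for writer, note_idx in note_seen_at.items():
        if writer in first_crypt_at and note_idx < first_crypt_at[writer]:
            findings.append(("note_before_encryption", writer))
    return findings


def is_likely_ransomware(events, min_distinct=3):
    """True when at least `min_distinct` different finding kinds are present."""
    return len({kind for kind, _ in analyze(events)}) >= min_distinct


# Constructed sample: a payload in a random-named temp directory (hypothetical path).
PAYLOAD = r"C:\Users\alice\AppData\Local\Temp\k3f9a2\payload.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\reg.exe", "parent": PAYLOAD,
     "cmdline": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                r'/v upd /t REG_SZ /d "' + PAYLOAD + '" /f'},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe", "parent": PAYLOAD,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file", "image": PAYLOAD, "path": r"C:\Users\alice\Desktop\readme_for_unlock.txt"},
] + [
    {"type": "file", "image": PAYLOAD, "path": rf"C:\Users\alice\Documents\report{i}.docx.crypt"}
    for i in range(6)
]
BENIGN_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "file", "image": r"C:\Windows\System32\notepad.exe",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for finding, image in analyze(SAMPLE_EVENTS):
        print(f"{finding:24s} {image}")
    print("verdict:", is_likely_ransomware(SAMPLE_EVENTS))
```

The ordering check is the part worth keeping even if the command-line patterns change: a process that writes a ransom note and only afterwards starts producing files with a new extension is the specific sequence the researchers observed, and catching it at the note stage gives the responder a window before encryption finishes.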
Protection against ARCrypter ransomware
1. Endpoint protection
Endpoints such as laptops, smartphones and workstations are particularly popular targets for cybercriminals. Therefore, it is advisable to protect endpoints with an Endpoint Protection Platform (EPP). EPP solutions block known file-based malware at the point of entry and provide preemptive threat protection using built-in security mechanisms as well as signature-based malware defenses.
2. Managed detection and response (MDR) solution
However, if cybercriminals have successfully planted and activated malware on a network, a managed detection and response (MDR) solution such as Allgeier secion's Active Cyber Defense (ACD) service can help. By proactively and continuously scanning the corporate network for potential attack activity, MDR solutions can detect malicious command-and-control (C2) server communications early on. If your system has been compromised, Allgeier secion's ACD team will inform you immediately if action is required, so that countermeasures can be taken in time to prevent damage.
The 24/7 service monitors all systems in your network: not only desktops, servers and workstations, but also notebooks, mobile devices as well as printers, IoT, ICS and BYOD. No installation of agents on clients is required to use the ACD service. Instead, a network-level check takes place to see whether your systems are communicating with C2 servers, for example.
3. Incident Response (IR) Readiness
A comprehensive incident response readiness strategy prepares you optimally for an emergency. Should the worst case scenario occur, IR readiness gives you the necessary resources and competencies to manage a security incident with confidence. A defense strategy tailored to your company puts you in a position to identify signs of a cyber attack early on and respond to them quickly. Allgeier secion's cyber security consultants review your existing IR readiness strategy and help you provide the necessary tools to easily manage a security incident.
Recent analysis shows that the new ARCrypter ransomware poses an additional security threat worldwide. German organizations must also expect to become targets of the attackers. Anyone who wants to protect themselves from data encryption and ransomware should start thinking about a comprehensive cyber security strategy now.
Effective cyber threat hunting tools play an important role in this process, enabling proactive hunting of cyber criminals and tracking down compromised systems. A managed detection and response (MDR) solution such as Allgeier secion's Active Cyber Defense (ACD) service helps detect attack activity that established protection tools would miss. Experienced IT security analysts monitor your IT infrastructure 24/7; suspicious cases are immediately identified and reported to your IT team if action is required. If you are then able to initiate appropriate incident response measures in good time, you have as good as won the race against the attackers.