ARCrypter ransomware, also known as ARCrypt, has evolved since 2022 to target Windows and Linux and now uses a Go-based Linux variant. Threat actors rely on victim-specific Tor mirror sites and TOX messaging, while favoring Monero for payments to preserve anonymity and avoid public leak sites. #ARCrypter #ARCrypt #ChileLocker #Monero #Tor #TOX #Go #Linux
Keypoints
- ARCrypt/ARCrypter expanded from Chile to worldwide targets and added a Go-based Linux variant.
- Threat actors create dedicated Tor chat sites and mirror Tor sites for each victim, sometimes guiding victims via TOX profiles.
- Ransom payments are demanded in Monero, whose privacy features hinder transaction tracing; the actors may also offer a discount.
- New variant renames encrypted files with “.crYpt” and introduces a new ransom note compared to the older “.crypt” extension.
- The malware copies itself to %TEMP% under a random 6-character name, runs from that copy, and deletes the original binary.
- It can terminate processes and disable anti-malware, backup, and recovery services, signaling potential server-focused targeting.
- It sets the LegalNoticeCaption and LegalNoticeText registry values (the Windows logon banner, normally under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) so that a ransom message is displayed at logon.
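The keypoints above describe four host-observable behaviours (a random 6-character copy in %TEMP%, self-deletion of the original binary through cmd.exe, the LegalNotice registry change, and the .crYpt/.crypt rename). The following Python is an added detection example, not code from the original report or its authors: it runs those checks over constructed Sysmon-style events (the field names, GUIDs, paths and the assumption that the %TEMP% copy keeps an .exe extension are mine, not from the page) and correlates the `cmd /c DEL` with binaries that already executed, so a routine temp-file cleanup does not fire the self-deletion rule.

```python
import re

# Constructed Sysmon-style events for illustration only (not real telemetry
# and not from the original report). Event IDs follow Sysmon: 1 = ProcessCreate,
# 11 = FileCreate, 13 = RegistryEvent (value set). Fields are flattened.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\Downloads\invoice.exe",
     "CommandLine": r'"C:\Users\bob\Downloads\invoice.exe"'},
    {"EventID": 11, "ProcessGuid": "A1",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\kq7zx2.exe"},
    {"EventID": 1, "ProcessGuid": "A2", "ParentImage": r"C:\Users\bob\Downloads\invoice.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\kq7zx2.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\kq7zx2.exe"},
    {"EventID": 1, "ProcessGuid": "A3", "ParentImage": r"C:\Users\bob\AppData\Local\Temp\kq7zx2.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c DEL "C:\Users\bob\Downloads\invoice.exe"'},
    {"EventID": 13, "ProcessGuid": "A2",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption",
     "Details": "ALL YOUR FILES HAS BEEN ENCRYPTED!"},
    {"EventID": 11, "ProcessGuid": "A2",
     "TargetFilename": r"C:\Users\bob\Documents\report.docx.crYpt"},
    # Benign noise that the rules must not flag: a long-named installer in Temp
    # and a backup agent deleting a log file that never executed.
    {"EventID": 11, "ProcessGuid": "B1",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\setup_installer_7.exe"},
    {"EventID": 1, "ProcessGuid": "B2", "ParentImage": r"C:\Program Files\Backup\agent.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c DEL "C:\Users\bob\AppData\Local\Temp\tmp1234.log"'},
]

# Assumption: the dropped 6-character copy keeps an .exe extension; the report
# only says "random 6-character name in %TEMP%".
TEMP_RANDOM_EXE = re.compile(r"\\Temp\\[A-Za-z0-9]{6}\.exe$", re.IGNORECASE)
CMD_DEL = re.compile(r'^cmd(?:\.exe)?\s+/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
LEGAL_NOTICE = re.compile(r"\\LegalNotice(?:Caption|Text)$", re.IGNORECASE)
# Case-sensitive on purpose: ".crYpt" is the new variant, ".crypt" the older one.
CRYPT_EXT = re.compile(r"\.(crYpt|crypt)$")


def detect(events):
    """Return {rule_name: [detail, ...]} for the ARCrypt behaviours listed in the keypoints."""
    hits = {"TEMP_RANDOM_EXE": [], "SELF_DELETE": [], "LEGAL_NOTICE": [], "CRYPT_EXT": []}
    executed = set()  # lower-cased Image of every ProcessCreate seen so far
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            image = ev["Image"]
            if TEMP_RANDOM_EXE.search(image):
                hits["TEMP_RANDOM_EXE"].append(image)
            m = CMD_DEL.match(ev["CommandLine"])
            # Self-deletion: cmd.exe deleting a binary that already ran in this log.
            if m and m.group(1).lower() in executed:
                hits["SELF_DELETE"].append(m.group(1))
            executed.add(image.lower())
        elif eid == 11:
            name = ev["TargetFilename"]
            if TEMP_RANDOM_EXE.search(name):
                hits["TEMP_RANDOM_EXE"].append(name)
            m = CRYPT_EXT.search(name)
            if m:
                hits["CRYPT_EXT"].append((name, "new" if m.group(1) == "crYpt" else "old"))
        elif eid == 13 and LEGAL_NOTICE.search(ev["TargetObject"]):
            hits["LEGAL_NOTICE"].append((ev["TargetObject"], ev.get("Details", "")))
    return hits


def triage(events, min_rules=2):
    """Alert only when at least min_rules distinct behaviours fired, to cut single-rule noise."""
    hits = detect(events)
    fired = [rule for rule, found in hits.items() if found]
    return len(fired) >= min_rules, fired


if __name__ == "__main__":
    alert, fired = triage(SAMPLE_EVENTS)
    print("ALERT" if alert else "clean", fired)
```

The `executed` set is what makes the self-deletion rule usable in production: `cmd /c DEL` of arbitrary files is common, but deleting a path that appeared as the `Image` of an earlier process on the same host is rare outside installers and malware. Tune `min_rules` per environment; the LegalNotice change alone is also set legitimately by group policy.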
MITRE Techniques
- [T1204] User Execution – Mapped from the ransom note, which differs per binary and points the victim to a dedicated Tor site; the quoted evidence concerns post-encryption communication rather than how the binary is launched. “The ransom note of each binary directed victims to different Tor sites for communication.”
- [T1547.001] Registry Run Keys / Startup Folder – The ransomware opens registry keys with RegCreateKeyA and writes values with RegSetValueExA; the value written is the logon legal-notice message, which displays the ransom text at startup rather than re-executing the payload. “It modifies this registry key to show a message during system startup.”
- [T1622] Debugger Evasion – The analysis lists debugger evasion among the defense-evasion behaviours without detailing the check used. “Debugger Evasion Indicator Removal.”
- [T1070] Indicator Removal on Host – After launching from the %TEMP% copy it deletes the original binary via cmd.exe (%SAMPLEPATH% stands for the sample's own path). “cmd /c DEL "%SAMPLEPATH%"”
- [T1057] Process Discovery – It enumerates running processes and terminates those on a hard-coded list (typically done so that open files are released before encryption). “The ransomware terminates the following processes.”
- [T1082] System Information Discovery – The report offers only the process tree as evidence; no specific discovery API calls are cited. “The figure below shows the process tree.”
- [T1083] File and Directory Discovery – Inferred from the file details and encrypted-file artifacts shown; the traversal logic itself is not documented. “Figure 5 – File Details”
- [T1486] Data Encrypted for Impact – The core impact shown by encryption and ransom text. “ALL YOUR FILES HAS BEEN ENCRYPTED!”
- [T1489] Service Stop – Termination of processes and disabling of services including anti-malware/backup. “terminate processes and disable specific services, including those related to anti-malware, backup, and recovery.”
- [T1490] Inhibit System Recovery – Disabling backup and recovery services hinders restoration from backups. “Inhibit System Recovery.”
Indicators of Compromise
- [MD5] ARCrypt Executable – 9b80a70be01700866a667085aad93b5a, 7df9c7e23c2a1f8d3d87cd2460bb275c
- [SHA-1] ARCrypt Executable – 0408d6208440ef3caf7078361897f47c911de543, b589fccc88bd05df102b7584c356fce21be1de58
- [SHA-256] ARCrypt Executable – a933ebeb8bec26881b2d191f5034b7d6cacbb8d2cc06eeb7327f752fd0fab24d, 94e227ad918034ae9b569a380a5e6c8928428862236395e3357a085b03f25fef