ARCrypter is a previously unknown ransomware family that first appeared in Latin America (notably Chile, with Invima involvement) and has since expanded to victims in China and Canada. It uses a two-stage dropper and payload, and its ransom note is delivered before encryption begins. BlackBerry’s threat research provides IoCs, MITRE ATT&CK mappings, weaponization details, and indicators to help defenders detect this campaign.
Key points
- ARCrypter is a newly identified ransomware family that began targeting Latin American institutions (including Chile’s government systems) in Aug 2022 and is now seen globally, including China and Canada.
- The campaign includes a two-stage delivery: a dropper (win.exe) that drops a second-stage payload (3.exe) after storing a ransom note in an HTML resource.
- The dropper is distributed via AnonFiles as a password-protected archive (win.zip) containing win.exe; the dropper creates a random directory under common temp locations to stage the second stage.
- The second stage payload persists by using registry keys and includes cleanup logic with two BAT files to terminate/delete the dropper and remove traces.
- ARCrypter decrypts and encrypts files according to a whitelist of extensions and locations, disables shadow copies, and preserves network drives during downtime; the ransom note is saved to a temp path and references a threat actor-controlled panel on Tor.
- The report provides IoCs (hashes and file paths) and a detailed MITRE ATT&CK mapping, but there is no attribution to a known threat actor yet.
- Early indicators point to a broader geographical expansion beyond LatAm, with victims appearing in China and Canada based on VT submissions and file timelines.
MITRE Techniques
- [T1091] Replication Through Removable Media – Listed in the report’s ATT&CK mapping even though, as the report notes, “The attack vector of the infection is unknown.”
- [T1059] Command and Scripting Interpreter – The second-stage payload carries out its actions through command-line tools (reg.exe for persistence, vssadmin for shadow copies, BAT files for cleanup).
Quote: “The malware proceeds in establishing persistence by invoking the reg.exe process.”
- [T1547.001] Registry Run Keys / Startup Folder – Persistence via a registry Run key whose value is the path to the malware: “The registry key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate” with value of path to the malware.”
- [T1112] Modify Registry – The malware modifies registry keys to change what is displayed to the user, including setting a value of “ALL YOUR FILES HAS BEEN ENCRYPTED.”
- [T1564.001] Hidden Files and Directories – The malware stages its payload in hidden directories and storage, per the report’s MITRE mapping.
- [T1140] Deobfuscate/Decode Files or Information – The dropper contains embedded resources (BIN/HTML) and decrypts data as part of payload deployment.
- [T1070.004] File Deletion – The dropper uses file cleanup steps (e.g., bat files to remove traces) as part of cleanup operations.
- [T1057] Process Discovery – As part of its later stages, the ransomware performs discovery to understand the environment (process-related checks).
- [T1486] Data Encrypted for Impact – The core action: encrypting files (with a whitelist of extensions/locations) and appending “.crypt” to encrypted files.
- [T1490] Inhibit System Recovery – Shadow copies are deleted to hinder recovery: “vssadmin delete shadows /All /quiet”.
Indicators of Compromise
- [MD5] Dropper/Payload – 6b402772ac82df77da8ead65636423da, bc288a88a43c5a6d4b9dee33d3ef70eb
- [SHA256] Dropper/Payload – 8d40ac7ff823a82053b413326beba33bf94380a79c49165545fed3e92089b6eb, cc0bd45536a6c15f8b76fe06fd637857e6fbb483dc620793aa3aa27e1ab75a62
- [MD5 / SHA256] Additional Payloads – 45299d77edb17dc48eccec70e928d9ea, eee0f2f6b2524498f8287f95dd184828a044677700d61e2c0a109866f3dd504d
- [PDB Path] – Z:_ARCDropper.pdb, Z:_ARCEncrypter 2.0.pdb
- [File Name] – win.exe, 3.exe
- [URL] – AnonFiles hosting for dropper/download (win.exe and win.zip)
- [File Name] – readme_for_unlock.txt (ransom note stored in %TMP%)
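Added example, not part of the BlackBerry report or this summary: a small Python scanner that turns the behaviours in the MITRE Techniques section and the hash values in the Indicators of Compromise section into detection rules and runs them over constructed telemetry. The regexes, the event schema and the sample events are this example's own assumptions, not the vendor's detection content.

```python
import re

# Hash IoCs as listed in the write-up above (MD5 and SHA256 pooled, lower-case).
KNOWN_HASHES = {
    "6b402772ac82df77da8ead65636423da", "bc288a88a43c5a6d4b9dee33d3ef70eb",
    "45299d77edb17dc48eccec70e928d9ea",
    "8d40ac7ff823a82053b413326beba33bf94380a79c49165545fed3e92089b6eb",
    "cc0bd45536a6c15f8b76fe06fd637857e6fbb483dc620793aa3aa27e1ab75a62",
    "eee0f2f6b2524498f8287f95dd184828a044677700d61e2c0a109866f3dd504d",
}

# Behavioural rules keyed to the ATT&CK IDs above. The regexes are this example's
# own approximation of the quoted commands and paths, not the vendor's detections.
RULES = [
    # reg.exe writing the Run value "SecurityUpdate"
    ("T1547.001", re.compile(r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b.*securityupdate", re.I)),
    # the quoted shadow-copy deletion
    ("T1490", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)),
    # ransom note written under a Temp directory, or a file renamed to .crypt
    ("T1486", re.compile(r"(\\temp\\readme_for_unlock\.txt|\.crypt)$", re.I)),
]

def scan_event(event):
    """Return the labels one event matches. Keys: 'cmdline' (process creation),
    'path' (file create/rename), 'md5' / 'sha256' (image hash); all optional."""
    hits = []
    for key in ("md5", "sha256"):
        if event.get(key, "").lower() in KNOWN_HASHES:
            hits.append("IOC-hash")
    for field in ("cmdline", "path"):
        text = event.get(field, "")
        hits.extend(tid for tid, pat in RULES if text and pat.search(text))
    return hits

def scan_events(events):
    """Map event index -> matched labels, omitting events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := scan_event(e))}

# Constructed sample telemetry (not real logs) modelled on the behaviours quoted above.
SAMPLE_EVENTS = [
    {"cmdline": r"reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\Run "
                r"/v SecurityUpdate /t REG_SZ /d C:\Users\Public\Temp\3.exe"},
    {"cmdline": "vssadmin delete shadows /All /quiet"},
    {"path": r"C:\Users\alice\AppData\Local\Temp\readme_for_unlock.txt"},
    {"path": r"C:\Users\alice\Documents\budget.xlsx.crypt"},
    {"path": r"C:\Users\alice\Documents\budget.xlsx"},
    {"sha256": "8d40ac7ff823a82053b413326beba33bf94380a79c49165545fed3e92089b6eb"},
    {"cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags events 0 to 3 and 5 with their technique or hash label and leaves the two benign events untouched; feeding real EDR process and file events in the same dict shape is the only change needed to use it against live telemetry.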