A new ransomware strain has been detected by researchers at BlackBerry, who say it has been seen hitting organizations in Canada, China, Chile, and Columbia.
Dubbed ARCrypter, because the unique strings “ARC” were found in all the samples the researchers analyzed, it first appeared in August.
Unlike other ransomware variants, BlackBerry said, where a ransom note is dropped after the file encryption stage, ARCrypter drops the ransom note before the files are encrypted. Upon ransom note delivery, the dropper then proceeds to drop two batch scripts and the main payload encrypter.
The attack vector — phishing, brute force attacks or vulnerability exploits — isn’t known.
Through hunting efforts, BlackBerry has found samples associated with the first ARCrypter campaign from early August 2022. But the first public indication of a new ransomware strain came on August 25th, when Chile’s government IT systems were attacked and its computer incident response team published a report which contained some indicators of compromise. Then on October 3rd, Invima, the Colombia National Food and Drug Surveillance Institute, reported a cyber attack that BlackBerry believes was the same strain.
Following these incidents, the researchers found submissions on the VirusTotal scanner by apparently real victims from China and Canada.
In their investigation of how the ransomware is installed, the researchers found the use of AnonFiles, an anonymous download service. It deposits two files: The “win.zip” file is a password-protected archive containing the “win.exe” file. The “win.exe” file is a dropper file, which has two resources – BIN and HTML. The HTML resource stores ransom note contents, and the BIN resource contains encrypted data, probably the ARCrypter ransomware.
To decrypt the BIN resource, the dropper expects an argument “-p” followed by a password. Once the password is entered by the threat actor the dropper creates a random directory under one of the following environment variables:
The purpose of this newly created directory is to store the second stage payload, the ransomware.
The ransom note contains the username and password required for the victim to log into the communication panel with the threat actors, which is hosted on the .onion site.
The report includes indicators of compromise that IT security teams will find useful.