The previously unknown ARCrypter ransomware that compromised key organizations in Latin America is now expanding its attacks around the world.
In a new report, researchers linked ARCrypter to an attack on a Chilean government agency in October that forced the agency to suspend its operations.
According to experts from The BlackBerry Research and Intelligence Team, ARCrypter is currently expanding its operations outside of Latin America and is targeting various organizations around the world, including in China, Canada, Germany, the United States and France.
Ransom demands vary from case to case and reach as high as $5,000; the researchers characterize ARCrypter as a mid-range ransomware operation on that basis.
BlackBerry reports that the first samples of ARCrypter appeared in early August 2022, a few weeks before the attack in Chile.
The initial attack vector remains unknown, but analysts found two AnonFiles URLs that serve as remote hosts for a "win.zip" archive containing the "win.exe" executable.
The executable file is a dropper file containing BIN and HTML resources. The HTML contains the ransom note, while the BIN includes encrypted data that requires a password.
When the correct password is supplied, the dropper decrypts the BIN resource and writes the ARCrypter second-stage payload into a randomly named directory on the compromised device; the payload then creates its own registry key to persist on the system.
ARCrypter then deletes all volume shadow copies to prevent data recovery, adjusts network settings to keep a stable connection, and encrypts files, skipping certain file types.
Files in the Downloads and Windows folders are also skipped so as not to render the system completely unusable.
In addition to the ".crypt" extension, encrypted files display the message "ALL YOUR FILES HAS BEEN ENCRYPTED".
Notably, the hackers claim to steal data during their attacks, but they do not have a leak site to post the stolen files.
Almost nothing is known about ARCrypter's operators at this time: their origin, their language, and any ties to other groups remain unclear.