ARCrypter ransomware strain detailed by BlackBerry

Share post:

A new ransomware strain has been detected by researchers at BlackBerry, who say it has been seen hitting organizations in Canada, China, Chile, and Columbia.

Dubbed ARCrypter, because the unique strings “ARC” were found in all the samples the researchers analyzed, it first appeared in August.

Unlike other ransomware variants, BlackBerry said, where a ransom note is dropped after the file encryption stage, ARCrypter drops the ransom note before the files are encrypted. Upon ransom note delivery, the dropper then proceeds to drop two batch scripts and the main payload encrypter.

The attack vector — phishing, brute force attacks or vulnerability exploits — isn’t known.

Through hunting efforts, BlackBerry has found samples associated with the first ARCrypter campaign from early August 2022. But the first public indication of a new ransomware strain came on August 25th, when Chile’s government IT systems were attacked and its computer incident response team published a report which contained some indicators of compromise. Then on October 3rd, Invima, the Colombia National Food and Drug Surveillance Institute, reported a cyber attack that BlackBerry believes was the same strain.

Following these incidents, the researchers found submissions on the VirusTotal scanner by apparently real victims from China and Canada.

In their investigation of how the ransomware is installed, the researchers found the use of AnonFiles, an anonymous download service. It deposits two files: The “” file is a password-protected archive containing the “win.exe” file. The “win.exe” file is a dropper file, which has two resources – BIN and HTML. The HTML resource stores ransom note contents, and the BIN resource contains encrypted data, probably the ARCrypter ransomware.

To decrypt the BIN resource, the dropper expects an argument “-p” followed by a password. Once the password is entered by the threat actor the dropper creates a random directory under one of the following environment variables:

  • %TMP%

The purpose of this newly created directory is to store the second stage payload, the ransomware.

The ransom note contains the username and password required for the victim to log into the communication panel with the threat actors, which is hosted on the .onion site.

The report includes indicators of compromise that IT security teams will find useful.

The post ARCrypter ransomware strain detailed by BlackBerry first appeared on IT World Canada.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Cyber Security Today, June 12, 2024 – More Snowflake storage victims found, Microsoft issues new Windows patches,

More Snowflake storage victims found, Microsoft issues new Windows patches, and more. Welcome to Cyber Security Today. It's Wednesday,...

Former OpenAI employee alleges plan for AGI bidding war

In a recent interview, former OpenAI safety researcher Leopold Aschenbrenner made startling claims about his ex-employer's strategy regarding...

Malicious code in millions of installs traced to Microsoft Visual Studio

A group of Israeli researchers found thousands of potentially harmful extensions on the Visual Studio Code (VSCode) Marketplace,...

Cyber Security Today, June 10, 2024 – Microsoft backs down on Recall

Microsoft backs down on Recall. Welcome to Cyber Security Today. It's Monday, June 10th, 2024. I'm Howard Solomon, contributing...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways