Cyble – ARCrypt Ransomware Evolves With Multiple TOR Communication Channels

Ransomware Operators Thrive in the Shadows

ARCrypter ransomware, also known as ChileLocker, emerged in August 2022 and gained attention following an attack on an entity located in Chile. Subsequently, researchers revealed that this ransomware started targeting organizations worldwide. The Threat Actors (TA)s responsible for this group do not maintain a leak site for extorting their victims. It has been observed that ARCrypter ransomware targets both Windows and Linux operating systems.

In early 2023, researchers reported the emergence of a new Linux variant of ARCrypter, developed using the GO programming language. Cyble Research and Intelligence Labs (CRIL) also discovered an updated version of the ARCrypt Windows executable, which previously existed in the wild.

This version of ARCrypt ransomware has been observed in the wild for approximately 2-3 months. During our investigation, we discovered some unusual techniques employed by the TA to interact with their victims.

In contrast to the older variant of ARCrypt ransomware, which utilized a common chat site hosted on Tor for all victims, we analyzed multiple binaries of the updated version and identified the following:

• The ransom note of each binary was pointing to a mirror site
• The TA created dedicated chat sites hosted on Tor for each victim
• In one instance, the ransom note instructed the victim to contact the TA via TOX, a messaging platform, by creating a profile with a specific username

Apart from this, we also found an instance shown in the figure below, where TA offered the victim a discount if the ransom was paid in Monero. Tracing transactions is difficult in Monero compared to Bitcoin, so some TAs prefer to use this. We have also observed AvosLocker ransomware in the past seeking ransom payments in Monero with added discounts.

This ransomware variant now utilizes the “.crYpt” instead of the “.crypt” extension to rename the encrypted filename and consists of a new ransom note. In this blog, we will further explore the changes observed in the ransomware binary and the communication method used by the threat actor (TA).

Analysis

Communication Method

During our analysis of multiple binaries of the ARCrypt ransomware, we discovered that each ransom note in the binaries directed victims to different Tor sites for communication, as highlighted in Figure below. Further investigation revealed that these sites were mirror sites, sharing the same user interface but having different URLs. Typically, ransomware TAs include all the mirror sites in the ransom note to ensure accessibility for victims. This approach allows victims to access an alternative site if one becomes inaccessible.

We conducted tests using login credentials obtained from various ransom notes, regardless of the associated Tor site mentioned in each note. However, these login credentials failed to authenticate on the Tor sites. This indicates that the provided login credentials are specific to the corresponding Tor site mentioned in the ransom note, further confirming that the threat actor (TA) creates dedicated Tor sites for each victim. Additionally, we observed that the Tor sites mentioned in older ransom notes were no longer accessible, suggesting that TA might be intentionally removing traces to clear their footprints.

The figure below shows the ARCrypt ransomware tor site.

We also encountered an instance where the TA was urging its victim to create a profile on TOX with a specific username, as shown in the figure below. This highlights that the TA might be carrying out targeted attacks.

ARCrypt ransomware binary (SHA256: 4f2e40e6353a2430a80824d113268b5cdb28a0ddb079418be05ba79dea608410) is a 64-bit executable.

The figure below shows the file details.

Execution

Upon execution, the ransomware copies itself to the %TEMP% directory and assigns a random six-character alphanumeric string comprised of uppercase letters [A-Z] and digits [0-9] as its filename. It then proceeds to run from this location and deletes the original ransomware binary using the command “cmd /c DEL “%SAMPLEPATH%” &EXIT”. A batch script was employed in earlier versions to remove the initial executable file.

The figure below illustrates the portion of the ransomware responsible for self-deletion.

The updated variant of ARCrypt ransomware has the ability to terminate processes and disable specific services, including those related to anti-malware, backup, and recovery. This behavior suggests that the ransomware might be targeting servers.

The ransomware terminates the following processes. Due to the resource-intensive nature of the encryption process, the ransomware executables often terminate processes to free up system resources and accelerate the encryption process. It also terminates a few Endpoint Detection and Response (EDR) solutions as a means to evade detection.

The figure below shows the process tree.

Artifacts

This ransomware uses RegCreateKeyA API to open registry keys under HKEY_LOCAL_MACHINE and uses RegSetValueExA API to set values for a specific key. The values being set to include “legalnoticecaption”, and “legalnoticetext” in the Key “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem”.

The following data is added to the values:

• legalnoticecaption: ALL YOUR FILES HAS BEEN ENCRYPTED!
• Legalnoticetext: For unlock your files follow the instructions from the readme_for_unlock.txt

It modifies this registry key to show a message during system startup.

The figure below shows the code for altering the registry keys.

The figure below shows the message displayed by the ransomware binary.

This ransomware variant renames the encrypted files with the extension “.crYpt”, whereas the older variant used the “.crypt” extension.

The figure below shows the encrypted files.

Ransom Note

This variant of ARCrypt ransomware introduces a distinct ransom note that bears only a few similarities to the older ransom note.

The figure below illustrates the comparison between the older and new ransom note.

Conclusion

The ARCrypt ransomware has evolved with an updated variant that incorporates certain changes. We believe the TA behind the ARCrypt ransomware is trying to avoid attracting unwanted attention. By updating the ransomware binary and adopting certain practices such as preferring ransom payments in Monero, not extorting victims through leak sites, and utilizing a new communication medium for each victim, the attacker aims to enhance their level of anonymity.

Our Recommendations  

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

Safety Measures Needed to Prevent Ransomware Attacks  

• Conduct regular backup practices and keep those backups offline or in a separate network  
• Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic  
• Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile
• Refrain from opening untrusted links and email attachments without verifying their authenticity  

Users Should Take the Following Steps After the Ransomware Attack  

• Detach infected devices on the same network  
• Disconnect external storage devices if connected 
• Inspect system logs for suspicious events  

Impact And Cruciality of Ransomware  

• Loss of valuable data
• Loss of the organization’s reputation and integrity
• Loss of the organization’s sensitive business information 
• Disruption in organization operation  
• Financial loss

MITRE ATT&CK® Techniques  

Indicators of Compromise  

Related

Source: https://blog.cyble.com/2023/07/06/arcrypt-ransomware-evolves-with-multiple-tor-communication-channels/