The ARCrypter ransomware evolves into a global threat

ARCrypter Ransomware Cyber Threat Malware Dropper Cybersecurity

The previously unidentified ARCrypter ransomware operation that runs as a middle-class ransomware group is now attempting to expand into a global threat. The group started its malicious worldwide process last August after targeting several organisations from countries like China, Germany, France, Canada, and the United States.

According to researchers, the ARCrypter operators utilised two AnonFiles URLs as remote resources for retrieving a password-protected zip archive that includes an executable dropper file.

The executable archive contains a resource BIN that stores the encrypted information and an HTML archive that keeps the ransom noted. Upon the provision of the password, the Bin will develop a random directory on the infected device to hold ARCrypter ransomware as the second-stage payload.


The ARCrypter ransomware operation removes all its shadow copies to hinder any data restoration process.


The researchers explained that the ARCrypter ransomware’s payload includes a registry key for establishing persistence and elusively deletes all its Shadow Volume Copies to prevent an easy data restoration process for threat analysts.

Furthermore, the payload modifies the network settings to secure stable connectivity. It encrypts all targeted files except for some file types such as [.]dll and [.]ini and locations that could render the system useless.

Finally, the ransomware payload appends the [.]crypt extension to all compromised files, and these encrypted files show a message stating ‘ALL YOUR FILES HAVE BEEN ENCRYPTED’ on the file manager.

The ransomware operators harvest troves of data during their campaign, but their group does not have a data leak site for publishing proof of their labour. Currently, the ransom demands from the group vary from $5000 or more depending on its target.

The ARCrypter’s origin and language are still a mystery to cybersecurity researchers. In addition, they have yet to expose a detail of which ransomware family they belong to since researchers have no past information about them.

However, this newly uncovered ransomware operation has shown the potential of expanding to an expansive threat landscape since it has the abilities of a sophisticated ransomware operation. Its operators have demonstrated that they could deploy attacks against multiple companies.

Cybersecurity experts advise organisations all over the globe to be prepared with backup data and employ an intelligent security solution to mitigate any risk from any ransomware campaign.

About the author

Leave a Reply