Arcrypter
Description
ARCrypter (also known as ArcRypt or ChileLocker) was first identified in August 2022. It initially targeted government entities in Latin America and later expanded to victims worldwide. The operators use a single-extortion model: there is no evidence of a data-leak site or of a ransomware-as-a-service (RaaS) ecosystem around it. The malware appends extensions such as .crypt, .crYpt and .crYptA3 to encrypted files and, unusually for ransomware, drops the ransom note before it starts encrypting. Variants exist for both Windows and Linux, including a Go-based Linux build. Victim communication runs over Tor-based portals, which evolved from a single shared site to an individual mirror site per victim; in some cases the actors instead instructed victims to contact a Tox profile they had created. Reported targets include Chile's government infrastructure, Colombia's Invima agency, and organizations in China and Canada.
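Two details above are directly usable in a hunt: the case-specific extensions and the fact that the ransom note lands before encryption starts, so a note-then-encryption ordering on a host is itself a signal. The script below is an added illustration of that logic, not code from any of the linked reports. It takes file-creation events of the form (timestamp, host, path), counts files carrying one of the listed extensions (matched case-sensitively, since the odd capitalisation is part of the indicator), and reports whether the note preceded the first encrypted file. The page does not give the ransom-note filename, so the caller supplies the names seen in their own evidence; the name in the constructed sample events is a placeholder.

```python
"""Hunt for ARCrypter-style file artifacts in host file-creation events.

Added example; not code from the cited reports. Assumptions:
  * ARCRYPTER_EXTENSIONS come from the description above.
  * Ransom-note filenames are NOT stated on the page; callers pass the names
    their own incident evidence shows. PLACEHOLDER_NOTE_NAMES and the sample
    events below are constructed for illustration only.
"""
from collections import defaultdict

# Extensions reported for ARCrypter. Matching is deliberately case-sensitive:
# the capitalised variants are themselves the indicator.
ARCRYPTER_EXTENSIONS = (".crypt", ".crYpt", ".crYptA3")

# Placeholder: replace with the note filename(s) observed in your own case.
PLACEHOLDER_NOTE_NAMES = {"readme_for_unlock.txt"}


def basename(path: str) -> str:
    """Final path component for either Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def has_arcrypter_extension(path: str) -> bool:
    """True if the path ends in one of the reported extensions (exact case)."""
    return any(path.endswith(ext) for ext in ARCRYPTER_EXTENSIONS)


def analyse_file_events(events, note_names):
    """Summarise ARCrypter indicators per host.

    events: iterable of (timestamp, host, path) for created/renamed files;
            timestamps must sort chronologically as strings (ISO 8601 works).
    note_names: set of ransom-note filenames from the responder's evidence.

    Returns {host: {"encrypted": count, "first_encrypted": ts or None,
                    "note_seen": ts or None, "note_before_encryption": bool}}
    for hosts that show at least one indicator.
    """
    per_host = defaultdict(lambda: {"encrypted": 0, "first_encrypted": None,
                                    "note_seen": None,
                                    "note_before_encryption": False})
    for ts, host, path in sorted(events):
        rec = per_host[host]
        if basename(path) in note_names:
            if rec["note_seen"] is None:
                rec["note_seen"] = ts
        elif has_arcrypter_extension(path):
            rec["encrypted"] += 1
            if rec["first_encrypted"] is None:
                rec["first_encrypted"] = ts
    for rec in per_host.values():
        rec["note_before_encryption"] = (
            rec["note_seen"] is not None
            and rec["first_encrypted"] is not None
            and rec["note_seen"] < rec["first_encrypted"])
    # Drop hosts that produced no indicator at all.
    return {h: r for h, r in per_host.items() if r["encrypted"] or r["note_seen"]}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("2022-08-10T09:00:02", "srv-fin-01", "C:\\Users\\Public\\readme_for_unlock.txt"),
    ("2022-08-10T09:00:05", "srv-fin-01", "C:\\Data\\ledger.xlsx.crYptA3"),
    ("2022-08-10T09:00:06", "srv-fin-01", "C:\\Data\\q3.docx.crYpt"),
    ("2022-08-10T09:00:07", "srv-fin-01", "C:\\Data\\notes.txt"),
    ("2022-08-10T09:01:00", "lnx-web-02", "/var/www/html/index.html.crypt"),
    ("2022-08-10T09:01:01", "lnx-web-02", "/var/www/html/readme_for_unlock.txt"),
    ("2022-08-10T09:02:00", "ws-hr-07", "C:\\Users\\a\\backup.CRYPT"),  # wrong case, ignored
]


if __name__ == "__main__":
    for host, rec in analyse_file_events(SAMPLE_EVENTS, PLACEHOLDER_NOTE_NAMES).items():
        print(host, rec)
```

On the sample data, srv-fin-01 shows the note two seconds before the first .crYptA3 file (the ordering the description reports), lnx-web-02 shows the note only after encryption began, and ws-hr-07 is not reported at all because .CRYPT is not one of the listed extensions.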
External Analysis
https://blogs.blackberry.com/2022/11/arcrypter-ransomware-expands-its-operations-from-latin-america-to-the-world
https://cyble.com/blog/arcrypt-ransomware-evolves-with-multiple-tor-communication-channels
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.win32.arcrypter.a