Chilelocker
Description
ChileLocker first emerged in August 2022 and is considered part of the broader ARCrypter ransomware family. It employs a double-extortion model, encrypting Windows and Linux/VMware ESXi systems and threatening data leaks. ChileLocker uses the NTRU public key cryptosystem for encryption and typically appends the .crypt extension to affected files. Following encryption, it drops a ransom note—often named readme_for_unlock.txt—and directs victims to a password-protected Tor negotiation portal, with the password provided in the note. The group also disables recovery mechanisms by deleting shadow copies. Its initial access tactics include exploitation of misconfigured RDP access, phishing, malicious installers, botnets, fake updates, and malvertising. The ransomware has impacted victims across various regions, including Chile, Mexico, Canada, Spain, and others.
| External Analysis |
| https://www.fortinet.com/blog/threat-research/ransomware-roundup-bisamware-and-chile-locker |
| https://cyble.com/blog/arcrypt-ransomware-evolves-with-multiple-tor-communication-channels |
| https://www.cymulate.com/blog/september-2022-cyberattacks-wrap-up |
| Urls |
Screen |
| http://z6vidveub2ypo3d3x7omsmcxqwxkkmvn5y3paoufyd2tt4bfbkg33kid.onion |
|
| Chat servers |
Screen |
| http://ebljej7okwfnx5hdfikqqt2uqehihqv3yns3ziij5clqpklwb3i2cxad.onion/ |
|
| http://7wa2bi6grhbu4opt5bguga4g63jsxiy3ysfbabh7dbyk3niqxlsburad.onion/ |
|