Arai Ransomware Goes for Double Extortion

Arai is the name of a newly discovered strain of file-encrypting malware. The new variant does not seem to belong to any particular ransomware family.

The ransomware works largely as you would expect it to - it encrypts almost all files on the victim system and leaves them unusable. Encrypted files receive the ".araicrypt" extension, appended after their old one. This means that a file named "music.mp3" will turn into "music.mp3.araicrypt" once it has been encrypted.

The Arai ransomware will scramble most document, media, archive and database file types, making it a significant data security threat.

The ransom note is deposited in a plain text file named "READ_TO_RESTORE_YOUR_FILES.txt". The note threatens a leak of potentially sensitive data stolen in the attack, in what has become a standard method for double extortion among ransomware operators.

The full text of the note is as follows:


All Your Files Have Been Encrypted !!


All of your backups and shadow copies have also been deleted so forget restoring



We also have been able to steal your confidential files (databases, customers data's,

HR etc...) all over your network workstations and servers.


If you want to hear your mind instead of our instructions, you will loose stupidly your

files but you will also see your files being published online or sell to tiers (and we'll do it)

In this case, beleive us that you're going to suffer a big financial loss and a big loss

of reputation.


We are aware that you don't want this case too happens.

If you want to restore files and want us to delete your confidentials files, contact us right

with a message to the contact address below. Include the KeyID in your message pls.


AraiHelp at secmail dot pro

If there's no answers from us in the next 15 hours, contact us to :

AraiHelp2 at secmail dot pro

Note that you have only 48 hours to contact us. After this delay, there will be no data

recovered and your files will be published.

Key Identifier:

[alphanumeric string]

July 27, 2022