ARCrypter Ransomware Deletes Shadow Volume Copies


ARCrypter is the name of a new ransomware that was spotted in the wild in late November 2022.

ARCrypter doesn't do anything astonishing but still does a couple of things that a lot of other ransomware clones do not. First of all, the ransomware has the ability to delete shadow volume copies - something that a lot of garden-variety ransomware variants don't do.

Additionally, it drops its ransom note before encryption begins, which is very unusual and could expose the encryption process while it is still running. The ransom note is contained in a file named "readme_for_unlock.txt".

The ARCrypter ransomware will append the ".crypt" extension to scrambled files and encrypt most file types including media, document and archive files. Executables are left untouched.
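Because the note is written before encryption starts, a file-creation event for "readme_for_unlock.txt" is an early signal. The following added example (not from the original article or from any vendor tooling) groups file-creation events per host and reports whether the note, ".crypt" files, or both were seen, and how many seconds separated them. The event tuple layout, host names and paths are constructed assumptions.

```python
from datetime import datetime
from pathlib import PureWindowsPath

NOTE_NAME = "readme_for_unlock.txt"   # ransom note name given in the article
ENC_SUFFIX = ".crypt"                 # extension appended to encrypted files

# Constructed file-creation events (time, host, path); not real telemetry.
SAMPLE_EVENTS = [
    ("2022-11-18T10:00:01", "fs01", r"C:\Shares\Finance\readme_for_unlock.txt"),
    ("2022-11-18T10:00:02", "fs01", r"C:\Shares\Finance\budget.xlsx"),
    ("2022-11-18T10:00:09", "fs01", r"C:\Shares\Finance\budget.xlsx.crypt"),
    ("2022-11-18T10:00:10", "fs01", r"C:\Shares\Finance\q3.docx.CRYPT"),
    ("2022-11-18T10:05:00", "ws07", r"C:\Users\a\Desktop\README_FOR_UNLOCK.TXT"),
    ("2022-11-18T10:06:00", "db02", r"D:\backup\dump.bak.crypt"),
]

def triage(events):
    """Return {host: finding} for hosts showing the note and/or .crypt files."""
    hosts = {}
    for ts, host, path in sorted(events):   # ISO timestamps sort chronologically
        p = PureWindowsPath(path)
        is_note = p.name.lower() == NOTE_NAME       # match case-insensitively
        is_enc = p.suffix.lower() == ENC_SUFFIX
        if not (is_note or is_enc):
            continue
        h = hosts.setdefault(
            host, {"note_at": None, "first_crypt_at": None, "crypt_files": 0})
        when = datetime.fromisoformat(ts)
        if is_note and h["note_at"] is None:
            h["note_at"] = when
        if is_enc:
            h["crypt_files"] += 1
            h["first_crypt_at"] = h["first_crypt_at"] or when
    for h in hosts.values():
        note, enc = h["note_at"], h["first_crypt_at"]
        h["lead_seconds"] = (enc - note).total_seconds() if note and enc else None
        if note and enc:
            h["state"] = "encrypting"          # note followed by .crypt files
        elif note:
            h["state"] = "note_only"           # note seen, no .crypt yet: isolate now
        else:
            h["state"] = "crypt_without_note"  # note missed or a logging gap
    return hosts

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding["state"], finding["crypt_files"], finding["lead_seconds"])
```

A host in the `note_only` state is the case worth alerting on first, since nothing has been renamed to ".crypt" there yet.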

The full ransom note dropped by ARCrypter reads as follows:

HELLO
---> Attention <----

DO NOT:
--Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
--Use any third-party or public Decryption software, it also may DAMAGE files.
--Shutdown or Reset your system, it can DAMAGE files.
--Hire any third-party negotiators (recovery/police and etc).

Your security perimeter was BREACHED.
Critically important servers and hosts were completely ENCRYPTED.
This README-FILE here for you to show you our presence in your's network and avoid any silence about hacking and leakage.
Also, we has DOWNLOADED OF YOUR MOST SENSITIVE Data just in case if you will NOT PAY,
than everything will be PUBLISHED in Media and/or SOLD to any third-party.

WHAT SHOULD YOU DO:
---> You have to contact us as soon as possible (you can find contacts below)
---> You should purchase our decryption tool, so will be able to restore your files. Without our Decryption keys it's impossible
---> You should make a Deal with us, to avoid your Data leakage

YOUR OPTIONS:
---> IF NO CONTACT OR DAEL MADE IN 3 DAYS:
Decryption key will be deleted permanently and recovery will be impossible.
All your Data will be Published and/or Sold to any third-parties
Information regarding vulnerabilities of your network also can be published and/or shared

November 18, 2022