arcrypter

Also known as: arcrypter

ArcRypt (also known as ARCrypter or ChileLocker) was first identified in August 2022, originally targeting government entities in Latin America and subsequently expanding globally. The group employs a single-extortion model—there is no evidence of a data-leak threat or RaaS ecosystem. The malware encrypts files using extensions such as .crypt, .crYpt, and .crYptA3, and uniquely drops the ransom note before commencing encryption. It has variants for both Windows and Linux, including a Go-based Linux version. Communication with victims occurs via Tor-based portals, evolving over time from a single shared site to individualized mirror sites for each victim. In some cases, threat actors have instructed victims to contact them using Tox, creating a Tox profile for communication. Targets have included Chile’s government infrastructure, Colombia’s Invima agency, and organizations in China and Canada.

Introduction

ArcRypt (also known as ARCrypter or ChileLocker) was first identified in August 2022, originally targeting government entities in Latin America and subsequently expanding globally. The group employs a single-extortion model—there is no evidence of a data-leak threat or RaaS ecosystem. The malware encrypts files using extensions such as .crypt, .crYpt, and .crYptA3, and uniquely drops the ransom note before commencing encryption. It has variants for both Windows and Linux, including a Go-based Linux version. Communication with victims occurs via Tor-based portals, evolving over time from a single shared site to individualized mirror sites for each victim. In some cases, threat actors have instructed victims to contact them using Tox, creating a Tox profile for communication. Targets have included Chile’s government infrastructure, Colombia’s Invima agency, and organizations in China and Canada.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • China Chopper:
  • Windows Remote Desktop:

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.