Source Code of “ArisLocker” Ransomware Appears on the Dark Web

  • The ArisLocker ransomware source code is being distributed on the dark web.
  • The strain seems to have a weakness in its encryption system, so white-hat researchers could exploit it.
  • We expect to see a spike in the deployment of ArisLocker against victims in the upcoming weeks.

According to the latest reports from Cyble’s researchers, actors have posted the source code of the “ArisLocker” ransomware on the dark web. The team’s malware analysts grabbed the code and analyzed what they could. This is a ransomware strain for which no decryptors are available yet, and locating its source code will surely bring developments on that front. For now, this is what Cyble’s team could figure out about ArisLocker:

  1. ArisLocker begins by urging the victim to enter their login credentials on a fake screen.
  2. The malware scans “C:\Users\” and “#C:\Users\,” enumerating files suitable for encryption.
  3. A queuing system pushes all files in order for the encryption thread.
  4. The encryption takes place using a key that is stored at a remote address. The encryption is 256-bit AES.
  5. The encrypted files are saved on their original paths using the “.aris” file extension.
  6. A “readme.txt” is generated and placed in the desktop folder.
  7. The desktop background image is changed to warn the user about what happened.

Source: Cyble blog

The “default” ransom ArisLocker demands is set to $75, with a threat to raise it to $500 if the victim fails to pay within a week. Of course, all of this can be changed to whatever the actor prefers, so these figures are merely indicative.

[Image: arislocker_bitcoin]
Source: Cyble blog

A hopeful part of Cyble’s report is that using “AES.MODE_ECB” wasn’t the wisest choice for the ArisLocker authors. It makes decryption easier for the operators, but it also gives researchers a foothold for building a free decryptor. In ECB mode, identical plaintext blocks are encrypted to identical ciphertext blocks, and that is a potential weakness. It may also mean that the Aris operators are honest about their promise to deliver the decryption key, and that the chances of errors during the decryption process are low. Of course, an update could change this, but all of it applies to the leaked source code as it stands.
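To make the ECB weakness concrete, here is an added example (written for this article, not code from Cyble’s report or from ArisLocker) in Go, chosen because its standard library ships AES: it encrypts the same constructed sample with AES in ECB and in CBC mode and counts repeated 16-byte ciphertext blocks, the fingerprint an analyst can look for in a recovered sample. The key, IV and sample bytes are constructed values; `prep`, `EncryptECB`, `EncryptCBC` and `DuplicateBlocks` are names chosen here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// prep validates the key and pads the plaintext (PKCS#7) to whole AES blocks.
func prep(key, plaintext []byte) (cipher.Block, []byte) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	return block, append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptECB mirrors AES.MODE_ECB: each block is encrypted independently.
func EncryptECB(key, plaintext []byte) []byte {
	block, padded := prep(key, plaintext)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return out
}

// EncryptCBC chains blocks through an IV, removing the repetition ECB leaks.
func EncryptCBC(key, iv, plaintext []byte) []byte {
	block, padded := prep(key, plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// DuplicateBlocks counts 16-byte ciphertext blocks identical to an earlier
// block; repeats in data that should look random are the ECB fingerprint.
func DuplicateBlocks(ct []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}
```

Running both encryptors over a file with repeated content shows a non-zero duplicate count for ECB and zero for CBC, which is the structural leak a decryptor author can build on.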

Actors will try to exploit this source code as soon as possible, before white-hat researchers get the chance to release decryptors, so we expect to see a spike in ArisLocker infections now. That said: take backups, keep your precious files offline, avoid opening email attachments or clicking buttons/links in emails, and don’t plug untrusted USB devices into your computer.
