Source Code of “ArisLocker” Ransomware Appears on the Dark Web

  • The ArisLocker ransomware source code is being distributed on the dark web.
  • The strain seems to have a weakness in its encryption system, so white-hat researchers could exploit it.
  • We expect to see a spike in the deployment of ArisLocker against victims in the upcoming weeks.

According to the latest reports that come from Cyble’s researchers, actors have posted the source code of the “ArisLocker” ransomware on the dark web. The malware analysts in the team grabbed the code and tried to figure out whatever they could. This is a ransomware strain for which there are no available decryptors yet, and locating its source code will surely bring developments in this field. For now, the things that Cyble’s team could figure out about ArisLocker are the following:

  1. ArisLocker begins by urging the victim to enter their login credentials on a fake screen.
  2. The malware scans “C:\Users\” and “#C:\Users\,” enumerating files suitable for encryption.
  3. A queuing system pushes all files in order for the encryption thread.
  4. The encryption takes place using a key that is stored in a remote address. The type of encryption is 256-bit AES.
  5. The encrypted files are saved on their original paths using the “.aris” file extension.
  6. A “readme.txt” is generated and placed on the desktop folder.
  7. The desktop background image is changed to warn the user about what happened.

Source: Cyble blog

The “default” ransom ArisLocker demands is set to $75, including a threat to go up to $500 if the victim fails to pay within a week. Of course, all may be changed to anything the actor would prefer to use, so these figures are merely indicative.

Source: Cyble blog

A hopeful part of Cyble’s report is that the use of “AES.MODE_ECB” wasn’t the wisest choice for the ArisLocker ransomware. This makes the decryption easier, but it also creates a platform for creating a free decryptor. ECB uses identical plain text blocks that are encrypted to identical cipher text blocks, and there we have a potential weakness. It may also mean that Aris operators are honest about their promise to deliver the decryption key, and also that the chances of having errors during the decryption process are low. Of course, an update could change this, but all of it applies to the leaked source code.

Actors will try to exploit this source code as soon as possible before white-hat researchers get the chance to release decryptors, so we expect to see a spike in ArisLocker infections now. That said, take backups, keep your precious files offline, avoid opening email attachments or clicking on email buttons/links, and don’t trust plugging any USBs on your computer.

How to Watch Plan B Online: Stream Patrick J. Adam’s Time Travel Series from Anywhere
Who could forget Patrick J. Adam's masterful portrayal of the dropout college student who turned into a lawyer Mike Ross in the...
How to Watch The Voice Season 23 Online from Anywhere
Fans of the musical competition series that has won four Emmy Awards will be happy to know that a new season is...
How to Watch Wild Isles Online for Free: Stream the 2023 David Attenborough Series from Anywhere
Wild Isles is a British series focused on nature, and we have the premiere date, plot, episode release schedule, and other details....
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari