Source Code of “ArisLocker” Ransomware Appears on the Dark Web

  • The ArisLocker ransomware source code is being distributed on the dark web.
  • The strain seems to have a weakness in its encryption system, so white-hat researchers could exploit it.
  • We expect to see a spike in the deployment of ArisLocker against victims in the upcoming weeks.

According to the latest reports that come from Cyble’s researchers, actors have posted the source code of the “ArisLocker” ransomware on the dark web. The malware analysts in the team grabbed the code and tried to figure out whatever they could. This is a ransomware strain for which there are no available decryptors yet, and locating its source code will surely bring developments in this field. For now, the things that Cyble’s team could figure out about ArisLocker are the following:

  1. ArisLocker begins by urging the victim to enter their login credentials on a fake screen.
  2. The malware scans “C:\Users\” and “#C:\Users\,” enumerating files suitable for encryption.
  3. A queuing system pushes all files in order for the encryption thread.
  4. The encryption takes place using a key that is stored in a remote address. The type of encryption is 256-bit AES.
  5. The encrypted files are saved on their original paths using the “.aris” file extension.
  6. A “readme.txt” is generated and placed on the desktop folder.
  7. The desktop background image is changed to warn the user about what happened.

Source: Cyble blog

The “default” ransom ArisLocker demands is set to $75, including a threat to go up to $500 if the victim fails to pay within a week. Of course, all may be changed to anything the actor would prefer to use, so these figures are merely indicative.

arislocker_bitcoin
Source: Cyble blog

A hopeful part of Cyble’s report is that the use of “AES.MODE_ECB” wasn’t the wisest choice for the ArisLocker ransomware. This makes the decryption easier, but it also creates a platform for creating a free decryptor. ECB uses identical plain text blocks that are encrypted to identical cipher text blocks, and there we have a potential weakness. It may also mean that Aris operators are honest about their promise to deliver the decryption key, and also that the chances of having errors during the decryption process are low. Of course, an update could change this, but all of it applies to the leaked source code.

Actors will try to exploit this source code as soon as possible before white-hat researchers get the chance to release decryptors, so we expect to see a spike in ArisLocker infections now. That said, take backups, keep your precious files offline, avoid opening email attachments or clicking on email buttons/links, and don’t trust plugging any USBs on your computer.

Latest
How to Watch I Have Nothing Online Free from Anywhere
I Have Nothing is a Crave Original docu-comedy series following Carolyn Taylor and her attempt to choreograph a full-length pairs figure skating...
How to Watch Michael McIntyre’s The Wheel Season 4 Online Free from Anywhere
The Bafta-winning Michael McIntyre has returned with another season of The Wheel. Viewers can expect big laughs, huge stars, and heart-pounding thrills...
How to Watch Blankety Blank Season 3 (2023) Online Free from Anywhere
Blankety Blank is back in 2023, with Bradley Walsh guiding a panel of celebrities and contestants over multiple rounds of the quiz...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari