HOMETHREATSarcrypter
APT / THREAT GROUP💰 FINANCIAL

arcrypter

1
aliases

Intelligence Profile

ArcRypt (also known as ARCrypter or ChileLocker) was first identified in August 2022, originally targeting government entities in Latin America and subsequently expanding globally. The group employs a single-extortion model—there is no evidence of a data-leak threat or RaaS ecosystem. The malware encrypts files using extensions such as .crypt, .crYpt, and .crYptA3, and uniquely drops the ransom note before commencing encryption. It has variants for both Windows and Linux, including a Go-based Linux version. Communication with victims occurs via Tor-based portals, evolving over time from a single shared site to individualized mirror sites for each victim. In some cases, threat actors have instructed victims to contact them using Tox, creating a Tox profile for communication. Targets have included Chile’s government infrastructure, Colombia’s Invima agency, and organizations in China and Canada.

Threat Analysis

arcrypter is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of financial.

Financially motivated threat actors like arcrypter prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

External References

Quick Facts

TypeAPT / Threat Group
Motivation💰 financial
Aliases1

Also Known As

arcrypter

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
arcrypter — APT / Threat Group | Threat Intelligence | CTIWATCH.COM