From the Labs: YARA Rule for Detecting Acepy

ReversingLabs threat analysts are constantly working to respond to new threats and provide our customers with information and tools to defend their systems from attacks. Written by our threat analysts, our high-quality, open source YARA rules help threat hunters, incident responders, security analysts, and other defenders detect malicious behavior in their environment.

In this series, we break down some of the threats behind our YARA detection rules and help your organization to detect them within your environment.

Acepy: A Malicious Ransomware Program

Acepy ransomware, discovered by the researcher known as Petrovic (@petrovic082) in March of 2022, is similar to other, common ransomware families. It infects a system, encrypts the personal documents and data found on the victim’s computer. Subsequently, the victim is shown a brief message with instructions on contacting the ransomware operator via a provided email address and to pay a certain amount in Bitcoin in order to receive the decryption key to regain access to the lost files.

Despite being identified in the wild in early 2022, little is known about the group responsible for Acepy. The prevalence of the malware has also been low; it has not been linked to attacks on prominent companies, government organizations or owners and operators of critical infrastructure. To date, even fundamental questions are unanswered, such as the name of the group or individual that created Acepy, what country it was created in, and what the threat actor’s motives are for pushing out this ransomware. This lack of a clear provenance and backstory distinguishes Acepy from other well-known ransomware types, such as Conti or LockBit.

Attacker Techniques

Acepy spreads in a manner that is similar to other ransomware families. The threat actors spreading the malware most often gain access to a victim’s computer using phishing and other social engineering attacks. Victims download and install the file after clicking a link in an email or social media message, or falling for a scam on the Internet. There have been instances of Acepy being distributed following the exploitation by attackers of vulnerabilities found in computer programs or operating systems in victim environments.

Once installed, the Acepy ransomware encrypts files including documents, photos and music. Encrypted files are marked with the “.acepy” file extension.

Recovery and Decryption

Based on analysis of Acepy by security firms, there is no current way to decrypt these files once they have been encrypted by Acepy ransomware without access to the threat actor’s decryption tool. However, there are known incidents of victims not receiving the Acepy decryption tool after having paid the ransom. Therefore, it is widely advised that victims do not pay ransom to any cybercriminal, because it is not guaranteed that a threat actor will decrypt the files once they’ve obtained their payment.

Detecting Acepy

Since there is no way to decrypt files impacted by the Acepy ransomware, it is crucial to hunt for- and detect this threat in your environment before it has gained access to target files and deployed..

ReversingLabs’ Acepy YARA rule can detect Acepy ransomware within your environment with high fidelity and almost no false-positives. You can download the Acepy YARA Rule here:

Win32.Ransomware.Acepy.yara

To learn more about the prerequisites for using ReversingLabs’ YARA rules, consult our Github page.

The Work Doesn’t Stop Here

ReversingLabs’ team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. Contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware or to schedule a demonstration.