According to the threat actor behind the less well-known AstraLocker ransomware, they are ceasing operations and intend to transition to cryptojacking.
(Photo : Pau Barrena/Getty Images)
The Conti ransomware appears to be fading from public view. Is it really over or is it just a fa?ade?
What Does AstraLocker Ransomware Do?
Bleepingcomputer, citing threat intelligence firm ReversingLabs, reported that Compared to other ransomware strains, AstraLocker used a rather unconventional way to encrypt the devices of its victims. This is because, instead of first compromising the device, the AstraLocker operator would simply send the infected Microsoft Word documents as email attachments, releasing the payloads undetected.
Documents that conceal an OLE object with the ransomware payload that will be released if the target clicks Run in the warning dialog displayed upon opening the document are the lures used in AstroLocker attacks.
The ransomware will first determine whether it is executing in a virtual system, halt processes, and stop backup and antivirus services that would obstruct the encryption process before encrypting files on the now-compromised device.
Change of Plans for AstraLocker Ransomware
As previously mentioned, the ransomware’s developer said that they will be switching to cyptojacking.
“It was fun, and fun things always end sometime. I’m closing the operation, decryptors are in zip files, clean. I will come back,” AstraLocker’s developer said to BleepingComputer.
The developer did not give an explanation for why AstraLocker was shut down, but it was probably owing to the sudden attention the operation received as a result of recent reports, which put it in the sights of law enforcement.
BleepingComputer downloaded the ZIP archive with AstraLocker decryptors that it submitted to the VirusTotal malware analysis platform. After testing one of the decryptors against files encrypted in a recent AstroLocker attack, BleepingComputer concluded that they are authentic and functional. It is important to keep in mind that only one decryptor was tested by BleepingComputer, and additional decryptors in the archive are probably made to decrypt files encrypted by earlier operations.
Decryptor for AstraLocker Ransomware
Emsisoft, a software provider well renowned for aiding ransomware victims with data decryption, is currently developing a universal decryptor for AstraLocker ransomware, which will be made available in the future.
Other ransomware companies have given BleepingComputer and security researchers decryption keys and decryptors as a show of goodwill when closing down or releasing new versions. However, this does not happen frequently.
Background of AstraLocker Ransomware
According to ReversingLabs’ investigation, Babuk Locker (Babyk), a flawed but still harmful strain of ransomware that left the market in September 2021, served as the foundation for AstraLocker’s code.
A separate Bleepingcomputer report said Babuk Locker is a ransomware operation that first targeted businesses at the beginning of 2021 in order to steal and encrypt their data in double-extortion attacks. After targeting the Metropolitan Police Department (MPD) of Washington DC, and coming under pressure from American law enforcement, the ransomware gang claimed to have stopped operating.
Interestingly, on a well-known Russian-language hacking site, a member of the Babuk organization, who claimed to have terminal cancer, leaked the entire source code for their ransomware.
Related Article: Sanctioning Ransomware Groups: Why Is It Difficult To Do?