AstraLocker ransomware operators release decryptors.
The threat actor behind the AstraLocker ransomware announced that they are shutting down its operation and have planned to switch to cryptojacking. The ransomware’s developer submitted a ZIP archive with AstraLocker decryptors to the VirusTotal malware analysis platform.
The decryptors were found to be legitimate and working after one of them was tested against files encrypted in a recent AstraLocker campaign.
However, only that one decryptor was tested, and it successfully decrypted files locked in a single campaign; the other decryptors in the archive are likely designed to decrypt files encrypted in previous campaigns.
The developer did not reveal the reason behind the AstraLocker shutdown, but it is likely due to the sudden publicity brought by recent reports that would land the operation in law enforcement’s crosshairs.
Emsisoft, a software company that helps ransomware victims with data decryption, is working on a universal decryptor for AstraLocker ransomware, which could be released in the future.
According to threat intelligence firm ReversingLabs, AstraLocker used an unorthodox method of encrypting its victims’ devices compared to other ransomware strains.
Instead of first compromising the device (either by hacking it or buying access from other threat actors), AstraLocker’s operator would directly deploy the payloads from email attachments using malicious Microsoft Word documents.
The lures used in AstraLocker attacks are Word documents hiding an OLE object that contains the ransomware payload; the payload is deployed after the target clicks Run in the warning dialog displayed when the document is opened.
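Because the delivery relies on an OLE object embedded in a Word document, a defender can triage attachments by looking for the three places an embedded object shows up inside a .docx package: a part under word/embeddings/, an oleObject relationship in document.xml.rels, and an o:OLEObject element in the document body. The scanner below is an added example written for this article, not code from the page or from ReversingLabs; the minimal .docx it builds in memory is constructed for the demonstration and is not an AstraLocker sample.

```python
import io
import re
import zipfile
from typing import List

# Relationship type Word uses for an embedded OLE object part inside a .docx package.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_embedded_objects(docx_bytes: bytes) -> List[str]:
    """Return one finding per embedded-OLE indicator found in a .docx.

    Three independent signals are checked so that renaming or stripping one of them
    does not hide the object: parts under word/embeddings/, oleObject relationships,
    and <o:OLEObject> elements in the document body.
    """
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("word/embeddings/"):
                findings.append(f"embedded part: {name}")
        rels_name = "word/_rels/document.xml.rels"
        if rels_name in names:
            rels = zf.read(rels_name).decode("utf-8", errors="replace")
            for m in re.finditer(r"<Relationship\b[^>]*>", rels):
                if OLE_REL_TYPE in m.group(0):
                    target = re.search(r'Target="([^"]*)"', m.group(0))
                    findings.append(f"oleObject relationship -> {target.group(1) if target else '?'}")
        if "word/document.xml" in names:
            doc = zf.read("word/document.xml").decode("utf-8", errors="replace")
            for m in re.finditer(r"<o:OLEObject\b[^>]*>", doc):
                progid = re.search(r'ProgID="([^"]*)"', m.group(0))
                findings.append(f"OLEObject element, ProgID={progid.group(1) if progid else '?'}")
    return findings


def is_suspicious(docx_bytes: bytes) -> bool:
    """True when the document carries any embedded OLE object (worth a closer look)."""
    return bool(find_embedded_objects(docx_bytes))


def build_sample_docx(with_ole: bool) -> bytes:
    """Constructed minimal .docx used only to exercise the scanner (not a real malware sample)."""
    rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    body = "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
    if with_ole:
        rels.append(f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>')
        body += '<w:object><o:OLEObject Type="Embed" ProgID="Package" r:id="rId5"/></w:object>'
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document><w:body>{body}</w:body></w:document>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
        if with_ole:
            # Compound-file magic plus padding stands in for the real object stream.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign", False), ("with embedded object", True)):
        print(label, find_embedded_objects(build_sample_docx(flag)))
```

The scanner only covers the OOXML (.docx) container; a legacy binary .doc is itself an OLE compound file and would need an OLE parser such as olefile. An embedded object is not proof of malice, so the output is meant to route an attachment for sandboxing or analyst review rather than to block it outright.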
Before encrypting files on the now-compromised device, the ransomware checks whether it is running in a virtual machine, then kills processes and stops backup and antivirus (AV) services that would hinder the encryption process.
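The pre-encryption step of stopping backup and AV services is a useful detection point, because those service stops tend to arrive in a short burst from one host just before encryption starts. The rule set below is an added example written for this article, not code from the page or from any vendor: it runs over constructed process-creation events, flags stop or kill commands aimed at a generic backup/AV keyword watchlist (the keywords are assumptions, not AstraLocker's actual target list), and separately flags a burst of such commands on one host within a time window.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Generic watchlist (assumption for the example): substrings that suggest a backup or AV component.
PROTECTED_KEYWORDS = ("backup", "vss", "shadow", "defender", "antivirus")

# Service-stop verbs: `net stop X`, `sc stop X`, `Stop-Service X`; the target may be quoted.
STOP_CMD = re.compile(
    r'\b(?:net1?\s+stop|sc(?:\.exe)?\s+stop|stop-service(?:\s+-name)?)\s+"?([^"/]+?)"?\s*(?:/y|$)',
    re.IGNORECASE,
)
# Process kills via taskkill, e.g. `taskkill /F /IM agent.exe`.
KILL_CMD = re.compile(r"\btaskkill\b.*?/im\s+\"?([^\"\s]+)", re.IGNORECASE)

# Constructed process-creation events: (timestamp_seconds, host, parent_image, command_line).
SAMPLE_EVENTS: List[Tuple[int, str, str, str]] = [
    (100, "ws01", "cmd.exe", 'net stop "Acme Backup Service" /y'),
    (101, "ws01", "cmd.exe", "sc stop VSS"),
    (102, "ws01", "cmd.exe", 'net stop "Acme Endpoint Antivirus" /y'),
    (103, "ws01", "cmd.exe", "taskkill /F /IM acmebackup.exe"),
    (500, "ws02", "services.exe", "sc stop Spooler"),
    (600, "ws03", "explorer.exe", "notepad.exe report.txt"),
]


def extract_targets(cmdline: str) -> List[Tuple[str, str]]:
    """Return (kind, target) pairs for every service stop or process kill in a command line."""
    targets = [("service", m.group(1).strip()) for m in STOP_CMD.finditer(cmdline)]
    targets += [("process", m.group(1)) for m in KILL_CMD.finditer(cmdline)]
    return targets


def detect_events(events, window: int = 60, burst_threshold: int = 3) -> List[Dict[str, str]]:
    """Apply two rules: protected-target stop/kill, and a burst of stop/kill commands per host."""
    alerts: List[Dict[str, str]] = []
    per_host: Dict[str, List[int]] = defaultdict(list)
    for ts, host, parent, cmdline in events:
        for kind, target in extract_targets(cmdline):
            per_host[host].append(ts)
            if any(k in target.lower() for k in PROTECTED_KEYWORDS):
                alerts.append({"rule": "protected_target", "host": host, "parent": parent,
                               "detail": f"{kind} '{target}' stopped at t={ts}"})
    # Burst rule: burst_threshold or more stop/kill commands on one host inside `window` seconds.
    for host, stamps in per_host.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= window)
            if count >= burst_threshold:
                alerts.append({"rule": "stop_burst", "host": host, "parent": "",
                               "detail": f"{count} stop/kill commands within {window}s from t={start}"})
                break
    return alerts


def run_sample() -> List[Dict[str, str]]:
    """Run both rules over the constructed events."""
    return detect_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["rule"], alert["host"], alert["detail"])
```

In this sample the ws01 events trip the keyword rule four times and the burst rule once, while the lone Spooler stop on ws02 and the notepad launch on ws03 stay quiet; in production the burst threshold and window are tuned against a baseline of legitimate maintenance activity, and the parent image is kept in the alert so an Office process spawning the commands stands out.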
AstraLocker is believed to be based on the leaked Babuk Locker ransomware source code.