AstraLocker ransomware shuts down and releases decryptors

Gandalf_The_Grey

Level 64
Thread author
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 24, 2016
5,354
The threat actor behind the lesser-known AstraLocker ransomware told BleepingComputer they're shutting down the operation and plan to switch to cryptojacking.

The ransomware's developer submitted a ZIP archive with AstraLocker decryptors to the VirusTotal malware analysis platform.

BleepingComputer downloaded the archive and confirmed that the decryptors are legitimate and working after testing one of them against files encrypted in a recent AstroLocker campaign.

While we only tested one decryptor that successfully decrypted files locked in one campaign, other decryptors in the archive are likely designed to decrypt files encrypted in previous campaigns.

"It was fun, and fun things always end sometime. I'm closing the operation, decryptors are in zip files, clean. I will come back," AstraLocker's developer said. "I'm done with ransomware for now. I'm going in cryptojaking lol."

While the developer did not reveal the reason behind the AstraLocker shutdown, it’s likely due to the sudden publicity brought by recent reports that would land the operation in law enforcement’s crosshairs.

A universal decryptor for AstraLocker ransomware is currently in the works, to be released in the future by Emsisoft, a software company known for helping ransomware victims with data decryption.

While it doesn't happen as often as we'd like, other ransomware groups have released decryption keys and decryptors to BleepingComputer and security researchers as a gesture of goodwill when shutting down or releasing new versions.

The list of decryption tools released in the past includes Avaddon, Ragnarok, SynAck, TeslaCrypt, Crysis, AES-NI, Shade, FilesLocker, Ziggy, and FonixLocker.
 

Gandalf_The_Grey

Level 64
Thread author
Verified
Honorary Member
Top poster
Content Creator
Well-known
Apr 24, 2016
5,354
Free decryptor released for AstraLocker, Yashma ransomware victims
New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom.

The free tool is available for download from Emsisoft's servers, and it allows you to recover encrypted files using easy-to-follow instructions available in this usage guide [PDF].

"Be sure to quarantine the malware from your system first, or it may repeatedly lock your system or encrypt files," Emsisoft warned.

"By default, the decryptor will pre-populate the locations to decrypt with the currently connected drives and network drives. Additional locations can be added using the 'Add' button."

The ransomware decryptor will allow you to keep the files encrypted in the attack as a failsafe if the decrypted files are not identical to the original documents.

"The AstraLocker decryptor is for the Babuk-based one using .Astra or .babyk extension, and they released a total of 8 keys," Emsisoft added.

"The Yashma decryptor is for the Chaos-based one using .AstraLocker or a random .[a-z0-9]{4} extension, and they released a total of 3 keys."

Emsisoft also advised AstraLocker and Yashma victims whose systems were compromised via Windows Remote Desktop to change the passwords for all user accounts that have permissions to log in remotely and to look for other local accounts the ransomware operators might have added.
 
Top