SOCRadar® Cyber Intelligence Inc. | AstraLocker Shut Down Their Operations and Released Decryptor
Home

Resources

Blog
Jul 06, 2022
4 Mins Read

AstraLocker Shut Down Their Operations and Released Decryptor

A ransomware gang AstraLocker, recently announced they are shutting down their operations and shared decryptors related to all the campaigns in the past. According to news from BleepingComputer, developer of the ransomware announces s/he done with ransomware and wants to do cryptojacking instead.

While stopping all operations by issuing decryptor keys is unusual, it is not the first time in ransomware history. Ransomware gangs like Ragnarok, TeslaCrypt, Ziggy, and Avaddon have previously preferred this method. This fantastic retirement method and announcement made them famous in the dark web forums. 

Who is AstraLocker?

AstraLocker was first seen in the early 2021s. In a short period, multiple campaigns from the group were launched with updated versions of the ransomware. Contrary to other ransomware groups, AstraLocker preferred to send its malicious code embedded in MS Word files via phishing attacks.

Considering its unique attack methods, AstraLocker could easily reach multiple individuals. On the other hand, this attack method is considered less efficient since it requires the user to click on the object and verify the operation. Furthermore, attacking individuals instead of organizations led AstraLocker to demand fewer ransom fees from the victims.

What Happened?

On June 28th, an elaborative analysis of AstraLocker was published by ReversingLabs. The study includes critical information like

  • The source code of later versions of AstraLocker contains the leaked source code of another ransomware Babuk. Babuk is a more sophisticated ransomware that was active from 2021 until September. Choosing high-profile targets made Babuk a target during its operation. After the Washington DC Metropolitan Police Department (MPD) attack, group members split up, and some members shared the source codes on a Russian hacker forum.
  • One of the crypto wallets’ addresses for money payments is linked to another group, Chaos ransomware.

Before the ReversingLabs, many other AstraLocker analyses were done by other organizations for a while. So, AstraLocker ransomware’s attack methods and features were already known at this point. It is believed that group members cease operation to prevent negative cases such as takedowns or in-group conflicts like Babuk.

On July 4th Bleeping Computer published an article about AstraLocker being decided to halt its ransomware operations and wanting to continue with cryptojacking. The developer of AstraLocker also uploaded a zip file including decryptors of some versions of AstraLocker ransomware. 

The article mentions developer of AstraLocker stated they had fun during the process and now closing the operation. The developer ends the sentence with “I will come back.”

What Could Be the Next Move?

As a ransomware group, AstraLocker has reached many devices during its operation. Although, they announced to stop the ransomware operations. The victim devices may be used for cryptojacking since they have already been vulnerable. Also, it is expected to encounter more low-skill phishing attacks since they were the primary method of attack to gain access to the target devices for AstraLocker developers.

Long story short, AstraLocker was a ransomware group that operated from the early 2021s until today. They targeted individuals via phishing attacks and drew attention with their success. After an overwhelming number of analyses, the ransomware was compromised, and members became vulnerable to law enforcement. 

In July, they decided to halt ransomware operations and upload decryptors to VirusTotal. The developers also mentioned they switched to cryptojacking instead and will be back.

Considering the Babuk ransomware group that re-surfaced as Babuk V2 after the MPD incident, a ransomware gang can split up and re-operate after a while. So, it is up to time to understand whether AstraLock completely giveaway ransomware operations or if they just wanted to avoid further attention.