[German]Strange things are happening at the moment. The threat actor behind the lesser-known AstraLocker ransomware seems to want to stop its activities. The actor plans to switch to cryptojacking and has published an archive of AstraLocker decryption programs. I'll try to summarize the facts I know, although much is unclear, even though the actor has probably also contacted my English-language blog.
The threat actors under the name AstraLocker were actually unknown to me until now. Only yesterday I reported about such an actor in the blog post AstraLocker 2.0: Infection via Word attachment. Its malware had been discovered by security researchers from ReversingLabs. They came across this relatively unknown malware in phishing emails. In version 2.0, the attackers switched to reloading the malicious payload directly from a Word document included as an attachment to a mail. This was quite unusual because ransomware groups used to try to avoid detection for as long as possible.
Strange reference to Decryptor archive
Link on virustotal.
comIts all from me
I didn't quite understand the whole thing, especially since he wrote that Bleeping Computer should fix its registry via Tor. Colleague Lawrence Abrams, who runs Bleeping Computer, was also absent on yesterday's US Independence Day, so he couldn't answer my private inquiry on Twitter. The link on VirusTotal shows that an archive file AstraLocker Decryptors.zip was uploaded.
AstraLocker Decrytors on VirusTotal
However, this archive is marked as malicious by 42 virus scanners. I was also unsure because the previous blog post AstraLocker 2.0: Infection via Word attachment said that people probably had limited skills for running a ransomware platform. So just off the top of my head, I rhymed that the comment could also be an attempt at "dumbing down". Just put the ransomware in a ZIP archive and upload it somewhere, hoping that people will fall for it. The ZIP archive in question can be downloaded in a certain version from this Swiss website. It was uploaded by the colleagues from Bleeping Computer. .
Bleeping Computer: AstraLocker shots down
Now, the threat actor behind AstraLocker has probably contacted Bleeping Computer and told them that it is ceasing its operations in the ransomware sector. They want to focus on cryptojacking, i.e. the theft of crypto assets from corresponding accounts. The colleagues quote the ransomware developer within their article AstraLocker ransomware shuts down and releases decryptors as:
It was fun, and fun things always end sometime. I'm closing the operation, decryptors are in zip files, clean. I will come back. I'm done with ransomware for now. I'm going in cryptojaking lol.
The actor's says, that the files with the decryptors are clean, even though they are marked as malicious on VirusTotal. BleepingComputer has downloaded the archive and confirmed that the decryptors are legitimate and work. They have tested a decryptor on files encrypted in a recent AstraLocker campaign. However, there are probably a number of decryptors, some of which may have been intended for previous campaigns. The colleagues have published some more details in the article and guess that the sudden attention from media might have been too hot for the actor.
Cookies helps to fund this blog: Cookie settings