AstraLocker terminates activities and releases Decryptor

Sicherheit (Pexels, allgemeine Nutzung)[German]Strange things are happening at the moment. The threat actor behind the lesser-known AstraLocker ransomware seems to want to stop its activities. The actor plans to switch to cryptojacking and has published an archive of AstraLocker decryption programs. I'll try to summarize the facts I know, although much is unclear, even though the actor has probably also contacted my English-language blog.


About AstraLocker

The threat actors under the name AstraLocker were actually unknown to me until now. Only yesterday I reported about such an actor in the blog post AstraLocker 2.0: Infection via Word attachment. Its malware had been discovered by security researchers from ReversingLabs. They came across this relatively unknown malware in phishing emails. In version 2.0, the attackers switched to reloading the malicious payload directly from a Word document included as an attachment to a mail. This was quite unusual because ransomware groups used to try to avoid detection for as long as possible.

Strange reference to Decryptor archive

An unusual comment hit my blog post AstraLocker 2.0: Infection via Word attachment yesterday. A visitor to the blog named AstraLocker shared a link to a Decryptor archive uploaded to Virustotal. 

Link on virustotal.

comIts all from me

I didn't quite understand the whole thing, especially since he wrote that Bleeping Computer should fix its registry via Tor. Colleague Lawrence Abrams, who runs Bleeping Computer, was also absent on yesterday's US Independence Day, so he couldn't answer my private inquiry on Twitter. The link on VirusTotal shows that an archive file AstraLocker was uploaded.

AstraLocker Decrytors on VirusTotal
AstraLocker Decrytors on VirusTotal

However, this archive is marked as malicious by 42 virus scanners. I was also unsure because the previous blog post AstraLocker 2.0: Infection via Word attachment said that people probably had limited skills for running a ransomware platform. So just off the top of my head, I rhymed that the comment could also be an attempt at "dumbing down". Just put the ransomware in a ZIP archive and upload it somewhere, hoping that people will fall for it. The ZIP archive in question can be downloaded in a certain version from this Swiss website. It was uploaded by the colleagues from Bleeping Computer. .


Bleeping Computer: AstraLocker shots down

Now, the threat actor behind AstraLocker has probably contacted Bleeping Computer and told them that it is ceasing its operations in the ransomware sector. They want to focus on cryptojacking, i.e. the theft of crypto assets from corresponding accounts. The colleagues quote the ransomware developer within their article AstraLocker ransomware shuts down and releases decryptors as:

It was fun, and fun things always end sometime. I'm closing the operation, decryptors are in zip files, clean. I will come back. I'm done with ransomware for now. I'm going in cryptojaking lol.

The actor's says, that the files with the decryptors are clean, even though they are marked as malicious on VirusTotal. BleepingComputer has downloaded the archive and confirmed that the decryptors are legitimate and work. They have tested a decryptor on files encrypted in a recent AstraLocker campaign. However, there are probably a number of decryptors, some of which may have been intended for previous campaigns. The colleagues have published some more details in the article and guess that the sudden attention from media might have been too hot for the actor.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

One Response to AstraLocker terminates activities and releases Decryptor

  1. AstraLocker says:

    Not really because of the law enforcement agencies, I did everything with high level of anonymity, the drives were encrypted. Also, im too young to go to jail, so they cant do much to me :)
    One of the reasons I shared the decryptors was because it was claimed that I couldn't decrypt encrypted files which wasn't true (that's funny, use an old exploit and you'll be popular :))
    The only thing I lost from all this fame was access to my tutanota mail which got terminated lol
    I am currently working on version 3.0, but I think it will be under a different name
    As I said before, fame isnt my goal. I just want money.

Leave a Reply

Your email address will not be published. Required fields are marked *