AstraLocker 2.0 – Smash and Grab attacks

In 2021, security researchers from ReversingLabs tracked a relatively unknown malware family that was later named AstraLocker. The latest version, AstraLocker 2.0, was first observed in March 2022. Rather than the “low and slow” approach common among sophisticated ransomware groups (gain access, move laterally, exfiltrate data, and only then encrypt), this ransomware is unusual in that it starts encrypting immediately after a user opens the malicious file.

Version 2.0 was distributed directly from Microsoft Office documents used as bait in phishing attacks. The underlying code for AstraLocker 2.0 was most likely derived from the 2021 leak of the Babuk ransomware source code: shared code and marketing markings tie the two campaigns together. A Monero wallet address offered for ransom payment has also been connected to the Chaos ransomware gang.

Encrypted files receive a “.AstraLocker” extension appended to the original file name; for example, a Word document named “sample.docx” becomes “sample.docx.AstraLocker”. Every folder containing encrypted files also receives a ransom note, Recover_Your_Files.html, which explains how to contact the attackers and may include instructions on purchasing the decryption tool from them.
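The two file-system indicators described above (the appended “.AstraLocker” extension and the Recover_Your_Files.html note in each affected folder) are enough to scope an incident quickly. The following script is an added example, not code from the original article or from any vendor tool: it walks a directory tree, lists encrypted files, recovers their original names by stripping the appended extension, tallies which file types were hit, and flags folders that hold encrypted files but no ransom note (worth a second look, since that may indicate an interrupted run or a deleted note). The sample directory it builds is constructed data, not a real infection, and nothing is decrypted.

```python
"""Triage helper for the AstraLocker 2.0 file-system indicators.

Added example, not part of the original article or of any vendor tool. It
scopes an incident (which folders are hit, how many files, which types) using
only the indicators the article describes. Nothing here decrypts anything.
"""
from __future__ import annotations

import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_SUFFIX = ".AstraLocker"           # appended to every encrypted file
RANSOM_NOTE = "Recover_Your_Files.html"     # dropped in every affected folder


@dataclass
class TriageReport:
    encrypted_files: list[Path] = field(default_factory=list)
    folders_with_note: set[Path] = field(default_factory=set)
    # Folders holding encrypted files but no ransom note: partial run,
    # note deleted, or a different strain reusing the same suffix.
    folders_missing_note: set[Path] = field(default_factory=set)
    original_types: Counter = field(default_factory=Counter)


def original_name(encrypted: os.PathLike | str) -> Path:
    """Strip the appended extension: sample.docx.AstraLocker -> sample.docx."""
    p = Path(encrypted)
    if p.name.endswith(ENCRYPTED_SUFFIX):
        return p.with_name(p.name[: -len(ENCRYPTED_SUFFIX)])
    return p


def triage(root: os.PathLike | str) -> TriageReport:
    """Walk `root` and collect the indicators into a TriageReport."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        hit = [folder / f for f in files if f.endswith(ENCRYPTED_SUFFIX)]
        if not hit:
            continue
        report.encrypted_files.extend(hit)
        for f in hit:
            # Type of the file *before* encryption, e.g. ".docx"
            report.original_types[original_name(f).suffix.lower() or "<none>"] += 1
        if RANSOM_NOTE in files:
            report.folders_with_note.add(folder)
        else:
            report.folders_missing_note.add(folder)
    return report


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data (not a real infection), laid out as the article describes."""
    docs = base / "Documents"
    docs.mkdir(parents=True)
    (docs / "sample.docx.AstraLocker").write_bytes(b"\x00" * 64)
    (docs / "budget.xlsx.AstraLocker").write_bytes(b"\x00" * 64)
    (docs / RANSOM_NOTE).write_text("<html>constructed ransom note</html>")
    pics = base / "Pictures"
    pics.mkdir()
    (pics / "holiday.jpg.AstraLocker").write_bytes(b"\x00" * 64)  # no note here
    clean = base / "Untouched"
    clean.mkdir()
    (clean / "readme.txt").write_text("not encrypted")
    return base


def demo() -> TriageReport:
    """Run triage over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    r = demo()
    affected = len(r.folders_with_note) + len(r.folders_missing_note)
    print(f"{len(r.encrypted_files)} encrypted files in {affected} folders")
    print("folders with ransom note   :", sorted(p.name for p in r.folders_with_note))
    print("folders missing ransom note:", sorted(p.name for p in r.folders_missing_note))
    print("original file types        :", dict(r.original_types))
```

Point `triage()` at a mounted share or a forensic image rather than the constructed tree to get a real count; the per-type tally is a quick way to see whether the run reached user documents or stopped at a handful of folders.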

[Image: how encrypted “.AstraLocker” files look in a directory listing. Source: How to fix guide]

Three common infection vectors have been observed for AstraLocker: spam emails, Trojan droppers, and peer-to-peer networks.

Emails from unknown senders sometimes escape your spam filter, and no matter how legitimate a message looks, opening attachments from unverified senders is never recommended. Beyond email, attackers may use Trojan horses, malware disguised as legitimate software, to get onto your machine. With peer-to-peer sources such as torrent trackers you cannot know what you are actually downloading until the download completes, so use only trustworthy sources and, once the download finishes, run an antivirus scan on the folder holding the downloaded files before opening anything.

Steps to Remove AstraLocker virus

It is always better to stay proactive than to be reactive.

One of the best options is to maintain OS restore points and keep copies of important or sensitive files in the cloud or on external storage, ideally storage that is not permanently connected, since ransomware encrypts attached drives too. Even then you may lose the file you were working on at the time of the attack. Keep an antivirus program installed, run scans regularly, and always run a full scan after performing an OS rollback.

Also, read the ransom notes dropped alongside the encrypted files carefully: there have been cases where attackers accidentally included the decryption key in them. This is rare, however, and should never be counted on.

Important to note: along with encrypting your files, AstraLocker may also install the AZORult information stealer on your computer to harvest your login credentials for other accounts, for example from the auto-fill data saved in your browser. After cleaning an infected machine, treat any credentials stored on it as compromised and change them.

Myth buster: AstraLocker 2.0 is not all-powerful, and neither is any similar malware.

Announcement: a free decryptor has been released for AstraLocker and Yashma ransomware.