The developer of the AstraLocker ransomware code is reportedly ceasing operations and turning attention to the far simpler art and crime of cryptojacking.
AstraLocker seems to be an offshoot of the Babuk Locker ransomware-as-a-service gang, whose source code was leaked last year. Both were identified in 2021. The developer of AstraLocker posted a ZIP archive containing decryptors for the AstraLocker ransomware via VirusTotal, which Bleeping Computer said are legitimate.
The decision to shut down, and release an antidote of sorts, comes after ReversingLabs last week detailed the latest version of the ransomware – AstraLocker 2.0 – that had some interesting quirks and amid reports that Emsisoft is working on a universal decryptor for the Windows malware.
At the same time, governments around the world, including the United States, have ramped up efforts to shutter some ransomware operations and make arrests as ransomware campaigns continue to grow in number and visibility.
As more attention is paid to AstraLocker, the operators of the file-scrambling nasty may have grown concerned that they would soon come under official scrutiny, fueling their decision to shut down operations. It’s said that the maker of the software is switching to cryptojacking, in which compromised devices are quietly instructed to mine cryptocurrency for the miscreants as opposed to encrypting documents and demanding a ransom.
According to ReversingLabs’ write-up, the AstraLocker 2.0 ransomware is distributed directly from Microsoft Office files that victims are tricked into opening.
Joseph Edwards, senior malware researcher at ReversingLabs, wrote that the “smash and grab attack methodology as well as other features suggest the attacker behind this malware is low-skill and looking to cause disruption, compared with the more patient, methodical, and measured approach to compromises used by Babuk and other, more sophisticated ransomware outfits.”
The approach used with AstraLocker 2.0 “underscores the risk posed to organizations following code leaks like that affecting Babuk, as a large population of low-skill, high-motivation actors leverage the leaked code for use in their own attacks,” Edwards added.
The Babuk source code was leaked in September 2021 and ReversingLabs said shared code and campaign markers link AstraLocker and Babuk. In addition, the researcher wrote that a Monero cryptocurrency wallet address listed by AstraLocker for ransom payments is tied to the Chaos ransomware gang.
Babuk emerged in early 2021 and was linked to a number of high-profile infections, including one in April 2021 that hit the Metropolitan Police Department in Washington DC. The AstraLocker ransomware appeared at about the same time that Babuk's code was leaked. AstraLocker 2.0 was detected in March this year. According to ReversingLabs' Edwards, the latest version was unusual in that the attackers pushed ransomware to victims immediately after they opened a malicious file attachment that was the bait in the campaign.
“Typically, affiliate threat actors avoid pushing ransomware early, opting instead to push files that allow them to expand their reach within the target environment,” he wrote. “Ransomware almost invariably is deployed last, after compromising the victim’s Domain Controller(s), which enables the cybercriminals to use the domain controller (for example: Active Directory) to deploy a group policy object and encrypt all hosts in the affected domains.”
However, it takes a few clicks for victims who open the malicious attachment to execute the malware because the payload is stored in an OLE (object linking and embedding) object. The user must double click on the icon in the document and consent to running an embedded executable named “WordDocumentDOC.exe.”
“Requiring so much user interaction increases the chances that victims will think twice about what they’re doing,” Edwards wrote. “That’s one reason OLE objects see less use in malware delivery, as opposed to the more popular VBA macro infection method, which only requires the user to enable macros in order to execute.”
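The delivery mechanism described above leaves a footprint that is easy to check for: in an OOXML document the embedded OLE object is stored as a separate binary part under the document's embeddings folder, and a "Package"-type object (the kind you get by dropping an arbitrary file such as an .exe into a document) keeps its payload in a stream named Ole10Native. The following is an added example, not code from the original article or from ReversingLabs, of a triage script that unpacks a document and flags any embedding that carries a PE image or an Ole10Native stream. The sample document it builds (`build_sample_docx`) is constructed for the demonstration and is not a real AstraLocker lure; its embeddings are stand-ins, not genuine CFB containers.

```python
"""Triage Office (OOXML) documents for embedded executables inside OLE objects.

Added example; not the article's or ReversingLabs' code. It demonstrates the
OLE-object delivery path described above by scanning the document's embeddings
for a carved PE image or an Ole10Native ("Package") stream.
"""
import io
import struct
import zipfile

# CFB directory entries store stream names as UTF-16LE, so this is how the
# payload stream of a Package-type OLE object appears inside the blob.
OLE10NATIVE_UTF16 = "Ole10Native".encode("utf-16-le")


def find_pe_offsets(blob: bytes) -> list[int]:
    """Carve for PE images: an 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        # e_lfanew (offset of the PE signature) sits at 0x3c of the DOS header.
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            sig_off = pos + e_lfanew
            if e_lfanew >= 0x40 and blob[sig_off:sig_off + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def scan_office_document(data: bytes) -> list[dict]:
    """Return one finding per suspicious embedding in a .docx/.xlsx/.pptx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # word/embeddings/, xl/embeddings/ and ppt/embeddings/ all qualify.
            if "/embeddings/" not in name:
                continue
            blob = zf.read(name)
            pe_offsets = find_pe_offsets(blob)
            packaged = OLE10NATIVE_UTF16 in blob
            if pe_offsets or packaged:
                findings.append({"entry": name, "pe_offsets": pe_offsets,
                                 "ole10native": packaged})
    return findings


def fake_pe_stub() -> bytes:
    """Constructed minimal PE-looking header (not a runnable binary)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_docx() -> bytes:
    """Constructed document: one embedding wrapping a PE, one benign equation."""
    cfb_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # CFB signature only
    malicious = (cfb_magic + b"\x00" * 120 + OLE10NATIVE_UTF16
                 + b"\x00" * 64 + fake_pe_stub())
    benign = cfb_magic + b"\x00" * 120 + "Equation.3".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", malicious)
        zf.writestr("word/embeddings/oleObject2.bin", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_office_document(build_sample_docx()):
        print(finding)
```

The PE carve is a heuristic, and so is the string match on the stream name; a production scanner would parse the CFB container with a library such as olefile, read the Ole10Native stream and recover the embedded file name (which in the campaign above would be the WordDocumentDOC.exe the user is asked to run) from its header before deciding. Both checks here are cheap enough to run at the mail gateway on every attachment.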
Other unusual aspects of AstraLocker 2.0 included the use of an outdated version of the Safengine Shielden packer, which made the samples ReversingLabs obtained difficult to reverse engineer, and evasion tactics such as checking whether the host is a virtual machine. The malware also tries to disable applications that could block or interfere with the data encryption process.
Edwards noted that in hastily launched smash-and-grab attacks, it’s easy for cybercriminals to make mistakes. In the case of AstraLocker 2.0, the attacker “has no means of issuing the decryptor to victims even if a ransom is paid. This makes this attack both reckless and destructive,” he wrote.
How the AstraLocker operators' exit from the ransomware scene will affect victims of AstraLocker 2.0 remains unclear. However, it is not unprecedented for ransomware groups to release decryption keys when shutting down operations. Other groups, including Ragnarok, FilesLocker, Crysis and Avaddon, have done the same. ®