AstraLocker Archives – Gridinsoft Blog Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Wed, 20 Jul 2022 12:26:10 +0000 en-US hourly 1 https://wordpress.org/?v=67434 200474804 Emsisoft Released a Free Tool to Decrypt Data Corrupted by AstraLocker and Yashma https://gridinsoft.com/blogs/astralocker-and-yashma-decryption-tool/ https://gridinsoft.com/blogs/astralocker-and-yashma-decryption-tool/#respond Wed, 13 Jul 2022 12:25:59 +0000 https://gridinsoft.com/blogs/?p=9360 Emsisoft has released a free decryption tool for files affected by AstraLocker and Yashma ransomware attacks. Let me remind you that last week AstraLocker operators announced that the malware was ending its work and uploaded tools to VirusTotal to decrypt files affected by AstraLocker and Yashma attacks. The hackers said that they do not plan… Continue reading Emsisoft Released a Free Tool to Decrypt Data Corrupted by AstraLocker and Yashma

The post Emsisoft Released a Free Tool to Decrypt Data Corrupted by AstraLocker and Yashma appeared first on Gridinsoft Blog.

]]>
Emsisoft has released a free decryption tool for files affected by AstraLocker and Yashma ransomware attacks.

Let me remind you that last week AstraLocker operators announced that the malware was ending its work and uploaded tools to VirusTotal to decrypt files affected by AstraLocker and Yashma attacks. The hackers said that they do not plan to return to ransomware in the future, but intend to switch to cryptojacking.

It was fun, but fun always ends. I close the whole operation, decryptors in ZIP files, clean. I’ll be back. I’m done with ransomware for now and I’m going to get into cryptojacking lol.hackers sadly reported.

Let me remind you that we also said that Free decryptor for BlackByte ransomware was published, and also that Cybersecurity specialists released a free decryptor for Lorenz ransomware.

While the malware developer did not disclose why AstraLocker suddenly stopped working, media outlets have speculated that this may be due to recently published reports from cybersecurity experts who have studied this malware. This could bring AstraLocker to the attention of law enforcement.

Using the published data, Emsisoft experts have created a free tool to rescue affected information, which is already available for download from the company’s servers. Also, experts have prepared instructions for using their decryptor.

The AstraLocker decryptor is for the Babuk-based threat and files with the extension .Astra or .babyk, (8 keys were released in total). The Yashma decryptor targets a Chaos-based threat using .AstraLocker extensions or random extensions in the .[a-z0-9]{4} format (3 keys released in total).the experts write.

AstraLocker and Yashma decryption tool

Emsisoft also recommends that victims of AstraLocker and Yashma whose systems have been compromised via Windows Remote Desktop change passwords for all accounts with remote access permissions, as well as look for other local accounts that may have been added by hackers.

The post Emsisoft Released a Free Tool to Decrypt Data Corrupted by AstraLocker and Yashma appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/astralocker-and-yashma-decryption-tool/feed/ 0 9360
AstraLocker Ransomware Operators Publish File Decryption Tools https://gridinsoft.com/blogs/astralocker-ransomware-operators/ https://gridinsoft.com/blogs/astralocker-ransomware-operators/#respond Wed, 06 Jul 2022 09:11:22 +0000 https://gridinsoft.com/blogs/?p=9179 AstraLocker ransomware operators have announced that the malware is ending its work and have uploaded data decryption tools to VirusTotal. The hackers say that they do not plan to return to ransomware in the future, but intend to switch to cryptojacking. The Bleeping Computer reports that it has already studied the archive published by the… Continue reading AstraLocker Ransomware Operators Publish File Decryption Tools

The post AstraLocker Ransomware Operators Publish File Decryption Tools appeared first on Gridinsoft Blog.

]]>
AstraLocker ransomware operators have announced that the malware is ending its work and have uploaded data decryption tools to VirusTotal. The hackers say that they do not plan to return to ransomware in the future, but intend to switch to cryptojacking.

The Bleeping Computer reports that it has already studied the archive published by the attackers and confirms that the decryptors are real and really help to decrypt the affected files.

Let me remind you that we also said that Free decryptor for BlackByte ransomware was published, and also that Cybersecurity specialists released a free decryptor for Lorenz ransomware.

Journalists note that they tested only one decryptor, which successfully decrypted files blocked during one of the AstraLocker campaigns. The other decryptors in the archive are apparently designed to decrypt files damaged during previous campaigns.

AstraLocker ransomware operators
Archive content

The journalists also managed to get a comment from one of the malware operators:

It was fun, but fun always ends. I close the whole operation, decryptors in ZIP files, clean. I’ll be back. I’m done with ransomware for now and I’m going to get into cryptojacking lol.

Although the malware developer did not say why AstraLocker suddenly stopped working, journalists believe that this may be due to recently published reports by security experts who studied the malware. This could bring AstraLocker to the attention of law enforcement.

Emsisoft, a company that helps ransomware victims recover data, is currently developing a universal decryptor for AstraLocker, which should be released in the near future.

What will we no longer see in the criminal world?

Threat intelligence firm ReversingLabs recently reported that AstraLocker used a somewhat unusual method of encrypting its victims’ devices compared to other strains of ransomware.

Instead of first compromising the device (hacking it or buying access from other attackers), the AstraLocker operator will directly deploy the payload from email attachments using malicious Microsoft Word documents.

The honeypots used in the AstroLocker attacks are documents that hide an OLE object with a ransomware payload that will be deployed after the target clicks “Run” in the warning dialog displayed when the document is opened.

Before encrypting files on a compromised device, the ransomware will check to see if it is running on a virtual machine, terminate processes, and stop backup and antivirus services that could interfere with the encryption process.

Based on analysis by ReversingLabs, AstraLocker is based on the leaked source code of Babuk Locker (Babyk) ransomware, a buggy yet still dangerous strain that came out in September 2021.

Also, one of the Monero wallet addresses in the AstraLocker ransom note was also linked to the operators of the Chaos ransomware.

The post AstraLocker Ransomware Operators Publish File Decryption Tools appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/astralocker-ransomware-operators/feed/ 0 9179