Upcoming Virtual Event: Cloud Security Summit | July 17 - Register Now
Connect with us

Hi, what are you looking for?


Application Security

Free Decryptors Released for AstraLocker Ransomware

Cybersecurity firm Emsisoft has released free decryptor tools for AstraLocker, a “smash-and-grab” ransomware family that was recently retired.

Cybersecurity firm Emsisoft has released free decryptor tools for AstraLocker, a “smash-and-grab” ransomware family that was recently retired.

Initially spotted in 2021, AstraLocker is a fork of Babuk ransomware, which had its source code leaked online in September 2021. A second major version of AstraLocker made an appearance in March 2022.

What made this ransomware stand out in the crowd was the use of a “smash-and-grab” attack technique, where the malicious payload was dropped directly from email attachments, without the typical intermediate steps and without any pre-attack reconnaissance.

The attackers used Microsoft Word documents as lures, with the ransomware embedded as an OLE object, and asked potential victims to make multiple additional clicks to activate the malware.

The ransomware was seen killing processes that might interfere or with the encryption operation, and enumerating all drives and network shares to encrypt data on them.

[ READ: Decryptor Released for Notorious DarkSide Ransomware ]   

Over the 4th of July weekend, the threat actor behind AstraLocker announced plans to shut down the operation, and also submitted to VirusTotal an archive containing decryptors for the malware.

Less than a week later, security researchers at Emsisoft released free decryption tools to help victims of AstraLocker ransomware recover their data.

Advertisement. Scroll to continue reading.

“The AstraLocker decryptor is for the Babuk-based one using .Astra or .babyk extension, and they released a total of 8 keys. The Yashma decryptor is for the Chaos-based one using .AstraLocker or a random .[a-z0-9]{4} extension, and they released a total of 3 keys,” Emsisoft said.

The AstraLocker decryptor targets files encrypted with the first AstraLocker version, while the Yashma decryptor targets files encrypted with AstraLocker 2.0.

Emsisoft recommends that the malware is first quarantined on the system, to prevent any potential recurring encryption, and the use of an antivirus tool that can successfully detect the AstraLocker ransomware.

“If your system was compromised through the Windows Remote Desktop feature, we also recommend changing all passwords of all users that are allowed to login remotely and check the local user accounts for additional accounts the attacker might have added,” the companys said.

Related: Researchers Devise Method to Decrypt Hive Ransomware-Encrypted Data

Related: Free Decryptor Released for BlackByte Ransomware

Related: Decryptor Released for Notorious DarkSide Ransomware  

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

Craig Boundy has left Experian to join McAfee as President and CEO.

Forcepoint has promoted Ryan Windham from Chief Customer and Strategy Officer to Chief Executive Officer.

ICS and OT cybersecurity solutions provider TXOne Networks appointed Stephen Driggers as its new CRO.

More People On The Move

Expert Insights