Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Application Security

Free Decryptors Released for AstraLocker Ransomware

Cybersecurity firm Emsisoft has released free decryptor tools for AstraLocker, a “smash-and-grab” ransomware family that was recently retired.

Cybersecurity firm Emsisoft has released free decryptor tools for AstraLocker, a “smash-and-grab” ransomware family that was recently retired.

Initially spotted in 2021, AstraLocker is a fork of Babuk ransomware, which had its source code leaked online in September 2021. A second major version of AstraLocker made an appearance in March 2022.

What made this ransomware stand out in the crowd was the use of a “smash-and-grab” attack technique, where the malicious payload was dropped directly from email attachments, without the typical intermediate steps and without any pre-attack reconnaissance.

The attackers used Microsoft Word documents as lures, with the ransomware embedded as an OLE object, and asked potential victims to make multiple additional clicks to activate the malware.

The ransomware was seen killing processes that might interfere or with the encryption operation, and enumerating all drives and network shares to encrypt data on them.

[ READ: Decryptor Released for Notorious DarkSide Ransomware ]   

Over the 4th of July weekend, the threat actor behind AstraLocker announced plans to shut down the operation, and also submitted to VirusTotal an archive containing decryptors for the malware.

Advertisement. Scroll to continue reading.

Less than a week later, security researchers at Emsisoft released free decryption tools to help victims of AstraLocker ransomware recover their data.

“The AstraLocker decryptor is for the Babuk-based one using .Astra or .babyk extension, and they released a total of 8 keys. The Yashma decryptor is for the Chaos-based one using .AstraLocker or a random .[a-z0-9]{4} extension, and they released a total of 3 keys,” Emsisoft said.

The AstraLocker decryptor targets files encrypted with the first AstraLocker version, while the Yashma decryptor targets files encrypted with AstraLocker 2.0.

Emsisoft recommends that the malware is first quarantined on the system, to prevent any potential recurring encryption, and the use of an antivirus tool that can successfully detect the AstraLocker ransomware.

“If your system was compromised through the Windows Remote Desktop feature, we also recommend changing all passwords of all users that are allowed to login remotely and check the local user accounts for additional accounts the attacker might have added,” the companys said.

Related: Researchers Devise Method to Decrypt Hive Ransomware-Encrypted Data

Related: Free Decryptor Released for BlackByte Ransomware

Related: Decryptor Released for Notorious DarkSide Ransomware  

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...