Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Free Decryptors Released for AstraLocker Ransomware

Cybersecurity firm Emsisoft has released free decryptor tools for AstraLocker, a “smash-and-grab” ransomware family that was recently retired.

Cybersecurity firm Emsisoft has released free decryptor tools for AstraLocker, a “smash-and-grab” ransomware family that was recently retired.

Initially spotted in 2021, AstraLocker is a fork of Babuk ransomware, which had its source code leaked online in September 2021. A second major version of AstraLocker made an appearance in March 2022.

What made this ransomware stand out in the crowd was the use of a “smash-and-grab” attack technique, where the malicious payload was dropped directly from email attachments, without the typical intermediate steps and without any pre-attack reconnaissance.

The attackers used Microsoft Word documents as lures, with the ransomware embedded as an OLE object, and asked potential victims to make multiple additional clicks to activate the malware.

The ransomware was seen killing processes that might interfere or with the encryption operation, and enumerating all drives and network shares to encrypt data on them.

[ READ: Decryptor Released for Notorious DarkSide Ransomware ]   

Over the 4th of July weekend, the threat actor behind AstraLocker announced plans to shut down the operation, and also submitted to VirusTotal an archive containing decryptors for the malware.

Less than a week later, security researchers at Emsisoft released free decryption tools to help victims of AstraLocker ransomware recover their data.

“The AstraLocker decryptor is for the Babuk-based one using .Astra or .babyk extension, and they released a total of 8 keys. The Yashma decryptor is for the Chaos-based one using .AstraLocker or a random .[a-z0-9]{4} extension, and they released a total of 3 keys,” Emsisoft said.

The AstraLocker decryptor targets files encrypted with the first AstraLocker version, while the Yashma decryptor targets files encrypted with AstraLocker 2.0.

Emsisoft recommends that the malware is first quarantined on the system, to prevent any potential recurring encryption, and the use of an antivirus tool that can successfully detect the AstraLocker ransomware.

“If your system was compromised through the Windows Remote Desktop feature, we also recommend changing all passwords of all users that are allowed to login remotely and check the local user accounts for additional accounts the attacker might have added,” the companys said.

Related: Researchers Devise Method to Decrypt Hive Ransomware-Encrypted Data

Related: Free Decryptor Released for BlackByte Ransomware

Related: Decryptor Released for Notorious DarkSide Ransomware  

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.