Cybersecurity firm Emsisoft has released free decryptor tools for AstraLocker, a “smash-and-grab” ransomware family that was recently retired.
Initially spotted in 2021, AstraLocker is a fork of Babuk ransomware, which had its source code leaked online in September 2021. A second major version of AstraLocker made an appearance in March 2022.
What made this ransomware stand out in the crowd was the use of a “smash-and-grab” attack technique, where the malicious payload was dropped directly from email attachments, without the typical intermediate steps and without any pre-attack reconnaissance.
The attackers used Microsoft Word documents as lures, with the ransomware embedded as an OLE object, and asked potential victims to make multiple additional clicks to activate the malware.
The ransomware was seen killing processes that might interfere or with the encryption operation, and enumerating all drives and network shares to encrypt data on them.
[ READ: Decryptor Released for Notorious DarkSide Ransomware ]
Over the 4th of July weekend, the threat actor behind AstraLocker announced plans to shut down the operation, and also submitted to VirusTotal an archive containing decryptors for the malware.
Less than a week later, security researchers at Emsisoft released free decryption tools to help victims of AstraLocker ransomware recover their data.
“The AstraLocker decryptor is for the Babuk-based one using .Astra or .babyk extension, and they released a total of 8 keys. The Yashma decryptor is for the Chaos-based one using .AstraLocker or a random .[a-z0-9]{4} extension, and they released a total of 3 keys,” Emsisoft said.
The AstraLocker decryptor targets files encrypted with the first AstraLocker version, while the Yashma decryptor targets files encrypted with AstraLocker 2.0.
Emsisoft recommends that the malware is first quarantined on the system, to prevent any potential recurring encryption, and the use of an antivirus tool that can successfully detect the AstraLocker ransomware.
“If your system was compromised through the Windows Remote Desktop feature, we also recommend changing all passwords of all users that are allowed to login remotely and check the local user accounts for additional accounts the attacker might have added,” the companys said.
Related: Researchers Devise Method to Decrypt Hive Ransomware-Encrypted Data
Related: Free Decryptor Released for BlackByte Ransomware
Related: Decryptor Released for Notorious DarkSide Ransomware