The developer of the AstraLocker ransomware has reportedly ceased operations and is turning to the much simpler art and crime of cryptojacking.
AstraLocker appears to be a spin-off of the Babuk Locker ransomware-as-a-service gang, whose source code was leaked last year; both were identified in 2021. The AstraLocker developer has uploaded to VirusTotal a ZIP archive containing decryptors for the ransomware, which Bleeping Computer says are legitimate.
The decision to shut down and release something of an antidote comes after ReversingLabs last week detailed the latest version of the ransomware – AstraLocker 2.0 – which had some interesting features, and amid reports that Emsisoft is working on a universal decryptor for the Windows malware.
At the same time, governments around the world, including the United States, have stepped up efforts to shut down certain ransomware operations and make arrests as ransomware campaigns continue to grow in number and visibility.
With more attention being paid to AstraLocker, its operators may have become apprehensive that they would soon come under official scrutiny, prompting the decision to shut down. The software's maker is said to be switching to cryptojacking, in which compromised devices are quietly made to mine cryptocurrency for the crooks rather than having their files encrypted and a ransom demanded.
According to ReversingLabs' write-up, AstraLocker 2.0 ransomware is distributed directly from Microsoft Office files that victims are tricked into opening.
Joseph Edwards, senior malware researcher at ReversingLabs, wrote that "the smash and grab attack method as well as other features suggest that the attacker behind this malicious software is low-skilled and wants to cause disruption, compared to the more patient, methodical and saturated method to compromises used by Babuk and other, more sophisticated ransomware outfits."
The approach used with AstraLocker 2.0 "underscores the risk to organizations following code leaks such as the one affecting Babuk, as a large population of low-skilled and highly motivated actors exploit the leaked code for use in their own attacks," Edwards added.
The Babuk source code was leaked in September 2021, and ReversingLabs said shared code and campaign markers link AstraLocker to Babuk. In addition, the researcher wrote that a Monero cryptocurrency wallet address listed by AstraLocker for ransom payments is linked to the Chaos ransomware gang.
Babuk appeared in early 2021 and was linked to a number of high-profile infections, including one in April 2021 that hit the Metropolitan Police Department in Washington DC. AstraLocker ransomware appeared around the same time that Babuk's code was leaked, and AstraLocker 2.0 was discovered in March this year. According to ReversingLabs' Edwards, the latest version was unusual because the attackers deployed the ransomware immediately after the victim opened the malicious file attachment used as the campaign's lure.
"Usually, affiliate hackers avoid launching ransomware early, but instead choose to push files that allow them to expand their reach within the target environment," he wrote. "Ransomware is distributed almost invariably last, after compromising the victim's domain controllers, allowing cybercriminals to use the domain controller (for example: Active Directory) to deploy a Group Policy object and encrypt all hosts in the affected domains."
Executing the malware does, however, take the victim a few clicks, because the payload is stored in an OLE (Object Linking and Embedding) object. The user must double-click the icon in the document and agree to run an embedded executable named "WordDocumentDOC.exe."
“Demanding so much user interaction increases the chances that victims will think twice about what they do,” Edwards wrote. “This is one reason why OLE objects see less use in the delivery of malware, as opposed to the more popular VBA macro-infection method, which only requires the user to enable macros to run.”
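The OLE-versus-macro distinction above is something a triage script can tell apart before anyone opens the lure. The following is an added example written for this page, not code from ReversingLabs or from the AstraLocker campaign. It assumes an OOXML (.docx/.docm) container, where embedded packages land under word/embeddings/ and VBA lands in word/vbaProject.bin; the sample document it builds is constructed in memory with hypothetical part contents, and the Package/Icon attributes are the standard Word markup for an embedded file shown as an icon. Only the Python standard library is used, so it runs offline.

```python
import io
import re
import zipfile

# Header of an OLE compound file (CFB), which both embedded packages and
# vbaProject.bin are stored as.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Matches the Word markup for an embedded OLE object and its attribute list.
OLE_RE = re.compile(r"<o:OLEObject\b([^>]*)/?>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def build_sample_docx(with_ole=True, with_vba=False):
    """Constructed sample (hypothetical contents): a minimal OOXML zip with
    an optional icon-style embedded Package object and/or a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        body = "<w:document><w:body>"
        if with_ole:
            # DrawAspect="Icon" is what the user double-clicks; ProgID="Package"
            # means an arbitrary file (e.g. an .exe) was packaged into the object.
            body += ('<w:object><o:OLEObject Type="Embed" ProgID="Package" '
                     'DrawAspect="Icon" r:id="rId5"/></w:object>')
        body += "</w:body></w:document>"
        z.writestr("word/document.xml", body)
        if with_ole:
            # Fake CFB body: real magic followed by padding, enough for triage.
            z.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 64)
        if with_vba:
            z.writestr("word/vbaProject.bin", CFB_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def triage_docx(data):
    """Return which code-bearing parts an OOXML document contains."""
    findings = {"vba_macros": False, "ole_embeddings": [], "icon_objects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["vba_macros"] = "word/vbaProject.bin" in names
        for name in names:
            if name.startswith("word/embeddings/"):
                is_cfb = z.read(name)[:8] == CFB_MAGIC
                findings["ole_embeddings"].append((name, is_cfb))
        if "word/document.xml" in names:
            xml = z.read("word/document.xml").decode("utf-8", "replace")
            for m in OLE_RE.finditer(xml):
                attrs = dict(ATTR_RE.findall(m.group(1)))
                if attrs.get("ProgID") == "Package" and attrs.get("DrawAspect") == "Icon":
                    findings["icon_objects"].append(attrs["ProgID"])
    return findings


def verdict(findings):
    """Summarise the delivery style in the terms used in the article."""
    if findings["vba_macros"]:
        return "macro-bearing document"
    if findings["icon_objects"] or any(cfb for _, cfb in findings["ole_embeddings"]):
        return "embedded OLE package (requires double-click + Run prompt)"
    return "no embedded code found"


if __name__ == "__main__":
    for label, doc in [("ole", build_sample_docx()),
                       ("vba", build_sample_docx(with_ole=False, with_vba=True)),
                       ("clean", build_sample_docx(with_ole=False))]:
        print(label, "->", verdict(triage_docx(doc)))
```

The check stops at the container level on purpose: the filename of the packaged executable (the article's "WordDocumentDOC.exe") sits inside the embedded compound file's Ole10Native stream, which this script does not parse; oletools' oleobj is the usual way to pull that out. The point is that an icon-style Package object is already a strong signal on its own, and that a document with neither vbaProject.bin nor embeddings has no in-document code path for the user to trigger.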
Other unusual aspects of AstraLocker 2.0 included the use of an outdated version of the Safengine Shielden packer, which made the samples difficult for ReversingLabs to reverse engineer, and evasion tactics such as checking whether the host is a virtual machine. The malware also tries to disable applications that could block or interfere with the data encryption process.
Edwards noted that in hastily launched smash-and-grab attacks, it is easy for cybercriminals to make mistakes. In the case of AstraLocker 2.0, the attacker has "no ability to issue the decryptor to victims even if a ransom is paid. This makes this attack both ruthless and destructive," he wrote.
How the AstraLocker operators' exit from the ransomware scene will affect victims of AstraLocker 2.0 is still unclear. However, it is not uncommon for ransomware groups to release decryption keys when they shut down; other groups, including Ragnarok, FilesLocker, Crysis and Avaddon, have done the same. ®