AstraLocker announced shutting down to shift to cryptojacking

July 8, 2022

A few days after the AstraLocker ransomware released its second version, its operators announced that they would shut down and switch to cryptojacking instead. The AstraLocker developer also handed a ZIP archive containing the ransomware's decryptors to security researchers to assist with threat analysis.

To confirm that the supplied decryptor worked, the researchers ran it against a file encrypted by AstraLocker, and it restored the file successfully. The other decryptors in the archive are said to correspond to the group's earlier encryption campaigns.


In a message sent by the developer of the AstraLocker ransomware, they stated that they were turning their operations toward cryptojacking.


With the AstraLocker ransomware campaign at an end, its developer handed over the decryptors for every operation they had launched and admitted to moving into cryptojacking, a clear sign that their attack scheme is changing.

The developers have not said why they are shutting down, but experts suspect that the recent publicity the group has received could draw the attention of law enforcement and lead to the operation being dismantled and its infrastructure seized.

The decryptors are now being assessed and will be distributed by a separate security organisation to help users whom the AstraLocker group recently victimised. Several threat groups have, like AstraLocker, handed their decryption keys to cybersecurity teams before shutting down, although not every ransomware group is willing to do so.

Earlier reports described AstraLocker as unusual in how it delivers its payload: the ransomware is launched directly from a Word document attached to a malicious email sent to the victims, rather than through an intermediate downloader.

The ransomware embeds an OLE (object linking and embedding) object inside the Word file that carries the payload, which is executed on the victim's device once they click the "Run" button in the prompt dialogue box. AstraLocker then kills any running antivirus tools and checks whether the computer is a virtual machine so that the encryption process is not disrupted.
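The embedded-OLE delivery described above leaves a recognisable footprint in the document itself. The following triage script is an added example written for this article, not code from the AstraLocker authors or from any researcher cited here. It relies on two facts about the format: a .docx is a ZIP archive whose inserted objects are stored under word/embeddings/ as OLE compound files, and an OLE "Package" object stores the wrapped file uncompressed, so a Windows executable inside it still shows its MZ header and DOS stub. The sample document, the oleObject1.bin contents and the function names are constructed for the demonstration.

```python
"""Triage a .docx for embedded OLE objects that carry a Windows executable.

Added example, not from the original article. A .docx is a ZIP archive; objects
inserted via Insert > Object land under word/embeddings/ as oleObjectN.bin, an
OLE compound file (magic D0 CF 11 E0 A1 B1 1A E1). When that object is a
"Package" wrapping an .exe, the PE image is stored verbatim, so a byte search
for the DOS stub is a cheap first-pass check before deeper analysis.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# MZ header followed, within a short window, by the standard DOS stub text.
DOS_STUB = re.compile(rb"MZ.{0,200}?This program cannot be run in DOS mode", re.S)


def scan_docx(data: bytes) -> list:
    """Return one finding per embedded object describing what was observed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            blob = zf.read(name)
            findings.append({
                "entry": name,
                "is_ole": blob.startswith(OLE_MAGIC),
                "has_pe": DOS_STUB.search(blob) is not None,
                "size": len(blob),
            })
    return findings


def build_sample_docx(embedded: bytes) -> bytes:
    """Constructed minimal .docx: just enough ZIP structure for the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()


# Constructed stand-in for an OLE Package holding a PE: a compound-file header,
# padding, then an MZ header and the DOS stub string an .exe would contain.
FAKE_OLE_WITH_PE = (
    OLE_MAGIC + b"\x00" * 512
    + b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode"
)

if __name__ == "__main__":
    for f in scan_docx(build_sample_docx(FAKE_OLE_WITH_PE)):
        verdict = "SUSPICIOUS: embedded executable" if f["is_ole"] and f["has_pe"] else "review"
        print(f"{f['entry']} ({f['size']} bytes): ole={f['is_ole']} pe={f['has_pe']} -> {verdict}")
```

This only covers the OOXML (.docx) container. A legacy binary .doc is itself an OLE compound file with embedded objects under its ObjectPool storage, so triaging one needs a compound-file parser such as olefile rather than zipfile; the MZ/DOS-stub heuristic still applies once the embedded stream is extracted.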

Now that the ransomware has ceased operating, security researchers are watching for its return, given its developers' statement that they will soon move on to cryptojacking campaigns.
