AstraLocker ransomware shuts down to continue cryptojacking • The Register

The developer of the AstraLocker ransomware code has reportedly ceased operations and turned to the much simpler art and crime of cryptojacking.

AstraLocker appears to be an offshoot of the Babuk Locker ransomware-as-a-service gang, whose source code was leaked last year. Both were identified in 2021. The developer of AstraLocker released a ZIP archive containing decryptors for AstraLocker ransomware via VirusTotal, which Bleeping Computer reports are legitimate.

The decision to shut down and release some sort of antidote comes after ReversingLabs last week detailed the latest version of the ransomware, AstraLocker 2.0, which had some interesting quirks, and amid reports that Emsisoft is working on a universal decryptor for the Windows malware.

At the same time, governments around the world, including the United States, have stepped up efforts to shut down some ransomware operations and make arrests as ransomware campaigns continue to grow in number and visibility.

As more attention has been paid to AstraLocker, the operators of the file-scrambling villain may have feared that they would soon come under official scrutiny, fueling their decision to stop operations. The software maker is said to be moving into cryptojacking, in which compromised devices are quietly instructed to mine cryptocurrency for malefactors instead of encrypting documents and demanding a ransom.

According to ReversingLabs researchers, AstraLocker 2.0 ransomware is distributed directly from Microsoft Office files that victims are tricked into opening.

Joseph Edwards, Senior Malware Researcher at ReversingLabs, wrote that “the smash and grab attack methodology and other features suggest that the attacker behind this malware is unskilled and seeks to cause disruption, compared to the more patient, methodical and measured approach to compromises used by Babuk and other more sophisticated ransomware sets.”

The approach used with AstraLocker 2.0 “underscores the risk posed to organizations from code leaks like the one affecting Babuk, as a large population of low-skilled, highly motivated actors exploit the leaked code for use in their own attacks,” Edwards added.

Babuk’s source code was leaked in September 2021, and ReversingLabs said shared code and campaign markers tie AstraLocker to Babuk. Additionally, the researcher wrote that a Monero cryptocurrency wallet address listed by AstraLocker for ransom payments is linked to the Chaos ransomware gang.

Babuk emerged in early 2021 and was linked to a number of high-profile infections, including one in April 2021 that hit the Metropolitan Police Department in Washington DC. AstraLocker ransomware appeared around the same time Babuk’s code was leaked. AstraLocker 2.0 was detected in March this year. According to Edwards of ReversingLabs, the latest version was unusual in that the ransomware was deployed immediately after victims opened the malicious attachment that served as the campaign's lure.

“Typically, affiliate threat actors avoid pushing ransomware early, opting instead to push files that allow them to extend their reach into the target environment,” he wrote. “Ransomware is almost invariably deployed last, after compromising the victim’s domain controller(s), allowing cybercriminals to use the domain controller (e.g. Active Directory) to deploy a GPO and encrypt all hosts in the affected domains.”

However, it takes a few clicks for victims who open the malicious attachment to execute the malware, as the payload is stored in an object linking and embedding (OLE) object. The user must double-click the icon in the document and agree to run an embedded executable named “WordDocumentDOC.exe”.

“Requiring so much user interaction increases the chances of victims thinking twice about what they are doing,” Edwards wrote. “This is one of the reasons why OLE objects are used less in malware delivery, as opposed to the more popular VBA macro infection method, which only requires the user to enable macros to execute.”
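The delivery chain described above, a Packager (OLE) object inside an Office document that wraps an executable the user must double-click, leaves a recognisable footprint that defenders can triage for without opening the file. The script below is an added example written for this article, not code from The Register or ReversingLabs: it unpacks an OOXML document, looks at each embedded-object part for the OLE Packager stream name (`\x01Ole10Native`, stored as UTF-16LE in the compound-file directory) and for an `MZ` header whose `e_lfanew` field points at a `PE\0\0` signature. The sample documents it builds are constructed in-script and the PE stub is a non-executable skeleton; the check is a heuristic, so it should feed a triage queue rather than act as a verdict on its own.

```python
"""Triage an Office document for embedded OLE Packager objects that carry a
Windows executable. Added example, not part of The Register article or the
ReversingLabs research; all sample data below is constructed."""
from __future__ import annotations

import io
import struct
import zipfile

# Compound-file directory entries store stream names in UTF-16LE; this is the
# OLE Packager stream that holds an embedded file.
OLE10NATIVE_UTF16 = "\x01Ole10Native".encode("utf-16-le")

# Compound-file (OLE CFB) magic, used only to make the constructed sample plausible.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_pe_offsets(blob: bytes) -> list[int]:
    """Offsets of plausible PE images: an 'MZ' header whose e_lfanew field
    (at header offset 0x3C) points at a 'PE\\0\\0' signature."""
    hits = []
    start = 0
    while (idx := blob.find(b"MZ", start)) >= 0:
        start = idx + 1
        if idx + 0x40 > len(blob):
            continue  # too short to hold a full DOS header
        e_lfanew = struct.unpack_from("<I", blob, idx + 0x3C)[0]
        pe_off = idx + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and blob[pe_off:pe_off + 4] == b"PE\0\0":
            hits.append(idx)
    return hits


def triage_ooxml(data: bytes) -> dict[str, dict]:
    """Inspect every embedded-object part (word/, xl/ or ppt/ embeddings) of an
    OOXML file and record whether it carries a Packager stream and a PE image."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if "/embeddings/" not in name:
                continue
            blob = zf.read(name)
            findings[name] = {
                "packager_stream": OLE10NATIVE_UTF16 in blob,
                "pe_offsets": find_pe_offsets(blob),
            }
    return findings


def is_suspicious(findings: dict[str, dict]) -> bool:
    """Flag when any embedded object is a Packager object that contains a PE."""
    return any(f["packager_stream"] and f["pe_offsets"] for f in findings.values())


def fake_pe_stub() -> bytes:
    """Constructed, non-executable PE skeleton: 'MZ', e_lfanew = 0x40 and
    'PE\\0\\0' at offset 0x40. Exercises the same checks a real binary would."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16


def build_sample_docx(embedded_object: bytes) -> bytes:
    """Constructed minimal .docx carrying a single embedded-object part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/embeddings/oleObject1.bin", embedded_object)
    return buf.getvalue()


def malicious_sample() -> bytes:
    """Constructed Packager object whose payload looks like an executable."""
    obj = CFB_MAGIC + b"\0" * 56 + OLE10NATIVE_UTF16 + b"\0" * 8 + fake_pe_stub()
    return build_sample_docx(obj)


def benign_sample() -> bytes:
    """Constructed embedded object with an incidental 'MZ' but no PE behind it."""
    obj = CFB_MAGIC + b"\0" * 56 + b"MZ" + b"\0" * 80
    return build_sample_docx(obj)


if __name__ == "__main__":
    for label, doc in (("malicious", malicious_sample()), ("benign", benign_sample())):
        findings = triage_ooxml(doc)
        print(label, "suspicious" if is_suspicious(findings) else "clean", findings)
```

The two conditions are deliberately combined: a Packager stream alone is how legitimate embedded PDFs or spreadsheets travel, and a stray `MZ` alone appears in plenty of binary blobs, but a Packager object wrapping something with a valid PE header is exactly the shape of the lure this article describes and is worth a closer look in a sandbox. Legacy `.doc` files are a single compound file rather than a zip, so for those the same two checks would run over the whole file instead of per embedded part.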

Other unusual aspects of AstraLocker 2.0 included the use of Safeengine Shielden v2.4.0.0, an outdated packer that made the samples difficult for ReversingLabs to reverse engineer, and the use of evasion tactics such as checking whether the host is a virtual machine. The malware also tries to disable applications that may be blocking or interfering with the data encryption process.

Edwards noted that in hastily launched smash-and-grab attacks, it’s easy for cybercriminals to make mistakes. In the case of AstraLocker 2.0, the attacker “has no way to deliver the decryptor to the victims even if a ransom is paid. This makes this attack both reckless and destructive,” he wrote.

The impact of AstraLocker's operators exiting the ransomware scene on AstraLocker 2.0 victims remains unclear. However, it is not unprecedented for ransomware groups to offer decryption keys when stopping operations. Other groups including Ragnarok, FilesLocker, Crysis and Avaddon have done the same. ®
