AstraLocker ransomware operators recently announced they are shutting down the operation and plan to focus on cryptojacking. The operation's developer also bundled decryptors for the ransomware in a ZIP archive and uploaded it to a popular malware-analysis platform.
The AstraLocker operators shared details of the shutdown with Bleeping Computer, which inspected the contents of the decryptor archive, confirmed the tools were genuine, and tested one of them against files encrypted by the ransomware.
It is worth noting that only the decryptor for files locked in a recent campaign was tested. The ZIP archive holds several decryption tools, however, so the others likely cover earlier AstraLocker campaigns.
“It was fun, and fun things always end sometime. I’m closing the operation, decryptors are in zip files, clean. I will come back,” reads AstraLocker’s developer’s message. “I’m done with ransomware for now. I’m going in cryptojaking lol.”
The developer gave no reason for AstraLocker's sudden shutdown. The prevailing theory is that the operators drew unwanted attention from law enforcement and want to lie low for a while.
While not as notorious as ransomware operations such as LockBit, REvil and Conti, AstraLocker made its mark in the cybercrime underground with a rather atypical delivery technique. It preferred a direct approach and deployed its payload straight from email attachments, skipping the initial foothold, reconnaissance and lateral movement that similar operations rely on before encrypting.
The threat actors disguised the payload as a malicious OLE object embedded in a decoy Microsoft Word document. For an attack to succeed, the victim had to open the document, activate the embedded object, and confirm by clicking the Run button in the warning prompt that Word displays.
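A quick triage check for the delivery method described above, written for this page as an added example (it is not code from the article or from any vendor tool): a `.docx` is a ZIP archive, and an embedded OLE object shows up as an `oleObject`-typed relationship in `word/_rels/document.xml.rels` pointing at a part under `word/embeddings/`. The function below lists those relationships and checks whether the referenced part exists and begins with the OLE compound-file magic. The sample document is constructed in memory for the demonstration and is not an AstraLocker lure.

```python
"""Triage: list embedded OLE objects inside a .docx.

Added example, not code from the original article. The sample .docx built
by build_sample_docx() is constructed here purely to exercise the check.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound-file header


def find_embedded_ole(docx_bytes: bytes) -> list:
    """Return one record per oleObject relationship in the main document part.

    Each record holds the relationship id, the resolved part path, whether the
    part is present in the archive, and whether it starts with the CFB magic.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        rels_path = "word/_rels/document.xml.rels"
        if rels_path not in names:
            return found
        root = ET.fromstring(zf.read(rels_path))
        for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
            if rel.get("Type") != OLE_REL_TYPE:
                continue
            target = rel.get("Target", "")
            # Relative targets are resolved against the word/ directory.
            part = target.lstrip("/") if target.startswith("/") else f"word/{target}"
            head = zf.read(part)[:8] if part in names else b""
            found.append({
                "id": rel.get("Id"),
                "target": part,
                "present": part in names,
                "is_cfb": head == CFB_MAGIC,
            })
    return found


def build_sample_docx(with_ole: bool) -> bytes:
    """Construct a minimal .docx in memory (test fixture, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        rels = ['<?xml version="1.0" encoding="UTF-8"?>',
                f'<Relationships xmlns="{PKG_REL_NS}">']
        if with_ole:
            rels.append(f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
                        'Target="embeddings/oleObject1.bin"/>')
        rels.append("</Relationships>")
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
        if with_ole:
            # Header magic plus padding stands in for a full compound file.
            zf.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for rec in find_embedded_ole(build_sample_docx(with_ole=True)):
        print(rec)
```

Run it against real attachments by passing the file's bytes to `find_embedded_ole`; any record with `is_cfb` set deserves a closer look in a sandbox, since a compound file embedded this way is exactly what Word will offer to run when the user activates it.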
Before starting to encrypt documents on the compromised device, AstraLocker performed a series of preparatory actions, including:
- Checking whether it was running inside a virtual machine
- Stopping backup processes so victims could not recover their files
- Killing antivirus services and processes that would otherwise stop the ransomware from running