On Monday, reporters announced that the threat actor behind AstraLocker ransomware is shutting down operations. They released decryptors for multiple campaigns and stated that they were done with ransomware and switching to cryptojacking. Researchers validated that at least one decryptor worked for a system encrypted by a recent campaign. The decryptors have been uploaded to VirusTotal’s malware analysis platform and to bazaar.abuse.ch, and the software company Emsisoft is working on a universal decryptor for AstraLocker.
Considering the timing of the announcement, it is highly likely this shutdown was driven largely by recent exposure. As we reported last Thursday, researchers have recently analyzed and reported on the ransomware’s unique attack strategy, calling it a “smash-and-grab” style attack. Given the low impact (one system at a time) and low decryption cost ($50 per system), it appears the threat actor running the campaign was attempting to keep a low profile and, now that they are in the public eye, is buying some goodwill before returning to the shadows.
It is worth noting that while decryptors for previously infected systems have been released, new infections are not guaranteed to have a functional decryptor. Until Emsisoft releases its universal decryptor, take extra care when handling AstraLocker malware. Also, while there are several examples of previous threat actors that have released decryptors, companies should not rely on their goodwill to recover critical information. Where possible, maintain regular out-of-band backups and implement application allow-listing to reduce the risk of ransomware.