Considering the timing of the announcement, it is highly likely this shutdown was driven largely by recent exposure. As we reported last Thursday, researchers have recently analyzed and reported on the ransomware’s unique attack strategy, calling it a “smash-and-grab” style attack. Given the low impact (one system at a time) and low decryption cost ($50 per system), it appears the threat actor running the campaign was attempting to keep a low profile and, now that they are in the public eye, is buying some goodwill before returning to the shadows.
It is worth noting that while the decryptors for previously infected systems have been released, any new infections are not guaranteed to have a functional decryptor. Until Emsisoft releases their universal decryptor, take extra care when handling AstraLocker malware. Also, while there are several examples of previous threat actors that have released decryptors, companies should not rely on their goodwill to recover critical information. Where possible, maintain regular out-of-band backups and implement application allow-listing to reduce the risk of ransomware.
New AstraLocker Ransomware Version Being Distributed Directly from Phishing Attachments