Astralocker
Description
AstraLocker first appeared in 2021, likely as a fork of Babuk ransomware using leaked source code. It follows a single-extortion, smash-and-grab approach: distributed directly via phishing Microsoft Word documents containing embedded OLE objects. Once executed, it kills security and backup processes, deletes shadow copies, and encrypts files using modified HC-128 and Curve25519 algorithms, appending extensions like .Astra or .babyk. A “smash-and-grab” style attack, it’s less methodical than more sophisticated campaigns—deploying ransomware immediately upon user action rather than conducting prolonged network reconnaissance. In mid-2022, the operator ceased ransomware operations, releasing decryptors and announcing a pivot to cryptojacking.
| External Analysis |
| https://www.reversinglabs.com/blog/smash-and-grab-astralocker-2-pushes-ransomware-direct-from-office-docs |
| https://www.emsisoft.com/en/ransomware-decryption/astralocker/ |
| https://www.infosecinstitute.com/resources/malware-analysis/astralocker-releases-the-ransomware-decryptors/ |
| https://heimdalsecurity.com/blog/astralocker-ransomware-goes-offline-and-makes-decryptors-available/ |