Researchers discovered the latest verison of AstraLocker ransomware is engaged in so-called smash and grab ransomware operation.
In a typical ransomware attack, threat actors jump into a victim’s network via a trojan that has already infected a computer, by exploiting a software vulnerability on an Internet-facing server, or with stolen RDP credentials. They then make their way silently to devices and servers where important data is stored.
Anything of value is stolen and sent outside of the network. When the attacker is good and ready, ransomware is deployed, encrypting the files on the machines and rendering them useless. From here, double or even triple threat extortion is deployed. This method is most successful.
But AstraLocker is not a major ransomware family, and it doesn’t follow other foot steps. Instead it will arrive and encrypts.
It starts as a rogue Word document attached to an email. The payload lurking in the document is an embedded OLE object. Triggering the ransomware requires the victim to double click the icon within the document, which comes with a security warning. As researchers note, this isn’t as slick a process as the recent Follina vulnerability, or even misusing macros.
AstraLocker still manages to do some standard ransomware things: It tries to disable security programs; it also stops applications running that might prevent encryption from taking place; and it avoids virtual machines, which might indicate it’s being run by researchers in a lab.
The cost of their decryption software is about $50 USD, payable via Monero or Bitcoin. There is some question as to who the author of this version of AstraLocker is, as the email addresses tied to the original campaign have been replaced. This is where the circle of trust falls apart.
There is currently no way to ask the ransomware author for the decryption tool. Unless some sort of update is forthcoming, this is the quickest way you’ll ever lose both your files and $50.