[MART] - Daily Diary #544 - AstraLocker Ransomware Decryptors Available

CTAS-MAT ctas-mat at appgate.com
Mon Jul 4 23:08:12 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

07/04/2022 - Diary entry #544:

In our Daily Diary #342, we covered the leak of Babuk's ransomware source code. AstraLocker is one of the many ransomware families created by forking Babuk's original code. AstraLocker's threat actors are believed to be tied to the Chaos ransomware group.

Recently, a new AstraLocker campaign gained attention due to its rapid attacks delivering a new version of the malware, called AstraLocker 2.0. In this campaign, the payload was delivered directly as an email attachment, packed with a very outdated protector named SafeEngine Shielder.

Right after this campaign went public, one of the ransomware's (supposed) developers submitted to VirusTotal a ZIP file containing AstraLocker decryptors from different campaigns. The threat actor then contacted a media outlet, saying they were shutting down the operation and planning to switch to cryptojacking.

It is not clear whether this incident really means AstraLocker is shutting down its operation, or whether it was internal sabotage. As we have seen before, it has become a common strategy for ransomware groups that are shut down, either by law enforcement or after drawing too much media attention, to have their affiliates move to other operations, whether an existing group or a complete rebrand. Therefore, even if the AstraLocker cybercrime group really did decide to shut down, it is very likely that some of its members will move to other groups.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com

