News broke on 5 July 2022 that the operators of AstraLocker Ransomware were shutting down in favor of pursuing a new cryptojacking campaign. The group shared decryptors with VirusTotal, and according to BleepingComputer the decryptors worked on test files that were recently encrypted by the ransomware. AstraLocker was born out of the Babuk ransomware family. In the Summer of 2021 Babuk ransomware group’s code was leaked and the similarities between the leaked code and AstraLocker’s code point to AstraLocker being a fork of Babuk. 
AstraLocker 2.0 was first observed in March of 2022 and its behavior stood out from normal ransomware activities in several ways. While most ransomware organizations rely on stealth and cunning to infect systems on a target network, the operators behind AstraLocker 2.0 do not employ the same discipline and patience. Rather than gaining initial access and moving laterally like groups including Conti, Cl0p, or Hive, AstraLocker 2.0 sends a phishing email with the malicious payload in an attached word document. The Word Document includes an object linking and embedding (OLE) object with the ransomware payload embedded into an executable named “WordDocumentDOC.exe.” In order to infect the machine the ransomware relies on the victim clicking the embedded file and then clicking “Run.”
The image from ReversingLabs shows what a victim would see when they download the attached word document and how the user would need to interact with the document to activate the payload. AstraLocker relies heavily on user interaction and a lack of awareness on the victim end to infect target machines demonstrating the importance of cybersecurity awareness training as a preventative measure.
The brute force of a smash and grab attack exemplified by the tactics of AstraLocker 2.0 is juxtaposed by the need to avoid detection once installed. To avoid antivirus and other security systems within the target environment AstraLocker 2.0 uses the SafeEngine shielden v126.96.36.199 protector. According to ReversingLabs this makes reverse engineering difficult as the protector is outdated. The protector obfuscates the flow of the malware by injecting indirect jumps every 5-7 instructions. The packer also checks running processes to determine if it is in a sandbox or analysis environment.
AstraLocker 2.0 follows traditional ransomware tactics to disable anti-malware and other security tools. According to ReversingLabs the processes targeted by the malware include:
vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, YooBackup, YooIT, zhudongfangyu, stc_raw_agent, VSNAPVSS, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, AcrSch2Svc, AcronisAgent, CASAD2DWebSvc, CAARCUpdateSvc.
These processes are associated with security services from Sophos, Norton AntiVirus, and Veeam, among others.
AstraLocker 2.0 also tries to disable applications that could interfere with the malware’s encryption process, according to ReversingLabs these processes include:
sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, notepad.exe
AstraLocker 2.0 encrypts target files with using the Curve25519 algorithm and either appends .bayk, .AstraLocker, .piton, or .Astra to the end of the files.
The AstraLocker developer announced the change from operating a ransomware platform to a cryptojacking operation in an interview with Bleeping Computer, saying “"It was fun, and fun things always end sometime. I'm closing the operation, decryptors are in zip files, clean. I will come back," AstraLocker's developer said, “I'm done with ransomware for now. I'm going in cryptoja[c]king lol." This announcement came following public acknowledgement of AstraLocker 2.0 as a threat to organizations and is likely a change of gears to avoid heat from authorities.
From the sample AstraLocker 2.0 infections and corresponding ransom notes, the group was asking for around $50.00USD for the decryption software, meaning it would take a substantial number of compromised systems for the ransomware to be lucrative. Cryptojacking on the other hand is the use of victim computing resources to mine cryptocurrencies and is a more passive type of attack which is less likely to be detected. Perhaps the AstraLocker developer is looking for more sustainable income with a lower risk of detection.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings