According to Reversing Labs, the most recent version of AstraLocker is conducting a “smash and grab” ransomware attack.
The goal of smash and grab is to maximise profit as quickly as possible. Malware developers operate on the presumption that victims or security software will rapidly discover the malware, hence it is preferable to go right along to the finish line. Adware bundles made the most of this strategy in the early 2000s by charging money for hundreds of advertisements to appear on desktops as quickly as possible.
That ethos of “smash and grab” endures.
In a ransomware assault, hackers generally get access to a victim’s network via stolen Remote Desktop Protocol (RDP) credentials, a trojan that has already infected a computer, or a software weakness on a server that is accessible from the internet. Then, they stealthily travel to the computers and servers that house crucial data. Any valuable items are taken and sent outside the network. The deployment of ransomware, which encrypts the data on the workstations and renders them worthless, occurs when the attacker is fully prepared. From this point on, extortion with a double or even triple threat (blackmail plus the danger of data disclosure) is used. Attackers may halt organisations in their tracks by taking a cautious approach, which can occasionally take weeks, and demanding large ransom payments.
Since it is so effective, this method is utilised with practically all significant ransomware families.
However, AstraLocker does not perform this; it is not a significant ransomware family. (These two issues might be related.)
Click to start
AstraLocker just shows up and starts encrypting in the assaults that Reversing Labs has seen.
It first appears as a Word document that was attached to an email. An embedded OLE object is the document’s hidden payload. The victim must double-click the symbol in the document that displays a security alert in order to start the ransomware. Researchers point out that this approach is less sophisticated than the recent Follina vulnerability (which requires no user involvement) or even the usage of macros improperly (which some user interaction).
So far, so good, you may assume. There is, however, a sting in the tail.
They accept Monero or Bitcoin as payment for the “approximately $50 USD” cost of their decryption software. Since the email addresses connected to the original campaign have been changed, it is unclear who is behind this version of AstraLocker. Unfortunately, this is the point at which the circle of trust breaks down.
You may pay the ransom without any issues at all. The aspect of everything that involves producing money runs smoothly. the aspect of getting your files back? Not really. Only a portion of the new contact email address indicated above is provided.
There is presently no method to request the decryption tool from the creator of the ransomware. This is the fastest way you’ll ever lose both your data and $50, barring some kind of upgrade.
The circle of trust in this situation is more inclined to a downward curve, whether by accident or intentionally.
