
AstraLocker ransomware decryptors released by Emsisoft

Malware protection specialist Emsisoft has released free decryption tools for the AstraLocker and Yashma ransomware variants.

The decryptors were recently uploaded to the VirusTotal malware analysis platform by the ransomware’s developer after they reportedly shut down their operation in order to pivot to cryptojacking.

The AstraLocker decryptor and Yashma decryptor join a host of other decryptors made available for free by Emsisoft, a New Zealand-based outfit.

Using the decryptor

“Be sure to quarantine the malware from your system first, or it may repeatedly lock your system or encrypt files,” reads a guide (PDF) on how to use the AstraLocker tool.

For systems compromised via Windows Remote Desktop, users are advised to change the passwords of all accounts permitted to log in remotely and to check local user accounts for additional accounts the attacker might have added.
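The two post-RDP-compromise checks above (rotate passwords for remote-login accounts, look for accounts the attacker added) can be scripted on the affected host. The following PowerShell is an added example written for this article; it is not from Emsisoft's guide or from the decryptor. It uses the standard LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and the well-known Security log event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group); the 30-day review window and the choice of groups to treat as "remote login" are assumptions.

```powershell
# Added example (not part of the article or Emsisoft's guide): inventory the local
# accounts that can log in over Remote Desktop and surface recent account creations,
# so passwords can be rotated and unexpected accounts reviewed or removed.
# Run in an elevated session: reading the Security log requires administrator rights.

param(
    [int]$LookbackDays = 30   # assumption: how far back to look for new accounts
)

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Accounts that can log in remotely. Members of "Remote Desktop Users" are
#    permitted explicitly; local Administrators can connect by default.
$remoteGroups = 'Remote Desktop Users', 'Administrators'   # assumption: groups of interest
$remoteLogin = foreach ($g in $remoteGroups) {
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Select-Object @{ Name = 'Group'; Expression = { $g } }, Name, ObjectClass, PrincipalSource
}
Write-Host "Accounts permitted to log in over Remote Desktop (rotate these passwords):"
$remoteLogin | Format-Table -AutoSize

# 2. Every local user with password age and last logon, to spot stale or unfamiliar entries.
Write-Host "Local user accounts:"
Get-LocalUser |
    Select-Object Name, Enabled, PasswordLastSet, LastLogon, Description |
    Sort-Object PasswordLastSet -Descending |
    Format-Table -AutoSize

# 3. Account creations (4720) and local-group additions (4732) recorded in the
#    Security log inside the review window. An attacker-added account normally
#    shows up here even if it has since been renamed or disabled.
$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
Write-Host "Account creation / group membership events since $($since):"
$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($_.Id -eq 4720) {
        $target = $data['TargetUserName']                      # the new account
        $group  = ''
    } else {
        $target = if ($data['MemberName'] -and $data['MemberName'] -ne '-') { $data['MemberName'] } else { $data['MemberSid'] }
        $group  = $data['TargetUserName']                      # the group that gained a member
    }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Target  = $target
        Group   = $group
        Actor   = $data['SubjectUserName']                     # who performed the change
    }
} | Format-Table -AutoSize
```

Accounts that appear in section 3 but that nobody on the team recognises are the ones to disable and investigate; everything listed in section 1 gets a new password regardless, since the ransomware operator is assumed to have had the old ones.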

By default, the AstraLocker decryptor pre-populates locations selected for decryption from network and connected drives, but users can add other locations before initiating the decryption process.

The decryptor also defaults to leaving encrypted files in place, although users can enable automatic deletion if disk space is an issue.

“Since the ransomware does not save any information about the unencrypted files, the decryptor can’t guarantee that the decrypted data is identical to the one that was previously encrypted,” the guide warns.

BabyK offspring

AstraLocker, which emerged in 2021, is seemingly built on Babuk (or BabyK), a variant deployed via a ransomware-as-a-service (RaaS) model, according to a ReversingLabs analysis of the latter’s leaked source code.

Files are encrypted using a modified HC-128 encryption algorithm and Curve25519 cryptographic function, and .Astra or .babyk extensions are appended to encrypted files.

Yashma – or ‘AstraLocker 2.0’ – harnesses AES-128 and RSA-2048 to encrypt files and appends encrypted files with the .AstraLocker extension or a random four-character alphanumeric combination.

According to ReversingLabs, AstraLocker 2.0 is smuggled into networks via malicious Microsoft Office files.

This ‘smash and grab’ attack methodology is suggestive of a low-skill threat actor, argued Joseph Edwards, senior malware researcher at ReversingLabs.

“This underscores the risk posed to organizations following code leaks like that affecting Babuk, as a large population of low-skill, high-motivation actors leverage the leaked code for use in their own attacks.”


Source: https://portswigger.net/daily-swig/astralocker-ransomware-decryptors-released-by-emsisoft


Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO