The AstraLocker ransomware actor has announced that it is shutting down its operation and has shared decryptors with the VirusTotal malware analysis platform. AstraLocker was based on the source code of Babuk Locker, which suffered a major leak last year.

Last week, a new version of AstraLocker was detected spreading directly through Microsoft Office files, and was dubbed AstraLocker 2.0.

Making the headlines

BleepingComputer was first informed about this decision by the AstraLocker group.
  • The downloaded decryptor sample was found to be authentic.
  • The reason behind the AstraLocker shutdown isn’t clear, but the group has hinted at a shift toward cryptojacking.
  • However, some speculate that the group feared action by global law enforcement.

A background on AstraLocker

  • The attackers behind AstraLocker are believed to have obtained the underlying code from the Babuk code leak that happened in June 2021. Links between Babuk and recent campaigns include shared code and campaign markers.
  • A Monero wallet address listed for a ransom payment in AstraLocker’s ransom note has been linked with Chaos ransomware.
  • Instead of first compromising the device (either by hacking it or by buying access from elsewhere), AstraLocker's operator would attempt to deploy the payloads directly via maldocs attached to emails.

Universal decryptor on the way

Emsisoft plans to soon roll out a universal decryptor for AstraLocker ransomware; it is currently in the works.


It is uncertain what turn this disclosure may take. Still, organizations are advised to work with threat intel solutions to stay aware of the actor’s next step. This will help them make time-critical decisions.
Cyware Publisher