Victims Received Free Decryptor from Hackers
Free AstraLocker and Yashma Ransomware Keys
The criminals behind the AstraLocker ransomware attacks recently did something rare for threat actors on the dark web. The Bleeping Computer website revealed that its analysts were contacted by the creator of the ransomware, who said that they had released the decryption keys.
With the keys public, victims can download the released files and recover their encrypted data. The keys were made available because the criminals claimed they had moved on to what they consider bigger and more profitable activity, namely illicit crypto mining. The AstraLocker operator told BleepingComputer that they had officially shut down the group's ransomware operation.
Announcing the switch to illegal crypto mining, the hackers stated, "The good things in life always come to an end. Decryptors are clean and in zip files." The creator of AstraLocker added, "I'm currently finished with ransomware. I'm going to the cryptojacking..... LOL."
Shortly after the announcement, the AstraLocker and Yashma decryptors appeared on VirusTotal, the malware-analysis service. The file uploaded by the ransomware author was a zip archive.
AstraLocker and Yashma Decryptor Instructions
A free decryption tool is now available to victims with the help of the New Zealand security company Emsisoft. Organisations hit by AstraLocker or Yashma can recover their files without paying a hefty ransom to the threat actors.
In its announcement, Emsisoft advised victims that they can recover encrypted files with a free program downloadable from Emsisoft's servers. A PDF with step-by-step instructions for running the Yashma and AstraLocker decryptors was also provided.
Emsisoft also warned that affected systems must be quarantined and the malware properly removed before decrypting; otherwise the infection can spread again and the ransomware will keep encrypting important files.
“The decryptor by default re-populates all drives that are currently linked to the infected local network system. The ‘Add’ button adds more places. If the decrypted files are not similar, the decryptor keys allow the preservation of the encrypted files as a failsafe.”
Other Ransomware Decryptor Keys
Additionally, Emsisoft explained, "The AstraLocker decryptor is for the Babuk-based one using the .Astra or .babyk extension; a total of 8 decryptor keys were released by the hackers. Three keys were identified for the Chaos-based Yashma decryptor, which uses the .AstraLocker or a random .[a-z0-9]{4} extension."
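Because the two families leave different extensions behind, the first job on a hit file server is to inventory what is actually encrypted so the right decryptor (AstraLocker or Yashma) is run, and, after the run, to see which encrypted copies are still sitting there without a decrypted counterpart. The script below is an added example, not code from the article or from Emsisoft's decryptor. It assumes, as Babuk- and Chaos-based lockers generally do, that the ransomware appends its extension to the original file name (report.docx becomes report.docx.babyk); the file listings are constructed sample data. A random four-character extension also matches ordinary files such as config.json, so a file with only one such suffix is never flagged, and a double-suffix match is reported only as a candidate for manual confirmation.

```python
# Added example: triage a file listing by ransomware family (AstraLocker vs.
# Yashma) from the extensions Emsisoft lists, and find encrypted files that
# still have no decrypted twin after the decryptor has run.
import re
from collections import Counter
from pathlib import PurePosixPath

# Extension mapping as stated by Emsisoft in the article.
ASTRALOCKER_EXTS = {".Astra", ".babyk"}              # Babuk-based AstraLocker
YASHMA_FIXED_EXT = ".AstraLocker"                    # Chaos-based Yashma
YASHMA_RANDOM_EXT = re.compile(r"^\.[a-z0-9]{4}$")   # Yashma's random extension

ASTRALOCKER = "astralocker"
YASHMA = "yashma"
YASHMA_CANDIDATE = "yashma_candidate"   # random 4-char extension: confirm by hand
UNTOUCHED = "untouched"


def classify(path: str) -> str:
    """Classify one path by its trailing extension.

    Assumption (not stated on the page): both families append their extension
    to the original name, so an encrypted file carries two suffixes, e.g.
    report.docx.babyk. A lone 4-character extension (config.json) is normal,
    so it is never flagged; a double-suffix random match is only a candidate.
    """
    suffixes = PurePosixPath(path).suffixes
    if not suffixes:
        return UNTOUCHED
    last = suffixes[-1]
    if last in ASTRALOCKER_EXTS:
        return ASTRALOCKER
    if last == YASHMA_FIXED_EXT:
        return YASHMA
    if len(suffixes) >= 2 and YASHMA_RANDOM_EXT.match(last):
        return YASHMA_CANDIDATE
    return UNTOUCHED


def triage(paths) -> Counter:
    """Count files per family; a non-zero family tells you which decryptor to run."""
    return Counter(classify(p) for p in paths)


def strip_ransom_ext(path: str) -> str:
    """Name the decryptor should write, e.g. a/b.docx.babyk -> a/b.docx."""
    p = PurePosixPath(path)
    if not p.suffix:
        return path
    return str(p.with_name(p.name[: -len(p.suffix)]))


def leftover_encrypted(paths_after_run):
    """Encrypted files with no decrypted counterpart beside them.

    The decryptor keeps the encrypted copy when its output does not check
    out, so after a run these are the files to retry or report.
    """
    present = set(paths_after_run)
    return sorted(
        p for p in present
        if classify(p) != UNTOUCHED and strip_ransom_ext(p) not in present
    )


# Constructed sample listing before decryption (hypothetical paths).
SAMPLE_LISTING = [
    "share/finance/report.docx.babyk",
    "share/finance/budget.xlsx.babyk",
    "share/db/backup.sql.Astra",
    "share/hr/photo.jpg.AstraLocker",
    "share/hr/notes.txt.k3x9",
    "share/web/config.json",     # single 4-char extension: never flagged
    "share/web/index.html",
    "share/it/readme.txt",
]

# Constructed listing after a decryptor run: two files recovered, one not.
SAMPLE_AFTER_RUN = [
    "share/finance/report.docx",
    "share/finance/report.docx.babyk",   # kept beside its decrypted copy
    "share/finance/budget.xlsx",
    "share/db/backup.sql.Astra",         # still no backup.sql: needs a look
    "share/web/config.json",
]

if __name__ == "__main__":
    counts = triage(SAMPLE_LISTING)
    for family in (ASTRALOCKER, YASHMA, YASHMA_CANDIDATE, UNTOUCHED):
        print(f"{family:17} {counts[family]}")
    print("still encrypted after run:", leftover_encrypted(SAMPLE_AFTER_RUN))
```

On a real share you would feed the script the output of a recursive listing taken from a clean analysis host, not run it on the infected machine, and treat every `yashma_candidate` hit as something to confirm by inspecting the file before counting it.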
Emsisoft also urged AstraLocker and Yashma victims to reset all Windows Remote Desktop passwords and to check the remote-access accounts the attackers may have used to get in for any malware they installed.
Notably, ransomware groups have released decryption tools in the past for the following families: Ragnarok, Avaddon, SynAck, AES-NI, Shade, FilesLocker, TeslaCrypt, Crysis, Ziggy, and FonixLocker.