Victims of AstraLocker and Yashma ransomware can now rest easy as a free decryptor has been released.
Ransomware activity has increased significantly in recent years. The damage these operations cause usually stems from the same playbook: deploy the malware, steal personal data, and hold the victim's files hostage for ransom.
However, with AstraLocker and Yashma ransomware, users will no longer need to pay the threat actors to decrypt their files.
Emsisoft, a cybersecurity company located in New Zealand, has created a free decryption tool to assist victims of the ransomware families known as AstraLocker and Yashma in recovering their files without having to pay the ransom.
Victims can now recover their encrypted data by downloading the free utility from Emsisoft's servers and following the straightforward procedure laid out in its usage guide.
AstraLocker Ransomware
Compared with other ransomware families, the way AstraLocker compromises and encrypts a victim's device is somewhat unconventional.
Rather than first breaching the device by hand or buying access from other threat actors, the AstraLocker operator drops the payload directly from malicious Microsoft Word documents sent as email attachments.
It was built from the leaked Babuk source code and appends either the ".Astra" or the ".babyk" extension to encrypted filenames.
Files are encrypted with a modified version of the HC-128 stream cipher, with Curve25519 used for the key exchange.
The operators behind this ransomware reportedly told BleepingComputer that they are shutting the operation down and plan to move to cryptojacking.
They did not say why they decided to change course and close AstraLocker.
However, many speculate that the unexpected notoriety brought by recent reports put the operation on the radar of law enforcement.
Yashma Ransomware
Yashma, on the other hand, is deployed under the name "AstraLocker 2.0."
The malware is based on the Chaos ransomware builder, which combines RSA-2048 and AES-128 to encrypt a victim's files.
Encrypted files are given either the ".AstraLocker" extension or a random four-character alphanumeric extension.
According to Emsisoft, "The Yashma decryptor is for the Chaos-based one using .AstraLocker or a random .[a-z0-9]{4} extension, and they released a total of 3 keys."
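Choosing the right decryptor starts with knowing which family touched a given machine or share, and the two families differ in the extensions they append. The Python script below is added here as an illustration; it is not part of the article or of Emsisoft's tooling. It classifies filenames by the extensions described above, treating any lowercase four-character extension as a Yashma candidate unless it is on a small constructed allow-list of common legitimate extensions; the sample file listing is likewise constructed for the example.

```python
import re
from collections import Counter
from pathlib import Path

# Extension patterns as described in the article: AstraLocker (Babuk-based)
# appends ".Astra" or ".babyk"; Yashma (Chaos-based) appends ".AstraLocker"
# or a random four-character [a-z0-9] extension.
ASTRALOCKER_EXTS = {".Astra", ".babyk"}
YASHMA_FIXED_EXT = ".AstraLocker"
YASHMA_RANDOM_EXT = re.compile(r"\.[a-z0-9]{4}")

# Legitimate four-character extensions that would otherwise match the random
# Yashma pattern. Constructed allow-list for this example; extend as needed.
COMMON_4CHAR_EXTS = {".docx", ".xlsx", ".pptx", ".html", ".json", ".jpeg",
                     ".yaml", ".toml", ".webp", ".flac", ".tiff"}


def classify(filename: str) -> str:
    """Label one filename by the ransomware family its extension points to.

    Returns "astralocker", "yashma", "yashma-candidate" (random-looking
    four-character extension, needs manual confirmation) or "unaffected".
    """
    # Path.suffix returns only the last extension, e.g. ".Astra" of "a.pdf.Astra"
    ext = Path(filename).suffix
    if ext in ASTRALOCKER_EXTS:
        return "astralocker"
    if ext == YASHMA_FIXED_EXT:
        return "yashma"
    if YASHMA_RANDOM_EXT.fullmatch(ext) and ext not in COMMON_4CHAR_EXTS:
        return "yashma-candidate"
    return "unaffected"


def triage(filenames) -> dict:
    """Count files per label so you know which decryptor (if any) applies."""
    return dict(Counter(classify(name) for name in filenames))


def scan_directory(root: str) -> dict:
    """Walk a directory tree and triage every regular file in it."""
    return triage(p.name for p in Path(root).rglob("*") if p.is_file())


# Constructed sample listing (not real victim data) to show the output shape.
SAMPLE_FILES = [
    "invoice.pdf.Astra",
    "q2-report.xlsx.babyk",
    "photo.jpg.AstraLocker",
    "notes.txt.k3x9",
    "budget.xlsx",
    "readme.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_FILES:
        print(f"{name:28} -> {classify(name)}")
    print(triage(SAMPLE_FILES))
```

The fixed extensions are the reliable signal; the random four-character match is only a heuristic, since any lowercase four-character extension satisfies it, so treat "yashma-candidate" hits as something to confirm (for example against the ransom note and a known-good copy of a file) before trusting a decryptor's output. Run `scan_directory("D:/shares")` or similar against a mounted copy of the affected volume rather than the live system, so the triage does not touch files the malware may still be encrypting.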
Ransomware Decryptor
For anyone who needs it, Emsisoft has released a full guide on decrypting files damaged by either malware family.
The company recommends taking the following steps before attempting decryption.
First, change the passwords of all accounts that can log in remotely.
Also check whether any new user accounts have been added to the device; the threat actors may have created them.
Second, quarantine the malware before decrypting any files.
Otherwise it may lock the system or encrypt files again. If the current antivirus software fails to detect it, the trial version of Emsisoft Anti-Malware can be used to quarantine it.