AstraLocker 2.0 is malware so dangerous that it infects you just by working in Word

No everyday use of our computer is free from the risk of infection by all kinds of viruses or malware. Even a routine task like opening Word documents can end up causing serious complications.

Luckily, the way AstraLocker 2.0 works makes it easy to prevent… if you know how.

Dangerous, but with a low chance of biting

Although the damage AstraLocker 2.0 can do once it runs is serious, it also requires a high degree of user interaction, which increases the chances that victims will think twice before executing it. According to ReversingLabs, the campaign also shows a low level of skill on the attacker's part.

Infected document

The way this malware operates is closely related to Babuk ransomware. In fact, based on code analysis by ReversingLabs, it is believed that this version of AstraLocker is built on the leaked source code of Babuk, a buggy but still dangerous ransomware strain that came out in September 2021.

AstraLocker 2.0 is distributed as Microsoft Word attachments. An OLE (Object Linking and Embedding) object is embedded inside the document. If the user double-clicks the icon of this embedded object, Word attempts to run an installer called WordDocumentDOC.exe. If the user accepts the execution prompt, the malware encrypts all of the user's data and makes normal use of the device impossible.
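Because the delivery path relies on an OLE object embedded in a .docx, a defender can triage incoming documents before anyone double-clicks anything. The following is an added example (it is not code from the article or from ReversingLabs): it unpacks a .docx, lists the embedded OLE parts, counts "Package" objects (the kind used to embed arbitrary files) and flags payloads that carry the markers of a Windows executable. The sample document is constructed in memory; the file name WordDocumentDOC.exe is taken from the article, while the payload bytes are a stand-in, not a real compound file, and the function names are mine.

```python
import io
import re
import zipfile

# Relationship type Word uses for embedded OLE objects in OOXML (.docx) parts.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
DOS_STUB = b"This program cannot be run in DOS mode"

def build_sample_docx() -> bytes:
    """Constructed sample (not a real AstraLocker lure): a minimal .docx with a
    Packager OLE object whose payload carries PE markers. The embedded file
    name is the one named in the article; the .bin is not a real CFB file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
                   '<w:document><o:OLEObject Type="Embed" ProgID="Package" '
                   'r:id="rId5"/></w:document>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId5" '
                   f'Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>'
                   '</Relationships>')
        z.writestr("word/embeddings/oleObject1.bin",
                   b"\x00" * 16 + b"WordDocumentDOC.exe\x00"
                   + b"MZ" + b"\x90" * 14 + DOS_STUB)
    return buf.getvalue()

def inspect_docx(data: bytes) -> dict:
    """Heuristic triage of a .docx: list embedded OLE parts, count Packager
    objects (embedded files rather than charts or spreadsheets), and flag
    payloads that contain the MZ header and DOS stub of a PE executable."""
    report = {"ole_parts": [], "package_objects": 0, "pe_payloads": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        read = lambda n: z.read(n) if n in names else b""
        doc = read("word/document.xml").decode("utf-8", "replace")
        rels = read("word/_rels/document.xml.rels").decode("utf-8", "replace")
        report["package_objects"] = len(re.findall(r'ProgID="Package"', doc))
        for rel in re.findall(r"<Relationship\b[^>]*>", rels):
            target = re.search(r'Target="([^"]+)"', rel)
            if OLE_REL not in rel or not target:
                continue
            part = "word/" + target.group(1)
            report["ole_parts"].append(part)
            blob = read(part)
            if b"MZ" in blob and DOS_STUB in blob:
                name = re.search(rb"[\w.\- ]+\.exe", blob, re.IGNORECASE)
                report["pe_payloads"].append(
                    (part, name.group(0).decode() if name else "<unnamed>"))
    return report
```

A document that reports any Package object or PE-looking payload deserves to be quarantined for analysis rather than opened, regardless of how harmless its embedded icon looks.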

How to recover your files from this malware

In the event of a successful infection, which is unlikely given the number of suspicious steps the user has to go through, you will need a tool to decrypt the data. This is where the malware authors try to cash in: they ask for a payment of 50 dollars in XMR (Monero) or Bitcoin in exchange for the decryption tool. Victims paying in Bitcoin are told to send the transaction ID to astralocker2@tutanota.com. The ransom note also claims that there is no other way to decrypt the files.

AstraLocker 2.0 ransom note

Once it has infected a machine, AstraLocker 2.0 encrypts the files and appends the extension ".AstraLocker" or ".Astra" (depending on the variant) to the file names. It also drops a file named "Recover_Your_Files.html" containing the ransom note. According to that note, renaming files to change their extensions will damage them permanently.

An example of how AstraLocker 2.0 renames files: "1.jpg" becomes "1.jpg.Astra" or "1.jpg.AstraLocker", "2.png" becomes "2.png.Astra" or "2.png.AstraLocker", and so on. Simply removing the appended extension does not undo the encryption, which is how victims end up being pushed toward paying.