August 14, 2022
AstraLocker and Yashma ransomware victims can recover their files for free

New Zealand-based cybersecurity firm Emsisoft has released a free decryptor tool that allows victims of the AstraLocker and Yashma ransomware to recover their files without paying a ransom.

Emsisoft’s free tool is available for download from Emsisoft’s servers, and it allows you to recover encrypted files using the easy-to-follow instructions available in this usage guide.

Emsisoft states that the AstraLocker decryptor works for ransomware versions based on the Babuk malware that append the .Astra or .babyk extensions to the names of the encrypted files.

“Be sure to quarantine the malware from your system first, or it may repeatedly lock your system or encrypt files,” Emsisoft warned.

The Yashma decryptor released by the company works for the Chaos-based versions using the .AstraLocker extension or a random .[a-z0-9]{4} extension.
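To scope an incident before running either decryptor, the extensions quoted above can be used to triage files. The following is an added example (not Emsisoft's code) that labels paths by the extension families the article lists; the allowlist of common four-character extensions is an assumption added here, because the random `.[a-z0-9]{4}` pattern also matches ordinary files such as `.docx`.

```python
import re
from pathlib import PurePath

# Extensions named in the article for each decryptor.
ASTRALOCKER_BABUK_EXTS = {".astra", ".babyk"}   # Babuk-based AstraLocker
YASHMA_CHAOS_EXTS = {".astralocker"}            # Chaos-based Yashma
# Random 4-character extension pattern quoted for Yashma (applied to a lowercased suffix).
RANDOM_EXT_RE = re.compile(r"^\.[a-z0-9]{4}$")

# Assumption (not from the article): common 4-character extensions that should not
# be flagged, since the random pattern alone would match every .docx or .json file.
COMMON_4CHAR_EXTS = {".docx", ".xlsx", ".pptx", ".json", ".html", ".jpeg", ".yaml", ".webp"}

def classify(path: str) -> str:
    """Return a triage label for one path based on its final extension."""
    ext = PurePath(path).suffix.lower()
    if ext in ASTRALOCKER_BABUK_EXTS:
        return "astralocker-babuk"
    if ext in YASHMA_CHAOS_EXTS:
        return "yashma-chaos"
    if RANDOM_EXT_RE.match(ext) and ext not in COMMON_4CHAR_EXTS:
        # Only a weak signal: confirm with a ransom note or sample before acting.
        return "possible-yashma-random-ext"
    return "unaffected"

def triage(paths):
    """Group paths by triage label; returns {label: sorted list of paths}."""
    groups = {}
    for p in paths:
        groups.setdefault(classify(p), []).append(p)
    return {label: sorted(group) for label, group in groups.items()}

# Constructed sample listing, not data from a real incident.
SAMPLE_PATHS = [
    "report.docx.Astra",
    "invoice.pdf.babyk",
    "notes.txt.AstraLocker",
    "budget.xlsx.k7q2",
    "photo.jpeg",
    "readme.md",
]

if __name__ == "__main__":
    for label, files in triage(SAMPLE_PATHS).items():
        print(f"{label}: {files}")
```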

The decryptor also lets you keep the encrypted copies of the files as a failsafe, in case the decrypted files turn out not to be identical to the original documents.

The researchers also shared a step-by-step guide to using their tool and a series of recommendations to sanitize the victims’ systems.

Emsisoft also advised AstraLocker and Yashma victims whose systems were compromised via Windows Remote Desktop to change the passwords of all users that are allowed to log in remotely and to check the local user accounts for additional accounts the attacker might have added.

By default, the decryptor will not remove any encrypted files at the end of the decryption process. This option was implemented because the tool cannot guarantee that the decrypted data is identical to the data that was originally encrypted.

The decryptor was released shortly after the threat actor behind the AstraLocker ransomware said this week that they are shutting down the operation and plan to switch to crypto mining.

AstraLocker is based on the source code of the Babuk Locker (Babyk) ransomware that was leaked online in June 2021.

Although the group did not reveal the reason behind the AstraLocker shutdown, the most likely cause is pressure from law enforcement in response to its recent attacks.
