{
	"id": "70a1d24b-b521-4fff-b3c9-a4c4b1089134",
	"created_at": "2026-04-06T00:15:05.627713Z",
	"updated_at": "2026-04-10T13:12:13.362442Z",
	"deleted_at": null,
	"sha1_hash": "305cb47a7f964b795ec247bf3c3fcc5a6ed5b35e",
	"title": "AstraLocker ransomware shuts down and releases decryptors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3630192,
	"plain_text": "AstraLocker ransomware shuts down and releases decryptors\r\nBy Sergiu Gatlan\r\nPublished: 2022-07-04 · Archived: 2026-04-05 23:08:45 UTC\r\nThe threat actor behind the lesser-known AstraLocker ransomware told BleepingComputer they're shutting down the\r\noperation and plan to switch to cryptojacking.\r\nThe ransomware's developer submitted a ZIP archive with AstraLocker decryptors to the VirusTotal malware analysis\r\nplatform.\r\nBleepingComputer downloaded the archive and confirmed that the decryptors are legitimate and working after testing one of\r\nthem against files encrypted in a recent AstraLocker campaign.\r\nhttps://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/\r\nPage 1 of 5\n\nWhile we only tested one decryptor that successfully decrypted files locked in one campaign, other decryptors in the archive\r\nare likely designed to decrypt files encrypted in previous campaigns.\r\nAstraLocker decryptors (BleepingComputer)\r\n\"It was fun, and fun things always end sometime. I'm closing the operation, decryptors are in zip files, clean. I will come\r\nback,\" AstraLocker's developer said. \"I'm done with ransomware for now. 
I'm going in cryptojacking lol.\"\r\nWhile the developer did not reveal the reason behind the AstraLocker shutdown, it’s likely due to the sudden publicity\r\nbrought by recent reports that would land the operation in law enforcement’s crosshairs.\r\nAstraLocker decryption demo (BleepingComputer)\r\nA universal decryptor for AstraLocker ransomware is currently in the works, to be released in the future by Emsisoft, a\r\nsoftware company known for helping ransomware victims with data decryption.\r\nWhile it doesn't happen as often as we'd like, other ransomware groups have released decryption keys and decryptors to\r\nBleepingComputer and security researchers as a gesture of goodwill when shutting down or releasing new versions.\r\nThe list of decryption tools released in the past includes Avaddon, Ragnarok, SynAck, TeslaCrypt, Crysis, AES-NI, Shade,\r\nFilesLocker, Ziggy, and FonixLocker.\r\nAstraLocker ransomware background\r\nAs threat intelligence firm ReversingLabs recently revealed, AstraLocker used a somewhat unorthodox method of\r\nencrypting its victims' devices compared to other ransomware strains.\r\nInstead of first compromising the device (either by hacking it or buying access from other threat actors), AstraLocker's\r\noperator would directly deploy the payloads from email attachments using malicious Microsoft Word documents.\r\nThe lures used in AstraLocker attacks are documents hiding an OLE object with the ransomware payload that will get\r\ndeployed after the target clicks Run in the warning dialog displayed when opening the document.\r\nAstraLocker ransom note (ReversingLabs)\r\nBefore encrypting files on the now-compromised device, the ransomware will check if it's running in a virtual machine, kill\r\nprocesses and stop backup and AV services that would hinder the encryption process.\r\nBased on ReversingLabs' analysis, 
AstraLocker is based on the leaked Babuk Locker (Babyk) ransomware source code, a\r\nbuggy but still dangerous strain that exited the space in September 2021.\r\nAdditionally, one of the Monero wallet addresses in AstraLocker's ransom note was also linked to the operators of Chaos\r\nransomware.\r\nSource: https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/"
	],
	"report_names": [
		"astralocker-ransomware-shuts-down-and-releases-decryptors"
	],
	"threat_actors": [],
	"ts_created_at": 1775434505,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/305cb47a7f964b795ec247bf3c3fcc5a6ed5b35e.pdf",
		"text": "https://archive.orkl.eu/305cb47a7f964b795ec247bf3c3fcc5a6ed5b35e.txt",
		"img": "https://archive.orkl.eu/305cb47a7f964b795ec247bf3c3fcc5a6ed5b35e.jpg"
	}
}