Description
RaaS first seen in 2021 initially called Vasa Locker.
General
Target
Size
Sample
2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce
189KB
210917-q3t36afgd7
Score
10/10
MD5
SHA1
SHA256
SHA512
3abc424623ccc9beb2521af2cf398bcc
8411b13100ce1128a0d7672d18b7eb4f605ed20f
2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce
273c21f0ef47228ac0db7fc317a5b6916627461c29d503d68d28670d86a5fda6a39f55124218380a60002da520bf7ad1c4cd9f63dd1e74e628459184f45ce33a
Malware Config
Extracted
| Path | C:\How To Restore Your Files.txt |
| Ransom Note |
***************************
* AstraLocker *
***************************
What happend?
----------------------------------------------
All Your files has been succesfully encrypted by AstraRansomware.
What is AstraLocker?
----------------------------------------------
AstraLocker is a modifiend version of a BabukLocker
More about BabukLocker: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/
Can I get My files back?
----------------------------------------------
Sure! But You dont have much time for this.
Your computer is infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without my help.
What can I do to get my files back?
----------------------------------------------
You can buy my decryption software, this software will allow you to recover all of your data and remove the Ransomware from your computer.
The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only.
What guarantees?
----------------------------------------------
I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests.
All my decryption software is perfectly tested and will decrypt your data.
How do I pay, where do I get Monero or Bitcoin?
----------------------------------------------
Purchasing Monero or Bitcoin varies from country to country, you are best advised to do a quick Google search
yourself to find out how to buy Monero or Bitcoin.
Amount of Bitcoin to pay: 0,00111 BTC (Bitcoin)
or
Amount of Monero to pay: 0.20 XMR (Monero)
Where i can pay?
----------------------------------------------
Monero Address:
47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS
Bitcoin Addres:
bc1qel4nlvycjftvvnw32e05mhhxfzy7hjqkjh82ez
Contact
----------------------------------------------
After payment contact: AstraRansomware@protonmail.com to get the decryptor
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!
***************************
* AstraLocker *
***************************
|
| Emails |
AstraRansomware@protonmail.com |
| Wallets |
bc1qel4nlvycjftvvnw32e05mhhxfzy7hjqkjh82ez |
| URLs |
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/babuk-ransomware/ |
Targets
Target
MD5
Filesize
2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce
3abc424623ccc9beb2521af2cf398bcc
189KB
Score
10/10
SHA1
SHA256
SHA512
8411b13100ce1128a0d7672d18b7eb4f605ed20f
2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce
273c21f0ef47228ac0db7fc317a5b6916627461c29d503d68d28670d86a5fda6a39f55124218380a60002da520bf7ad1c4cd9f63dd1e74e628459184f45ce33a
Tags
Signatures
-
Babuk Locker
-
Deletes shadow copies
Description
Ransomware often targets backup files to inhibit system recovery.
Tags
TTPs
-
Executes dropped EXE
-
Modifies extensions of user files
Description
Ransomware generally changes the extension on encrypted files.
Tags
-
Loads dropped DLL
-
Enumerates connected drives
Description
Attempts to read the root path of hard drives other than the default C: drive.
TTPs
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks
static1
Score
N/A
behavioral1
Score
10/10
behavioral2
Score
10/10