The group behind the AstraLocker 2.0 ransomware is satisfied with little, just 50 dollars: spread through e-mail and Word documents, it takes user data hostage by encrypting it so that it cannot be recovered without the attackers' help.
One of the most widespread categories of malware is ransomware: programs that encrypt other people's data and demand a ransom to "free" it. The new AstraLocker 2.0 belongs to this type of threat and has recently been reported in action against Windows computers.
According to the security company ReversingLabs, AstraLocker 2.0, derived from the Babuk ransomware that circulated last September, is spreading right now through spam e-mails carrying a Word document as an attachment, inside which the malware is hidden. Unlike most malware, which only acts after several preparatory stages, AstraLocker 2.0 wastes no time in doing damage.
When the user double-clicks to open the attached document, what they find is an embedded OLE object rather than a macro to enable: this is the route the attackers chose to start the malicious payload. If the user also clicks on this object, shown in the Word file as an icon, a security warning appears stating that the publisher of the file "WordDocumentDOC.exe" cannot be verified and asking whether they really want to proceed.
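Because the delivery relies on an embedded OLE object rather than a macro, a macro-only scan of the attachment would miss it. The following is an added example, not code from the article or from ReversingLabs: a small scanner that opens a .docx as the ZIP archive it is, looks for embedded OLE objects under word/embeddings/ (the standard OOXML location, assumed here) and flags any that contain a Windows PE image. The ProgID "Package", which Word uses for a file embedded through the Packager, and the ".docx" layout built by `build_sample_docx` are assumptions for the example; the embedded blob is constructed and is not a real binary.

```python
"""Flag .docx attachments whose embedded OLE objects carry a PE executable.

Added example; not from the article or from ReversingLabs. Assumptions:
embedded objects live under word/embeddings/ in a .docx ZIP, and a
Packager-embedded file is declared with ProgID="Package" in document.xml.
"""
import io
import re
import zipfile

DOS_STUB = b"This program cannot be run in DOS mode"
PE_SIGNATURE = b"PE\x00\x00"


def looks_like_pe(blob):
    """True if a PE image appears anywhere in the blob.

    A Packager object wraps the file in an Ole10Native stream inside a
    compound file, so the MZ header is not at offset 0: search the whole blob.
    """
    mz = blob.find(b"MZ")
    return mz != -1 and (DOS_STUB in blob or PE_SIGNATURE in blob[mz:])


def embedded_executables(docx_bytes):
    """Archive paths of embedded OLE objects that contain a PE image."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [name for name in zf.namelist()
                if name.startswith("word/embeddings/")
                and looks_like_pe(zf.read(name))]


def ole_progids(docx_bytes):
    """ProgIDs declared on <o:OLEObject> elements in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml = zf.read("word/document.xml").decode("utf-8", "replace")
    return re.findall(r'<o:OLEObject[^>]*\bProgID="([^"]+)"', xml)


def verdict(docx_bytes):
    """Summarise the scan: a document is suspicious when an embedded object
    holds an executable, whatever ProgID it was declared with."""
    exes = embedded_executables(docx_bytes)
    return {"embedded_pe": exes,
            "progids": ole_progids(docx_bytes),
            "suspicious": bool(exes)}


def build_sample_docx(embedded_blob, progid="Package"):
    """Constructed minimal .docx for this example, not a real document."""
    doc_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:o="urn:schemas-microsoft-com:office:office"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:r><w:object>'
        f'<o:OLEObject Type="Embed" ProgID="{progid}" ShapeID="_x0000_i1025"'
        ' DrawAspect="Icon" ObjectID="_1" r:id="rId4"/>'
        '</w:object></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc_xml)
        zf.writestr("word/embeddings/oleObject1.bin", embedded_blob)
    return buf.getvalue()


# Constructed stand-in for a Packager-wrapped executable: a compound-file
# magic prefix, the file name the article reports, then an MZ header with a
# DOS stub and PE signature further in. Not a real binary.
FAKE_PACKAGED_EXE = (
    b"\xd0\xcf\x11\xe0" + b"\x00" * 64 + b"WordDocumentDOC.exe\x00"
    + b"MZ\x90\x00" + b"\x00" * 32 + DOS_STUB + b"\x00" * 16 + PE_SIGNATURE
)

if __name__ == "__main__":
    print(verdict(build_sample_docx(FAKE_PACKAGED_EXE)))
    print(verdict(build_sample_docx(b"%PDF-1.4 benign attachment")))
```

Searching the whole blob rather than checking offset 0 is the point: the executable sits inside an Ole10Native stream within a compound file, so a naive "does the file start with MZ" check on the embedding would report nothing.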
If the user then proceeds with yet another, imprudent click, AstraLocker 2.0 starts its routines. First, the malware checks that it is not running in a test environment or a sandbox; once it has confirmed that it is on a real machine, it deletes shadow copies to prevent data recovery, empties the recycle bin, and disables the antivirus and any other programs that might obstruct the encryption.
Once these steps are complete, AstraLocker 2.0 sends the user's data to the attacker's remote server and encrypts it in place, marking the files, depending on the version, with the extension "AstraLocker" or ".Astra". The attackers' last step is to display the ransom note, demanding 50 dollars to be paid in Bitcoin or Monero; after providing the ID of the payment transaction, the victim can request the file decryption program at the address [email protected].
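The chain described in the last three paragraphs (Word spawning the dropper, shadow copies deleted, recycle bin emptied, files renamed with the AstraLocker extensions) is what an endpoint detection would key on. The following is an added example, not code from the article or from ReversingLabs: detection logic run over constructed process-creation and file-rename log lines in a simple key=value format. The article does not say which commands AstraLocker 2.0 uses to delete shadow copies or empty the recycle bin, so the vssadmin, wmic and $Recycle.Bin patterns are assumptions based on the usual Windows methods; the dropper name and the two extensions are taken from the article.

```python
"""Detect the AstraLocker 2.0 behaviour chain in constructed endpoint logs.

Added example; not from the article or from ReversingLabs. The shadow-copy
and recycle-bin command patterns are assumptions (the article does not name
the commands used); WordDocumentDOC.exe and the .AstraLocker/.Astra
extensions come from the article.
"""
import re

# Assumed patterns for the usual shadow-copy deletion methods on Windows.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy)", re.IGNORECASE)
# Assumed pattern for wiping the recycle bin from a command line.
RECYCLE_BIN_WIPE = re.compile(r"\$Recycle\.Bin", re.IGNORECASE)
# Extensions reported in the article, assumed to be appended to the name.
ENCRYPTED_EXT = re.compile(r"\.(AstraLocker|Astra)$", re.IGNORECASE)
# Dropper name reported in the article.
DROPPER = re.compile(r"WordDocumentDOC\.exe$", re.IGNORECASE)


def parse_line(line):
    """Parse 'key=value key="quoted value"' into a dict."""
    return {k: v.strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def classify(event):
    """Return the set of indicator names that fire for one parsed event."""
    tags = set()
    cmd = event.get("cmd", "")
    if event.get("type") == "process":
        parent_is_word = "WINWORD" in event.get("parent", "").upper()
        if parent_is_word and DROPPER.search(event.get("image", "")):
            tags.add("office_spawned_dropper")
        if SHADOW_DELETE.search(cmd):
            tags.add("shadow_copy_deletion")
        if RECYCLE_BIN_WIPE.search(cmd):
            tags.add("recycle_bin_wipe")
    elif event.get("type") == "file_rename":
        if ENCRYPTED_EXT.search(event.get("target", "")):
            tags.add("astralocker_extension")
    return tags


def triage(lines):
    """Count indicator hits over a batch of lines and report whether the
    full chain (dropper, shadow deletion, renamed files) is present."""
    counts = {}
    for line in lines:
        for tag in classify(parse_line(line)):
            counts[tag] = counts.get(tag, 0) + 1
    chain = {"office_spawned_dropper", "shadow_copy_deletion",
             "astralocker_extension"}
    return counts, chain.issubset(counts)


# Constructed sample log lines for this example (not real telemetry).
SAMPLE_LOG = [
    'type=process parent=WINWORD.EXE image=WordDocumentDOC.exe '
    'cmd="C:\\Users\\u\\AppData\\Local\\Temp\\WordDocumentDOC.exe"',
    'type=process parent=WordDocumentDOC.exe image=vssadmin.exe '
    'cmd="vssadmin delete shadows /all /quiet"',
    'type=process parent=WordDocumentDOC.exe image=cmd.exe '
    'cmd="cmd /c rd /s /q C:\\$Recycle.Bin"',
    'type=file_rename source="C:\\Users\\u\\Documents\\budget.xlsx" '
    'target="C:\\Users\\u\\Documents\\budget.xlsx.Astra"',
    'type=file_rename source="C:\\Users\\u\\Documents\\notes.txt" '
    'target="C:\\Users\\u\\Documents\\notes.txt.AstraLocker"',
    'type=process parent=explorer.exe image=notepad.exe '
    'cmd="notepad.exe readme.txt"',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The chain condition is deliberately stricter than any single indicator: an Office process spawning an unsigned executable, or a shadow-copy deletion, each happen legitimately on some hosts, but their combination with mass renames to the extensions the article reports is what justifies isolating the machine.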