Free decryptor released for AstraLocker, Yashma ransomware victims

New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom.

The free tool is available for download from Emsisoft's servers, and it allows you to recover encrypted files using easy-to-follow instructions available in this usage guide [PDF].

"Be sure to quarantine the malware from your system first, or it may repeatedly lock your system or encrypt files," Emsisoft warned.

"By default, the decryptor will pre-populate the locations to decrypt with the currently connected drives and network drives. Additional locations can be added using the 'Add' button."

The ransomware decryptor will allow you to keep the files encrypted in the attack as a failsafe if the decrypted files are not identical to the original documents.

"The AstraLocker decryptor is for the Babuk-based one using .Astra or .babyk extension, and they released a total of 8 keys," Emsisoft added.

"The Yashma decryptor is for the Chaos-based one using .AstraLocker or a random .[a-z0-9]{4} extension, and they released a total of 3 keys."

Emsisoft also advised AstraLocker and Yashma victims whose systems were compromised via Windows Remote Desktop to change the passwords for all user accounts that have permissions to log in remotely and to look for other local accounts the ransomware operators might have added.

The decryptor was released after the threat actor behind AstraLocker ransomware told BleepingComputer this week that they're shutting down the operation with a plan to switch to cryptomining.

"It was fun, and fun things always end sometime. I'm closing the operation, decryptors are in zip files, clean. I will come back," AstraLocker's developer told us. "I'm done with ransomware for now. I'm going in cryptojaking lol."

The ransomware developer shared a ZIP archive with AstraLocker and Yashma decryptors they submitted to the VirusTotal malware analysis platform.

Even though they did not reveal the reason behind the AstraLocker shutdown, the most likely cause is the sudden publicity brought by recent reports that would have landed the operation in law enforcement crosshairs.

AstraLocker is based on Babuk Locker (Babyk) ransomware, a buggy yet still dangerous strain that had its source code leaked in September on a hacker forum.

While it doesn't happen very often, other ransomware groups had also released decryption keys and decryptors to BleepingComputer and security researchers in the past, either as a gesture of goodwill when shutting down or when they released new versions.

The list of previously released decryption tools includes Ragnarok, Avaddon, SynAck, AES-NI, Shade, FilesLocker, TeslaCrypt, Crysis, Ziggy, and FonixLocker.