A new version of the AstraLocker ransomware, AstraLocker 2.0, has just been released. This updated version is what some threat analysts call a rapid-attack, or smash-and-grab, style of ransomware. The AstraLocker 2.0 developers distribute their malicious payload through Microsoft Word attachments in emails, using VBA macros. The user has to open the attachment and then click an icon in the document to activate the OLE object that carries the payload. Double-clicking the icon triggers a security warning, and the user is then prompted to run a file, WordDocumentDOC.exe.
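As an added illustration (not code from the original post, and not from any published AstraLocker analysis), the check below parses an Office Open XML document for the two artifacts the lure described above relies on: a VBA project part and an embedded OLE object that packages an executable. The sample document is constructed in memory; the part names and magic bytes are the standard OOXML and OLE ones, while the risk labels and the `inspect_docx` name are this example's own.

```python
import io
import re
import zipfile

# Standard signatures: the OLE compound file header (vbaProject.bin and embedded
# OLE objects both use this container) and the DOS/PE executable stub.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PE_STUB = re.compile(rb"MZ.{0,512}?This program cannot be run in DOS mode", re.S)


def build_sample_docx(with_vba: bool, with_embedded_exe: bool) -> bytes:
    """Constructed sample: a minimal OOXML package (real files have many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", CFB_MAGIC + b"\x00" * 64)
        if with_embedded_exe:
            # An OLE "Package" object wrapping an executable: CFB container,
            # then the packaged file's own bytes (PE header + DOS stub).
            packaged = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode"
            z.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 32 + packaged)
    return buf.getvalue()


def inspect_docx(data: bytes) -> dict:
    """Triage an OOXML document given as bytes; only reads the archive, runs nothing."""
    findings = {"has_vba": False, "embedded_objects": [], "embedded_pe": [], "risk": "low"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lname = name.lower()
            if lname == "word/vbaproject.bin":
                findings["has_vba"] = True
            elif lname.startswith("word/embeddings/"):
                findings["embedded_objects"].append(name)
                blob = z.read(name)
                # Only flag as a packaged executable if the container is OLE
                # and the PE stub text sits inside it.
                if blob.startswith(CFB_MAGIC) and PE_STUB.search(blob):
                    findings["embedded_pe"].append(name)
    if findings["embedded_pe"]:
        findings["risk"] = "high"      # an executable is packaged inside the document
    elif findings["has_vba"] or findings["embedded_objects"]:
        findings["risk"] = "medium"    # macro code or an unexplained embedded object
    return findings


if __name__ == "__main__":
    for vba, exe in [(False, False), (True, False), (True, True)]:
        print(f"vba={vba} embedded_exe={exe} ->", inspect_docx(build_sample_docx(vba, exe)))
```

On real samples the same two questions are what the oletools utilities olevba and oleobj answer in more depth; the point of the standalone check is that a mail gateway or sandbox can rank "embedded executable inside a macro document" as high risk before any user sees the security warning the post describes.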
Delivering the payload directly in the email attachment is unusual: it skips the staged steps threat actors normally use to evade modern email security scanning tools and the other triggers that alert a security operations center. AstraLocker 2.0 instead goes for a hard, immediate hit on whatever its operators can reach at once, rather than the patient, methodical approach most ransomware attackers take.
AstraLocker 2.0 attempts to disable anti-malware protections and EDR software. It also kills any other running processes that could interfere with encrypting data. Like all modern ransomware, AstraLocker 2.0 deletes shadow copies and thereby jeopardizes your ability to recover.
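To show how the behaviors described above look from the detection side, here is an added example (not from the original post or from any published AstraLocker analysis) that runs three process-creation rules over constructed, Sysmon-style events. It generalizes slightly beyond the post: the shadow-copy deletion command lines (vssadmin, wmic, wbadmin) are the well-known built-in ones rather than anything the post attributes to AstraLocker specifically; the event shape, file paths and rule names are this example's own.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (assumed shape, modelled on Sysmon event 1)."""
    parent_image: str
    image: str
    command_line: str


# Well-known recovery-tampering tools and command lines; none are AstraLocker-specific.
SHADOW_TOOLS = {"vssadmin.exe", "wmic.exe", "wbadmin.exe"}
SHADOW_CMD = re.compile(r"delete\s+shadows|shadowcopy\s+delete|delete\s+catalog", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Locations a document lure can write to without elevated rights.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_office_spawned_executable(ev: ProcessEvent) -> bool:
    """Word/Excel/PowerPoint launching an .exe from a user-writable location."""
    return (_base(ev.parent_image) in OFFICE_APPS
            and _base(ev.image).endswith(".exe")
            and bool(USER_WRITABLE.search(ev.image)))


def rule_shadow_copy_deletion(ev: ProcessEvent) -> bool:
    """Volume Shadow Copy or backup catalog deletion through built-in tools."""
    return _base(ev.image) in SHADOW_TOOLS and bool(SHADOW_CMD.search(ev.command_line))


def rule_forced_process_kill(ev: ProcessEvent) -> bool:
    """Forced taskkill issued by a parent that itself lives in a user-writable path."""
    return (_base(ev.image) == "taskkill.exe"
            and bool(re.search(r"(^|\s)/f(\s|$)", ev.command_line, re.I))
            and bool(USER_WRITABLE.search(ev.parent_image)))


RULES = {
    "office_spawned_executable": rule_office_spawned_executable,
    "shadow_copy_deletion": rule_shadow_copy_deletion,
    "forced_process_kill": rule_forced_process_kill,
}


def detect(events):
    """Return (event_index, rule_name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def distinct_rules(alerts) -> int:
    """Count distinct behaviours seen; several in a short window is the smash-and-grab pattern."""
    return len({name for _, name in alerts})


# Constructed sample telemetry (not real logs). The payload file name comes from the
# post; its path and everything else here are made up for the example.
PAYLOAD = r"C:\Users\alice\AppData\Local\Temp\WordDocumentDOC.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", WINWORD, "WINWORD.EXE /n invoice.docm"),
    ProcessEvent(WINWORD, PAYLOAD, "WordDocumentDOC.exe"),
    ProcessEvent(PAYLOAD, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcessEvent(PAYLOAD, r"C:\Windows\System32\wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcessEvent(PAYLOAD, r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM sqlservr.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for index, name in found:
        print(f"event {index}: {name}: {SAMPLE_EVENTS[index].command_line}")
    print("distinct behaviours:", distinct_rules(found))
```

Each rule on its own is noisy in a large estate (administrators do run vssadmin), which is why the example also counts distinct behaviours per host: an Office-spawned executable followed within minutes by shadow-copy deletion and forced process kills is exactly the fast, loud sequence the post describes, and is a reasonable trigger for automated isolation rather than a ticket.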
To avoid becoming hostage to AstraLocker or other types of ransomware and malware, it is crucial to maintain recent offline backups of your most important files and data. Adopt a ‘defense-in-depth’ approach, using layers of defense with several mitigations at each layer; this gives you more opportunities to detect malware and stop it before it causes serious harm to your business.
If you want to learn more about how to best prepare and protect your business from ransomware and other threats, check out our blog, Reduce the Risk of Ransomware & Other Cyber Attacks.