AstraLocker 2.0 is a ransomware variant belonging to the Babuk family. Its operators recently shipped its second major release, and according to threat analysts they are involved in rapid attacks that drop the payload directly from email attachments.
Once unpacked, AstraLocker 2.0 employs several tactics to evade detection and hamper recovery attempts.
From document to encryption
The lure used by AstraLocker 2.0 operators is a Microsoft Word document that hides an OLE object containing the ransomware payload. The embedded executable uses the file name “WordDocumentDOC.exe”.
To run the payload, the user must click “Run” in the warning dialog that appears when the document is opened, which further reduces the threat actors' chances of success.
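The lure is an OLE2 (.doc) container with an embedded Package object, so a defender can triage such attachments by looking for an Ole10Native stream whose data starts like a PE file. The following scanner is an added example, not code from the original report or from any analyst; it works on raw bytes with a heuristic header match rather than a full Compound File parse, and the sample document it builds is constructed for illustration only.

```python
import re
import struct

# Format constants (OLE2 Compound File and Ole10Native), not specific to this lure.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
OLE10_NATIVE = "\x01Ole10Native".encode("utf-16-le")  # directory-entry name of an embedded Package
DOS_STUB = b"This program cannot be run in DOS mode"
# Ole10Native header: u16 flags (=2), ANSI label\0, ANSI source path\0, u32 unknown,
# u32 temp-path length, temp path, u32 data size, data. The regex matches the first part.
_HDR = re.compile(rb"\x02\x00([\x20-\x7e]{1,260})\x00([\x20-\x7e]{1,260})\x00")


def find_ole10native_payloads(data: bytes) -> list:
    """Heuristically locate Ole10Native-style embedded files in raw document bytes."""
    found = []
    for m in _HDR.finditer(data):
        pos = m.end()
        try:
            _unknown, tmp_len = struct.unpack_from("<II", data, pos)
            (data_size,) = struct.unpack_from("<I", data, pos + 8 + tmp_len)
        except struct.error:
            continue                                   # not a real header / truncated
        blob = data[pos + 12 + tmp_len:pos + 12 + tmp_len + data_size]
        if len(blob) != data_size:
            continue
        found.append({"label": m.group(1).decode("ascii"),
                      "source_path": m.group(2).decode("ascii"),
                      "size": data_size,
                      "is_pe": blob.startswith(b"MZ") and DOS_STUB in blob})
    return found


def assess_document(data: bytes) -> dict:
    """Flag an OLE2 .doc that carries an executable inside an embedded Package object."""
    payloads = find_ole10native_payloads(data)
    suspicious = data.startswith(CFB_MAGIC) and OLE10_NATIVE in data \
        and any(p["is_pe"] for p in payloads)
    return {"is_cfb": data.startswith(CFB_MAGIC), "has_ole10native_entry": OLE10_NATIVE in data,
            "payloads": payloads, "suspicious": suspicious}


def build_sample() -> bytes:
    """Constructed stand-in for the lure (hypothetical bytes, NOT a real AstraLocker document)."""
    pe_like = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 32        # PE-looking blob, not runnable
    label, path = b"WordDocumentDOC.exe", b"C:\\Users\\victim\\WordDocumentDOC.exe"
    tmp = b"C:\\Temp\\WordDocumentDOC.exe\x00"
    body = (struct.pack("<H", 2) + label + b"\x00" + path + b"\x00" + struct.pack("<II", 0, len(tmp))
            + tmp + struct.pack("<I", len(pe_like)) + pe_like)
    stream = struct.pack("<I", len(body)) + body
    # header, zero padding, a directory entry carrying the stream name, then the stream itself
    return CFB_MAGIC + b"\x00" * 504 + OLE10_NATIVE.ljust(128, b"\x00") + b"\x00" * 384 + stream
```

Because the scan does not follow the FAT sector chain, a stream fragmented across non-contiguous sectors or a .docx (zip) container will be missed; for production triage, parse the container properly (for example with olefile/oletools) and feed each stream to `find_ole10native_payloads`.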
The AstraLocker 2.0 attack observed was unusual in several ways.
- The attackers opted to push ransomware to victims at the earliest stage of the attack.
- Once targets opened the malicious file attachment used as bait in the initial phishing attacks.