New AstraLocker Version Phishing Campaign

A low sophistication phishing campaign is deploying the AstraLocker 2.0 ransomware via malicious Microsoft Word documents.
New AstraLocker Version Phishing Campaign


On June 28, 2022, ReversingLABS researchers reported a phishing campaign using malicious Microsoft Office files to distribute the new 2.0 version of the AstraLocker ransomware. Researchers assess that the threat actors behind the campaign likely obtained the AstraLocker 2.0 code from the Babuk leak in September of 2021, based on shared code and campaign markers. The cryptocurrency wallet addresses used in the campaign are associated with the Chaos ransomware gang.

Technical Details

AstraLocker is a fork of the Babuk ransomware and first appeared in 2021. Version 2.0 first appeared in March of 2022. The ransomware is delivered in phishing emails via malicious Microsoft Word documents. The payload is stored in an object linking and embedding (.OLE) object that is only activated when the victim double-clicks on the executable icon inside the malicious documents.

The new version of AstraLocker uses the outdated SafeEngine Shielden v2.4.0.0 protector, which complicates reverse engineering efforts. The new version also uses sophisticated tactics such as:

  • Checking if the host is a virtual machine (VM)
  • Checking running processes to determine if the environment is an analysis sandbox
  • Checking names of open windows to determine if malware analysis tools are running
  • Hiding threads from debugging tools by using the argument HideFromDebugger
  • Stopping multiple backup and anti-malware services
  • Killing multiple processes that could interfere with encryption
  • Deleting volume shadow copies
  • Emptying the recycle bin
  • Enumerating and mounting all drives and network shares
  • Encrypting files using Curve25519, one of the fastest elliptic curve cryptography (ECC) curves

Impact Analysis

Researchers assessed that while the ransomware tool itself was relatively sophisticated, the campaign is not technically sophisticated. The campaign delivered the ransomware immediately whenever victims clicked the attachment. In most sophisticated ransomware campaigns, attackers wait until later in the compromise chain to deliver the payload to allow time for deeper penetration into networks and reconnaissance into targeted networks. Executing the ransomware payload also took multiple manual clicks by the victim. Requiring so much manual activity from the victim creates numerous opportunities for the infection process to be interrupted or second-guessed by victims.


ReversingLabs researchers provided the following indicators of compromise (IOCs) for the campaign:

Indicator Type Notes
[.]babyk File Extension AstraLocker 2.0 File Extension After Encryption


Cryptocurrency Wallet Address Chaos Ransomware Gang-Associated Monero Wallet
bc1qpjftnrmahzc8cjs23snk2rq0vt6l0ehu4gqxus. Cryptocurrency Wallet Address Chaos Ransomware Gang-Associated Bitcoin Wallet
cf3bdf0f8ea4c8ece5f5a76524ab4c81fea6c3a1715b5a86b3ad4d397fca76f3 SHA256 AstraLocker 2.0 Ransomware
b0a010e5a9b353a11fb664501de91fc47878d89bf97cb57bc03428c7a45981b9 SHA256 AstraLocker 2.0 Ransomware
17ea24ce8866da7ef4a842cba16961eafba89d526d3efe5d783bb7a30c5d1565 SHA256 AstraLocker 2.0 Ransomware
08565f345878369fdbbcf4a064d9f4762f4549f67d1e2aa3907a112a5e5322b6 SHA256 AstraLocker 2.0 Ransomware
5c061e188979d3b744a102d5d855e845a3b51453488530ea5dca6b098add2821 SHA256 AstraLocker 2.0 Ransomware
60167b6a14b7da2257cb6cbdc7f1ebcb4bdfa16c76cc9a7539c9b8d36478d127 SHA256 Malicious Word Document
71ba916a7f35fe661cb6affc183f1ce83ee068dbc9a123663f93acf7b5a4263e SHA256 Malicious Word Document

More Recent Blog Posts