The New Zealand cybersecurity company Emsisoft has released a free decryptor for AstraLocker and Yashma ransomware. Victims can access the tool via the servers of Emsisoft. A detailed procedure on how to use the tool was also provided.
“Be sure to quarantine the malware from your system first, or it may repeatedly lock your system or encrypt files. By default, the decryptor will pre-populate the locations to decrypt with the currently connected drives and network drives. Additional locations can be added using the ‘Add’ button,” warned Emsisoft.
The decryptor provided by Emsisoft allows users to keep files encrypted in the attack as failsafe if the decrypted files are not similar to the original documents.
Emsisoft advised victims whose systems were compromised via Windows Remote Desktop to change the passwords for all user accounts that have permissions to log in remotely. The security company also advised victims to log in remotely and look for other local accounts the ransomware operators might have added.
“The AstraLocker decryptor is for the Babuk-based one using .Astra or .babyk extension, and they released a total of 8 keys. The Yashma decryptor is for the Chaos-based one using . AstraLocker or a random. [a-z0-9] {4} extension, and they released a total of 3 keys,” Emsisoft added.
The sources for this piece include an article in BleepingComputer.