Privacy Ninja

Free Decryptor Released for AstraLocker, Yashma Ransomware Victims

New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom.

The free tool is available for download from Emsisoft’s servers, and it allows you to recover encrypted files using easy-to-follow instructions available in this usage guide [PDF].

“Be sure to quarantine the malware from your system first, or it may repeatedly lock your system or encrypt files,” Emsisoft warned.

“By default, the decryptor will pre-populate the locations to decrypt with the currently connected drives and network drives. Additional locations can be added using the ‘Add’ button.”

The ransomware decryptor will allow you to keep the files encrypted in the attack as a failsafe if the decrypted files are not identical to the original documents.

“The AstraLocker decryptor is for the Babuk-based one using .Astra or .babyk extension, and they released a total of 8 keys,” Emsisoft added.

“The Yashma decryptor is for the Chaos-based one using .AstraLocker or a random .[a-z0-9]{4} extension, and they released a total of 3 keys.”

Emsisoft also advised AstraLocker and Yashma victims whose systems were compromised via Windows Remote Desktop to change the passwords for all user accounts that have permissions to log in remotely and to look for other local accounts the ransomware operators might have added.
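
One way to carry out the account review Emsisoft advises above, as an added example that is not Emsisoft's or BleepingComputer's code. It assumes an elevated Windows PowerShell 5.1 session on the affected host, local (not domain) accounts, default Remote Desktop user-rights assignment, and a 30-day look-back window:

```powershell
#Requires -RunAsAdministrator
# Added example: review local accounts after an RDP-borne intrusion.
$since = (Get-Date).AddDays(-30)   # assumption: widen to cover the intrusion window

# 1. Accounts allowed to log in remotely. Well-known SIDs are used because the
#    group names are localized: Administrators and Remote Desktop Users.
$remoteGroupSids = 'S-1-5-32-544', 'S-1-5-32-555'
$remoteMembers = foreach ($sid in $remoteGroupSids) {
    $group = Get-LocalGroup -SID $sid
    Get-LocalGroupMember -Group $group |
        Select-Object @{ n = 'Group'; e = { $group.Name } }, Name, ObjectClass, PrincipalSource
}
$remoteMembers | Format-Table -AutoSize

# 2. Every local account, oldest password first: enabled accounts whose
#    PasswordLastSet predates the incident still need a reset.
Get-LocalUser |
    Sort-Object PasswordLastSet |
    Format-Table Name, Enabled, PasswordLastSet, LastLogon, Description -AutoSize

# 3. Security log evidence of accounts the intruder may have added:
#    4720 = user account created, 4732 = member added to a local group.
$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since }
$records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$changes = foreach ($record in $records) {
    $data = @{}
    foreach ($field in ([xml]$record.ToXml()).Event.EventData.Data) {
        $data[$field.Name] = $field.'#text'
    }
    [pscustomobject]@{
        Time      = $record.TimeCreated
        EventId   = $record.Id
        Actor     = $data['SubjectUserName']
        Target    = $data['TargetUserName']   # new account (4720) or group (4732)
        MemberSid = $data['MemberSid']        # present on 4732 only
    }
}
$changes | Sort-Object Time | Format-Table -AutoSize
```

An empty result in step 3 can also mean the Security log has rolled over, so compare the account list from step 2 against a known-good inventory as well.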

AstraLocker decryptor (Emsisoft)

The decryptor was released after the threat actor behind AstraLocker ransomware told BleepingComputer this week that they’re shutting down the operation with a plan to switch to cryptomining.

“It was fun, and fun things always end sometime. I’m closing the operation, decryptors are in zip files, clean. I will come back,” AstraLocker’s developer told us. “I’m done with ransomware for now. I’m going in cryptojaking lol.”

The ransomware developer shared a ZIP archive with AstraLocker and Yashma decryptors they submitted to the VirusTotal malware analysis platform.

Even though they did not reveal the reason behind the AstraLocker shutdown, the most likely cause is the sudden publicity brought by recent reports that would have landed the operation in law enforcement crosshairs.

AstraLocker is based on Babuk Locker (Babyk) ransomware, a buggy yet still dangerous strain that had its source code leaked in September on a hacker forum.

While it doesn’t happen very often, other ransomware groups have also released decryption keys and decryptors to BleepingComputer and security researchers in the past, either as a gesture of goodwill when shutting down or when they released new versions.

The list of previously released decryption tools includes Ragnarok, Avaddon, SynAck, AES-NI, Shade, FilesLocker, TeslaCrypt, Crysis, Ziggy, and FonixLocker.
