A new version of AstroLocker ransomware has been identified that is delivered directly as an email attachment. AstroLocker is a relatively new ransomware threat based on Babuk ransomware, the source code of which was leaked in September last year. Most malspam campaigns use a VBA macro to download a first-stage payload; this campaign instead uses a Word document with an embedded OLE object, WordDocumentDOC.exe, that displays the Microsoft Word icon and the text ‘Please Click Here’.
Most ransomware operations aim to encrypt as many devices as possible. The operators usually work to gain access to a Domain Controller and then use a Group Policy Object to push the ransomware to every host in the domain. This campaign takes a different approach: it is a smash-and-grab affair that runs the ransomware straight from the attachment, as quickly as possible, in the hope of a fast payout.
If the recipient takes the bait, opens the attached Word file and clicks the OLE object, Windows shows a security warning stating that the publisher could not be verified and is unknown, with the option to run the file or cancel. That extra prompt is one reason OLE objects have fallen out of favour for malware delivery and VBA macros are now preferred: every additional warning is another opportunity for the delivery attempt to fail.
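The embedded-OLE delivery described above can be triaged without opening the document. The following Python script is an added example, not code from the ReversingLabs report or from this article: it checks an OOXML Word document for embedded OLE parts that wrap an executable. It assumes the attachment is a .docx (a legacy binary .doc would need a compound-file parser such as the oleobj tool from oletools, which is not used here), relies on two indicators that are visible without parsing the OLE container, namely the oleObject relationship type Word records for embedded objects and the DOS-stub string every PE file carries, and runs on a constructed fixture rather than a real sample.

```python
import io
import re
import zipfile

# Relationship type Word records in document.xml.rels for an embedded OLE object.
OLE_REL_TYPE = b"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Every PE file carries this DOS-stub text; an OLE Package stream stores the dropped
# file's bytes verbatim, so the text is visible without parsing the compound file.
DOS_STUB = b"This program cannot be run in DOS mode"
# ASCII file names with an executable-style extension (Package streams store an ANSI name).
EXE_NAME_RE = re.compile(rb"[\w\-]+\.(?:exe|scr|com|pif|bat|cmd|js|vbs|ps1)(?!\w)", re.IGNORECASE)


def scan_docx_for_ole_executables(docx_bytes):
    """Report embedded OLE parts of a .docx that look like they wrap an executable."""
    report = {"ole_relationship": False, "objects": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = zf.namelist()
        if "word/_rels/document.xml.rels" in names:
            report["ole_relationship"] = OLE_REL_TYPE in zf.read("word/_rels/document.xml.rels")
        for name in names:
            if not name.startswith("word/embeddings/"):
                continue
            data = zf.read(name)
            entry = {
                "part": name,
                "pe_signature": DOS_STUB in data,
                "exe_names": sorted({m.decode("ascii", "replace") for m in EXE_NAME_RE.findall(data)}),
            }
            entry["suspicious"] = entry["pe_signature"] or bool(entry["exe_names"])
            report["objects"].append(entry)
    report["suspicious"] = any(o["suspicious"] for o in report["objects"])
    return report


def build_sample_docx(embedded_object):
    """Assemble a minimal .docx with one embedded OLE part (constructed fixture, not a real file)."""
    rels = (
        b'<Relationships><Relationship Id="rId1" Type="' + OLE_REL_TYPE
        + b'" Target="embeddings/oleObject1.bin"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/embeddings/oleObject1.bin", embedded_object)
    return buf.getvalue()


# Constructed stand-in for a Package stream wrapping a PE file: the file name the user
# sees and the DOS stub appear in the clear, as they would in a real embedding.
FAKE_EXE_OBJECT = (
    b"\x02\x00WordDocumentDOC.exe\x00C:\\Users\\victim\\WordDocumentDOC.exe\x00"
    + b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + DOS_STUB + b"\r\r\n$"
)
# Constructed stand-in for a harmless embedded spreadsheet object.
FAKE_SHEET_OBJECT = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24 + b"Workbook\x00"


def demo():
    """Scan one malicious-looking and one benign fixture; returns both reports."""
    return (
        scan_docx_for_ole_executables(build_sample_docx(FAKE_EXE_OBJECT)),
        scan_docx_for_ole_executables(build_sample_docx(FAKE_SHEET_OBJECT)),
    )


if __name__ == "__main__":
    for report in demo():
        print(report)
```

A document that declares an oleObject relationship but shows neither indicator is not cleared by this check: the Package file name can also be stored as UTF-16, which the ASCII regex would miss, so treat the script as a triage aid that selects attachments for detonation or manual review, not as a verdict.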
If allowed to run, the executable first checks whether it is running in a virtual machine. If it detects one, it displays a message box purporting to come from Microsoft that advises the user “please do not run this application under a virtual machine.” It also checks whether a debugger has been loaded into other active processes. Only if these checks pass does AstroLocker 2.0 prepare the system for file encryption, for which it uses the Curve25519 algorithm.
As is common with ransomware, volume shadow copies are deleted to prevent file recovery without paying the ransom, backup and antivirus services are stopped, the Recycle Bin is emptied rather than encrypted, and other processes that could interfere with encryption are terminated. The ransom note closely resembles the one used by Babuk ransomware and asks for payment in Monero or Bitcoin, but no email address is provided for contact. The ransom demand is only $50. It is unclear whether further demands follow once payment is made.
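The preparation steps listed above are where endpoint telemetry usually catches ransomware before the first file is encrypted. The script below is an added example of that detection logic, written for this page and not taken from the ReversingLabs report. The article does not quote the commands AstroLocker issues, so the patterns are the common Windows ways of deleting shadow copies, disabling recovery and stopping services (an assumption), the service-name hint list is an assumption, and the process-creation events it runs over are constructed to resemble a Sysmon Event ID 1 feed rather than real telemetry.

```python
import re

# The article says shadow copies are deleted and backup/antivirus services stopped but does
# not quote the commands; these are the usual Windows ways of doing so (assumed, not from the report).
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]
SERVICE_STOP_RE = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\"?([^\"\s]+)", re.I)
# Substrings that mark a stopped service as backup- or AV-related (assumed hint list).
PROTECTIVE_SERVICE_HINTS = ("vss", "backup", "sql", "defend", "antivirus", "exchange")


def tag_event(event):
    """Return the sorted list of behaviour tags that one process-creation event matches."""
    cmd = event["command_line"]
    tags = {tag for tag, rx in RULES if rx.search(cmd)}
    m = SERVICE_STOP_RE.search(cmd)
    if m:
        name = m.group(1).lower()
        protective = any(h in name for h in PROTECTIVE_SERVICE_HINTS)
        tags.add("backup_or_av_service_stop" if protective else "service_stop")
    return sorted(tags)


def analyze(events):
    """Tag each event and decide whether, taken together, they look like ransomware preparing to encrypt."""
    tagged = [dict(event, tags=tag_event(event)) for event in events]
    seen = {t for ev in tagged for t in ev["tags"]}
    # Shadow-copy deletion plus any second recovery-inhibition step is the high-confidence combination;
    # a lone "vssadmin delete shadows" is noisy on hosts where backup jobs prune old copies.
    inhibitors = {"recovery_disabled", "backup_catalog_deletion", "backup_or_av_service_stop"}
    if "shadow_copy_deletion" in seen and seen & inhibitors:
        verdict = "ransomware_precursor"
    elif seen:
        verdict = "suspicious"
    else:
        verdict = "clean"
    parents = sorted({ev["parent_image"] for ev in tagged if ev["tags"]})
    return {"events": tagged, "verdict": verdict, "offending_parents": parents}


# Constructed events (not observed telemetry): one benign admin query, one unrelated service
# stop, and a burst of recovery-inhibition commands attributed to the dropped executable.
SAMPLE_EVENTS = [
    {"parent_image": "mmc.exe", "command_line": "vssadmin.exe list shadows"},
    {"parent_image": "WordDocumentDOC.exe", "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"parent_image": "WordDocumentDOC.exe", "command_line": "wmic.exe shadowcopy delete"},
    {"parent_image": "WordDocumentDOC.exe", "command_line": "bcdedit.exe /set {default} recoveryenabled no"},
    {"parent_image": "WordDocumentDOC.exe", "command_line": "net.exe stop VSS"},
    {"parent_image": "services.exe", "command_line": "sc.exe stop spooler"},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for ev in result["events"]:
        print(ev["parent_image"], "->", ev["command_line"], ev["tags"])
    print(result["verdict"], result["offending_parents"])
```

The verdict deliberately requires two distinct behaviours rather than alerting on the first shadow-copy deletion, which keeps backup maintenance windows from paging the on-call engineer; the offending parent image is returned so that the response playbook can isolate the host and pull the dropper for analysis.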
ReversingLabs, which discovered AstroLocker 2.0, has not attributed the campaign to a specific threat actor. It did find a Monero wallet address previously used by the group behind Chaos ransomware, although that could simply mean the affiliate running this campaign is also an affiliate of Chaos ransomware. Further information on the campaign, including IoCs, is available in the ReversingLabs report.