[ AstraLocker ransomware ]
[Virus/malware activity reported: AstraLocker ransomware]
A security incident believed to involve AstraLocker ransomware has occurred,
so we are confirming the situation and issuing the following warning.
AstraLocker ransomware
The ransomware in question is called AstraLocker. It appears to rename every file it encrypts, keeping the existing name and existing extension and appending the extension babyk.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
.NET 3.5 pre-work
After creating “%SystemDrive%NET35WX5” and encrypting it, the ransomware creates the necessary ransom note and checks the path.
[Figure 3 Startup program registration]
Deleting shadow copies
After encryption, shadow copies are deleted to make recovery difficult.
[Figure 4 Deleting shadow copies]
Infection results
A guide file named How To Restore Your Files.txt is created in each folder, and encrypted files are renamed to <existing name.existing extension.babyk>.
[Figure 5 Infection result 1]
[Figure 6 Infection result 2]
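The two on-disk indicators described above (the guide file in each folder and the appended babyk extension) can be checked for during triage. The following is an added example, not code from the original report or from White Defender; the function names and the sample folder layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

NOTE_NAME = "how to restore your files.txt"  # guide file name given in the report
ENC_SUFFIX = ".babyk"                        # appended extension given in the report


def scan_tree(root):
    """Return {folder: {"note": bool, "encrypted": [(renamed, original)]}}
    for every folder under root that shows at least one indicator."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        # Compare case-insensitively, as Windows file systems do.
        note = any(f.lower() == NOTE_NAME for f in files)
        encrypted = []
        for f in files:
            if f.lower().endswith(ENC_SUFFIX) and len(f) > len(ENC_SUFFIX):
                # Strip only the appended suffix to recover the original name.
                encrypted.append((f, f[: -len(ENC_SUFFIX)]))
        if note or encrypted:
            findings[folder] = {"note": note, "encrypted": sorted(encrypted)}
    return findings


def classify(entry):
    """Guide file plus renamed files is a strong match; one alone needs review."""
    if entry["note"] and entry["encrypted"]:
        return "likely-affected"
    return "review"


def build_sample(root):
    """Constructed sample tree (not real data): affected, clean and ambiguous folders."""
    layout = {
        "docs": ["report.docx.babyk", "budget.xlsx.babyk",
                 "How To Restore Your Files.txt"],
        "clean": ["notes.txt"],
        "odd": ["archive.BABYK"],
    }
    for folder, names in layout.items():
        d = Path(root) / folder
        d.mkdir(parents=True)
        for name in names:
            (d / name).write_bytes(b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, entry in sorted(scan_tree(tmp).items()):
            print(classify(entry), os.path.relpath(folder, tmp),
                  len(entry["encrypted"]), "renamed file(s)")
```

The recovered original names give a list of affected files to compare against backups.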
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.
[Figure 7 Block message]
[Figure 8 Block message]
[Figure 9 Block message]