MTR in Realtime: What is Astro Locker Team Ransomware

109

Sophos has published an MTR in Real Time alert on Sophos News about “Astro Locker Team” ransomware and its connections to “Mount Locker ransomware.”

The story in a nutshell: The Sophos Managed Threat Response team recently detected ransomware targeting an organization’s unprotected machines and the team quickly took charge to neutralize and investigate. The attack had all the hallmarks of Mount Locker ransomware in terms of tools, techniques and procedures (TTPs), the language and format of the ransom note, and more. However, when they followed the link in the ransom note to the attackers’ chat/support site, Sophos incident responders found themselves faced with a near-unknown group calling itself “AstroLocker Team” or “Astro Locker Team.”

Astro Locker appears to be a new ransomware family – but appearances can be deceptive. Astro Locker’s use of near-identical TTPs to Mount Locker ransomware and even an identical leak site, with the same list of victims, suggests the two may be closely linked, although exactly how is open to speculation. 

Why this matters: Understanding the possible origins and relationships of a ‘new’ ransomware groups matters to defenders because it enables them to extend the range of TTPs to look out for. In this case, anyone hit by Astro Locker Team ransomware should check their network and devices for standard Mount Locker TTPs.

In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’ Rapid Response team. “It is possible that the Mount Locker group wants to rebrand itself to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program with Astro Locker as a significant branded affiliate. It could even be that the Mount Locker group is using the Astro Locker name to pretend they have such an affiliate. Regardless, if any organization becomes a victim of ‘Astro Locker’ in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.”