
Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 258: UNDERSTANDING THE RISK OF ASTRO LOCKER RANSOMWARE

Reference Number ACG-CSB 071522258

         The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

   Most ransomware operations aim to encrypt as many devices as possible. Usually, they aim to gain access to Domain Controllers and then deploy a group policy object to allow file encryption on all hosts on that domain. This approach is more of a smash-and-grab affair that aims to deploy the ransomware as quickly as possible to get a fast payout.

   The Astro Locker ransomware script has been updated. After the break-in, it now focuses on disabling any program that could interfere with the encryption or detect the intrusion. It has also been programmed to locate the backed-up files and neutralize them completely, making it virtually impossible for the company to recover the files on its own.

   There are reports that after the intrusion the ransomware stayed hidden for several weeks, modifying the company's backup routines, and only after the backups had been completely undermined were the files encrypted. Consider how disastrous that situation can be for a company. Ransomware groups have updated their tooling to do just that: undermine every chance of recovering the data without paying the ransom.

   After breaking into a company's system, Astro Locker ransomware does not start the encryption right away. Instead it hides and moves laterally inside the network looking for the company's sensitive files; once located, these are copied and exfiltrated to be used for blackmail later. This tactic is called double extortion.

   Astro Locker has focused its attacks mainly on biotechnology companies. These companies are extremely valuable to cybercriminals because they hold valuable intellectual property that must not be leaked or reach their competitors, which is a determining factor in the quick payment of the ransom.


As is common with ransomware, volume shadow copies are deleted to prevent file recovery without paying the ransom, backup and antivirus services are stopped, the Recycle Bin is emptied rather than encrypted, and other processes that could interfere with the encryption are terminated. It is unclear whether further demands are issued after payment is made.
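The behaviours just listed (shadow-copy deletion, stopping backup and antivirus services, emptying the Recycle Bin) leave process-creation telemetry behind, which is where defenders can catch the ransomware before encryption starts. The script below is an added example for this bulletin and is not taken from any of the sources it cites. It runs a small set of detection rules over constructed Sysmon-style process-creation events (the JSON field names `ts`, `host`, `user`, `image`, `cmd` and `parent`, the host names, the `upd.exe` parent path and the service names are all assumptions) and then correlates hits per host, so that several recovery-inhibiting actions on one machine within a short window are raised as one incident instead of scattered alerts.

```python
import json
import re
from datetime import datetime

# Constructed Sysmon-style process-creation events (JSON lines). These are
# not real telemetry; field names, host names and paths are assumptions.
SAMPLE_EVENTS = r"""
{"ts":"2022-07-15T02:11:09Z","host":"FS01","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\vssadmin.exe","cmd":"vssadmin.exe delete shadows /all /quiet","parent":"C:\\Windows\\Temp\\upd.exe"}
{"ts":"2022-07-15T02:11:10Z","host":"FS01","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\net.exe","cmd":"net stop \"Veeam Backup Service\" /y","parent":"C:\\Windows\\Temp\\upd.exe"}
{"ts":"2022-07-15T02:11:11Z","host":"FS01","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\bcdedit.exe","cmd":"bcdedit /set {default} recoveryenabled no","parent":"C:\\Windows\\Temp\\upd.exe"}
{"ts":"2022-07-15T09:30:00Z","host":"WS17","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","cmd":"notepad.exe report.txt","parent":"C:\\Windows\\explorer.exe"}
{"ts":"2022-07-15T09:41:12Z","host":"WS17","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\vssadmin.exe","cmd":"vssadmin list shadows","parent":"C:\\Windows\\System32\\cmd.exe"}
"""

# Each rule: name, the ATT&CK technique an analyst should map it to, and a
# regex over the command line. Listing shadows is deliberately not matched;
# only destructive or recovery-inhibiting actions are.
RULES = [
    ("shadow-copy-deletion", "T1490 Inhibit System Recovery",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery-disabled", "T1490 Inhibit System Recovery",
     re.compile(r"\bbcdedit(\.exe)?\s.*\brecoveryenabled\s+no|\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("protection-service-stop", "T1489 Service Stop",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s.*(backup|veeam|acronis|defend|antivirus|sophos|symantec)", re.I)),
    ("recycle-bin-wipe", "T1485 Data Destruction",
     re.compile(r"\b(rd|rmdir)\s+/s\s+/q\s+\S*\$recycle\.bin", re.I)),
]


def parse_time(stamp):
    # ISO-8601 with a trailing Z; fromisoformat only accepts "Z" from Python 3.11 on.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def scan_events(raw):
    """Return one alert per (event, rule) match, carrying the context an analyst needs."""
    alerts = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, technique, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append({
                    "time": parse_time(ev["ts"]),
                    "host": ev["host"],
                    "user": ev["user"],
                    "rule": name,
                    "technique": technique,
                    "cmd": ev["cmd"],
                    "parent": ev["parent"],  # an unusual parent (e.g. from Temp) is itself a signal
                })
    return alerts


def correlate(alerts, window_seconds=300, min_distinct_rules=2):
    """Escalate a host when at least min_distinct_rules different rules fire within the window.

    One shadow-copy deletion on its own may be an administrator tidying up;
    several recovery-inhibiting actions back to back on one host is the
    pattern the bulletin describes and is worth an incident.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    incidents = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["time"])
        for i, first in enumerate(items):
            window = [a for a in items[i:]
                      if (a["time"] - first["time"]).total_seconds() <= window_seconds]
            fired = {a["rule"] for a in window}
            if len(fired) >= min_distinct_rules:
                incidents[host] = sorted(fired)
                break
    return incidents


if __name__ == "__main__":
    for host, rules in correlate(scan_events(SAMPLE_EVENTS)).items():
        print(f"INCIDENT host={host} rules={', '.join(rules)}")
```

On the constructed input the workstation WS17 generates no alert (a `vssadmin list shadows` is benign), while file server FS01 trips three different rules within two seconds and is escalated as a single incident. In a real deployment the same rules would be expressed in the SIEM's query language and the window tuned to the environment; the point of the correlation step is to turn individually noisy rules into a high-confidence signal that fires before the encryption phase.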


RECOMMENDATION

            All PNP personnel as well as the public are advised to follow these tips to avoid being a victim of Astro Locker Ransomware:

  • Never click on unsafe links: Avoid clicking on links in spam messages or on unknown websites. If you click on malicious links, an automatic download could be started, which could lead to your computer being infected.
  • Avoid disclosing personal information: If you receive a call, text message, or email from an untrusted source requesting personal information, do not reply. Cybercriminals who are planning a ransomware attack might try to collect personal information in advance, which is then used to tailor phishing messages specifically to you. If in any doubt as to whether the message is legitimate, contact the sender directly.
  • Do not open suspicious email attachments: Ransomware can also find its way to your device through email attachments. Avoid opening any dubious-looking attachments. To make sure the email is trustworthy, pay close attention to the sender and check that the address is correct. Never open attachments that prompt you to run macros to view them. If the attachment is infected, opening it will run a malicious macro that gives malware control of your computer.
  • Never use unknown USB sticks: Never connect USB sticks or other storage media to your computer if you do not know where they came from. Cybercriminals may have infected the storage medium and placed it in a public place to entice somebody into using it.
  • Keep your programs and operating system up to date: Regularly updating programs and operating systems helps to protect you from malware. When performing updates, make sure you benefit from the latest security patches. This makes it harder for cybercriminals to exploit vulnerabilities in your programs.
  • Use only known download sources: To minimize the risk of downloading ransomware, never download software or media files from unknown sites. Rely on verified and trustworthy sites for downloads; such sites can often be recognized by their trust seals. Make sure that the browser address bar of the page you are visiting uses "https" instead of "http". A shield or lock symbol in the address bar indicates that the connection is encrypted, although it does not by itself guarantee that the site's content is safe. Also exercise caution when downloading anything to your mobile device. You can trust the Google Play Store or the Apple App Store, depending on your device.
  • Use VPN services on public Wi-Fi networks: Conscientious use of public Wi-Fi networks is a sensible protective measure against ransomware. When using a public Wi-Fi network, your computer is more vulnerable to attacks. To stay protected, avoid using public Wi-Fi for sensitive transactions or use a secure VPN service.
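The advice above on attachments hinges on one point: a document that carries macros should never be opened on the strength of its file name alone, because a macro-enabled file can be renamed to look harmless. The following script is an added example for this bulletin, not code from any cited source. It shows how a mail gateway or help desk can check attachment bytes rather than extensions: modern Office files are zip containers, and the presence of a `vbaProject.bin` member inside the container is what marks a macro-bearing document, whatever the extension says. The sample attachments are constructed in memory (file names, contents and the quarantine policy are assumptions); legacy binary Office files are only recognised by their magic bytes and routed for deeper inspection, since parsing that format needs an OLE library.

```python
import io
import zipfile

# Magic bytes of the compound-file (legacy .doc/.xls) format. Inspecting
# macros in that format needs an OLE parser, so such files are routed for review.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions that are supposed to denote macro-free OOXML documents.
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")

# Minimal content-types part so the fixtures look like real OOXML packages.
CONTENT_TYPES = (b'<?xml version="1.0"?>'
                 b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')


def build_ooxml(members):
    """Construct a minimal OOXML-style zip in memory (test fixture only, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def classify(data):
    """Classify attachment content by what the bytes are, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
        # Any VBA project part inside the package means the document carries macros.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml-clean"
        return "zip"
    return "other"


def triage(filename, data):
    """Apply a simple gateway policy (assumed here): quarantine macro-bearing and legacy Office files."""
    kind = classify(data)
    reasons = []
    if kind == "ooxml-macro":
        reasons.append("VBA project present")
        if filename.lower().endswith(MACRO_FREE_EXT):
            reasons.append("macro content hidden behind a macro-free extension")
    elif kind == "legacy-ole":
        reasons.append("legacy binary Office format needs OLE inspection")
    action = "quarantine" if reasons else "deliver"
    return {"file": filename, "kind": kind, "action": action, "reasons": reasons}


# Constructed sample attachments: a clean document, an honest macro document,
# a macro document renamed to .docx, a legacy binary file and a plain text file.
SAMPLES = {
    "report.docx": build_ooxml({"[Content_Types].xml": CONTENT_TYPES,
                                "word/document.xml": b"<w:document/>"}),
    "macros.docm": build_ooxml({"[Content_Types].xml": CONTENT_TYPES,
                                "word/document.xml": b"<w:document/>",
                                "word/vbaProject.bin": b"\x00" * 64}),
    "invoice.docx": build_ooxml({"[Content_Types].xml": CONTENT_TYPES,
                                 "word/document.xml": b"<w:document/>",
                                 "word/vbaProject.bin": b"\x00" * 64}),
    "old.doc": OLE_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text, nothing to see",
}


def triage_all(samples=SAMPLES):
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for result in triage_all().values():
        print(f"{result['file']:<14} {result['kind']:<12} {result['action']:<10} {'; '.join(result['reasons'])}")
```

The renamed `invoice.docx` is the case the bulletin's advice is really about: by extension it looks like an ordinary document, but the zip listing shows the VBA project and it is quarantined with both reasons recorded. A production gateway would add an OLE parser for the legacy formats and sandbox detonation for anything quarantined, but the content-over-extension check is the cheap first gate.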

For additional information, please refer to the following websites:

  • https://digitalrecovery.com/en/recover-data-ransomware-astro-locker/
  • https://www.netsec.news/new-astrolocker-ransomware-variant-detected-being-distributed-directly-through-email-attachments/#:~:text=A%20new%20version%20of%20AstroLocker,leaked%20in%20September%20last%20year.
  • https://www.kaspersky.com/resource-center/threats/how-to-prevent-ransomware

POINT OF CONTACT

Please contact PMAJ JUN-JUN S DAGURO, Police Community Relations Officer, by e-mail or at telephone number (632) 8723-0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.