Hacking gang AstraLocker has publicly exited the ransomware business, stating that it will turn to cryptojacking instead. The move reflects a declining number of ransomware options on the market, and analysts say global law enforcement crackdowns on the hackers behind ransomware attacks could be causing criminals to look for lower-risk ways to make money.
AstraLocker, thought to be a subsidiary of larger ransomware group Babuk, marked its change of direction by posting a ZIP file with decryptors to all its malware on the VirusTotal malware analysis platform. Decryptors are used to reverse the encryption process.
The group favours the “smash and grab” attack methodology, according to research released by Reversing Labs. This means its malware is low-skill and looks to cause immediate disruption and secure a quick payment, compared with the more patient, methodical and measured approach used by more sophisticated ransomware outfits.
Writing on the VirusTotal platform, a poster claiming to be a member of the group said: “It was fun, and fun things always end sometime. I’m closing the operation, decryptors are in zip files, clean. I will come back. I’m done with ransomware for now. I’m going in cryptojacking.” Cryptojacking is the practice of illicitly installing cryptocurrency mining programmes on victims’ computers and using those machines to run the notoriously resource-heavy software.
Is ransomware evolving into cryptojacking?
As ransomware groups have become more sophisticated and attacks more high profile, global law enforcement agencies are fighting back, working across borders to arrest criminals. Because of this, the gangs may be moving away from high-profile crimes and onto lower-risk activities like cryptojacking, says Jim Simpson, director of threat intelligence at Searchlight Security:
“Cryptojacking incentivises staying undetected on the victim’s machine for as long as possible, and so is by nature less conspicuous than ransomware campaigns, where the money-making model relies significantly on generating maximum publicity in order to shame victims into paying up.
“With the US government’s renewed focus on cracking down on ransomware-as-a-service (RaaS) schemes, it is unsurprising some financially motivated cybercriminals are opting for an activity that’s less likely to land them on the radar of federal law enforcement agencies.”
Indeed, 2021 saw a significant drop in the amount of new ransomware discovered by security researchers, according to a report from WithSecure. It notes that “one possibility is consolidation around existing RaaS offerings, such as REvil. These services lower the bar for cybercriminals to conduct ransomware campaigns by eliminating the need to develop their own ransomware and other infrastructure.”
The toolkits from big RaaS gangs such as REvil are becoming much cheaper and easier to use, agrees Terry Greer-King, vice president for EMEA at SonicWall. “Only a few years ago, they needed to write their own malicious code. Now, anyone with bad intentions can buy a ransomware kit for as little as $50 on the dark web,” he says.
With potential customers looking elsewhere, smaller gangs like AstraLocker are moving on to cryptojacking. The number of cryptojacking attempts in 2021 rose to 91 million, an increase of 19% year-on-year.
Cryptojacking is an appealing alternative for criminal gangs, says Greer-King. “It has a lower potential of being detected by the victim; unsuspecting users across the world see their devices get unaccountably slower, but it’s hard to tie it to criminal activity, much less point to the source,” he says.
Businesses becoming more secure against ransomware could also cause gangs to look elsewhere for income, says Simon Newman, CEO of the Cyber Resilience Centre for London. “As organisations continuously improve their security posture and develop a better awareness of how threat actors operate, it’s inevitable that some criminals will ‘change careers’ into other forms of cybercrime that they believe will either be more effective or lucrative,” Newman says.