Cyber Threat Actor: Astro Team
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
2 incidents |
|---|
Profile
Astro Team is a threat actor group that operates under the alias Astro Team and has been associated with Russian origins in open sources. The group first came to public attention through ransomware incidents that involved data theft and subsequent leaks when ransom demands were not met. Their activities have been documented in multiple cybersecurity reports and news articles detailing attacks on U.S.-based organizations.
The actors primarily target organizations in the healthcare and vision care sectors within the United States, as evidenced by the Eduro Healthcare incident in Utah and the Hoya Vision Care attack. Their strategic objective appears to be financial gain, achieved through ransomware encryption coupled with the threat of releasing exfiltrated sensitive data if payment is not forthcoming. This dual extortion model is explicitly referenced in the descriptions of both incidents where data was leaked after alleged ransom non‑payment.
In terms of tactics, Astro Team has been linked to the Mount Locker ransomware family, indicating the use of this malware for encryption operations. They employ data exfiltration prior to encryption, storing stolen files on leak sites to pressure victims. The group’s tooling includes the creation of dedicated leak pages where they publish stolen information, as seen with the Eduro Healthcare data dump. No specific initial access vectors are detailed in the available sources, so only the observed ransomware deployment and leak site usage are noted.
Notable publicly reported operations include the March 2021 breach of Eduro Healthcare, where approximately forty gigabytes of protected health information and financial records were exfiltrated and later released after the organization reportedly failed to satisfy ransom demands. Another significant campaign occurred in April 2021 against Hoya Vision Care US, resulting in the theft of around three hundred gigabytes of confidential corporate data during a ransomware attack. These cases illustrate the group’s pattern of targeting U.S. healthcare‑related entities, stealing large volumes of data, and leveraging leak sites to enforce extortion.
