The Azov ransomware, which earlier framed security researchers as being part of its operations, has now been detailed by a Checkpoint researcher, who explained how it works.
He described how its data corruption works and pointed out several references attributed to its evilness. Like other researchers, he warned that there’s no remedy for anyone infected by Azov ransomware, but suggested things that should be done to stay safe.
Azov Ransomware Modus Operandi
As earlier reported, the authors of Azov ransomware are using SmokeLoader to distribute their malware, which comes in a number of forms like pirated software or games. When deployed, the ransomware will corrupt the system data and leave a ransom note in which it lists a bunch of security researchers as members of the gang.
The note asks victims to reach out to the named researchers for help, even though they’re not associated with it, and the Azov gang asks for no ransom for decrypting files. Instead, it has set a data wiper to erase all the infected data, says Jiří Vinopal, a researcher at Checkpoint Security.
He detailed how the ransomware works, from its initial deployment through SmokeLoader to a wiper set to trigger only on October 27th, 2022, at 10:14:30 AM UTC. Many victims had already listed this malware on VirusTotal at the time of writing.
Vinopal said that Azov ransomware overwrites a file’s contents with garbage data in alternating 666-byte chunks, making the whole file useless even though half of the content is intact. The use of the number 666 in its data corruption procedure is linked with the biblical ‘Devil’, showing the threat actor’s malicious intent.
We took a look at #Azov #Ransomware — a new destructive data wiper:
– Manually crafted in Assembly using FASM
– Multi-threaded intermittent overwriting (looping 666 bytes) of original data content
– Effective, fast, and unfortunately unrecoverable data wiper pic.twitter.com/RGgscpSYXE
— Check Point Research (@_CPResearch_) November 2, 2022
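As an added example (not from Check Point's report or the original article), the following Python code shows how a responder could triage files for the alternating 666-byte pattern described above by comparing the entropy of even and odd chunks. It assumes the chunks are aligned to offset 0 and that the garbage looks random; the function names and the sample data are constructed for illustration.

```python
import math
import random
from collections import Counter

CHUNK = 666  # chunk size reported in the article

def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def alternating_garbage(data: bytes, min_gap: float = 2.0, min_chunks: int = 4):
    """Return (suspicious, even_mean, odd_mean) over 666-byte chunks of data.

    Assumption: chunks are aligned to offset 0 and the garbage looks random.
    Files that were already compressed or encrypted have high entropy
    everywhere, so the gap vanishes and this check cannot flag them.
    """
    chunks = [data[i:i + CHUNK] for i in range(0, len(data) - CHUNK + 1, CHUNK)]
    if len(chunks) < min_chunks:
        return (False, 0.0, 0.0)
    even = [entropy(c) for c in chunks[0::2]]
    odd = [entropy(c) for c in chunks[1::2]]
    even_mean = sum(even) / len(even)
    odd_mean = sum(odd) / len(odd)
    # Require a consistent split: all chunks of one parity above all of the other.
    separated = min(even) > max(odd) or min(odd) > max(even)
    suspicious = separated and abs(even_mean - odd_mean) >= min_gap
    return (suspicious, even_mean, odd_mean)

def constructed_sample(damaged: bool) -> bytes:
    """Constructed in-memory test data: plain text, optionally with noisy even chunks."""
    rng = random.Random(0)
    text = bytearray(b"Quarterly report: revenue, costs and forecasts.\n" * 200)
    if damaged:
        for off in range(0, len(text) - CHUNK + 1, 2 * CHUNK):
            text[off:off + CHUNK] = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    return bytes(text)

if __name__ == "__main__":
    for damaged in (False, True):
        print(damaged, alternating_garbage(constructed_sample(damaged)))
```

A hit only means the file deserves a closer look; restoring it still requires a clean backup.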
Aside from this, the malware is also said to plant a ‘backdoor’ in other 64-bit executables on the compromised Windows device. This can be used to damage the system further, as desired.
Researchers have earlier quashed links between this ransomware group and the Ukrainian military, even though it uses the name of the Ukrainian ‘Azov’ military regiment. It’s common for threat actors to use others’ names to confuse researchers or create a false impression.
While it’s unclear why the threat actor is spending money to distribute a data wiper, researchers warned that the wiper has no remedy yet. Users should therefore be wary of cracked software and pirated versions of anything from the web to avoid the risk of getting infected.