A relatively new threat actor, Azov ransomware, is wiping victims’ systems and framing prominent security researchers as the culprits.
While all of those researchers have come forward to defend themselves, they also warned that there is no way for a victim of Azov ransomware to get their files back, because the gang provides no way to contact it and makes no ransom demand.
Azov Ransomware-cum-Data Wiper
Following a pattern seen before, a new ransomware group called Azov is framing well-known security researchers and companies as the perpetrators of its operations, causing confusion in the community.
Denying those claims, the framed researchers explained that Azov ransomware spreads through SmokeLoader, a botnet whose operators sell or rent access to trojan-infected systems so that other malware can be deployed on them. Ransomware actors buy such access and use it to deploy their payloads.
SmokeLoader, in turn, reaches victims through cracked software, game modifications, cheats, and key generators. Once delivered this way, Azov ransomware encrypts the target’s machine and leaves a ransom note named RESTORE_FILES.txt in every folder it encrypts.
While those ransom notes contain no contact information, the Azov gang names certain security researchers and firms (hasherezade, BleepingComputer, MalwareHunterTeam, Michael Gillespie, and Vitali Kremez in this case) as the culprits.
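A defender-side triage check for the behaviour just described, added here as an example; it is not code from the article or from any of the researchers it names. It assumes only what the text states: the note is called RESTORE_FILES.txt, one copy is dropped in every encrypted folder, and the note offers no contact channel. The threshold of three directories and the sample directory tree are constructed for illustration.

```python
"""Scan a directory tree for the per-folder ransom-note drop pattern.

Added example, not the article's or any researcher's code. The note name
comes from the article; the threshold and the sample tree are assumptions.
"""
import os
import tempfile
from pathlib import Path

NOTE_NAME = "RESTORE_FILES.txt"  # file name reported in the article
NOTE_THRESHOLD = 3  # assumption: one stray note is odd, several is an incident


def find_ransom_notes(root, note_name=NOTE_NAME):
    """Return every path under `root` whose file name matches `note_name`."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if note_name in filenames:
            hits.append(os.path.join(dirpath, note_name))
    return sorted(hits)


def assess(root, note_name=NOTE_NAME, threshold=NOTE_THRESHOLD):
    """Summarise the scan so a responder can triage quickly.

    mass_drop   True when the note sits in `threshold` or more distinct
                directories, the per-folder pattern the article describes.
    has_contact True if any note carries an obvious contact channel; for
                Azov the article says none is given, so False is expected.
    """
    notes = find_ransom_notes(root, note_name)
    dirs = {os.path.dirname(p) for p in notes}
    markers = ("@", "http://", "https://", ".onion", "tox")
    has_contact = False
    for p in notes:
        try:
            text = Path(p).read_text(errors="replace").lower()
        except OSError:
            continue  # unreadable note: skip rather than abort the scan
        if any(m in text for m in markers):
            has_contact = True
            break
    return {
        "note_count": len(notes),
        "dir_count": len(dirs),
        "mass_drop": len(dirs) >= threshold,
        "has_contact": has_contact,
    }


def build_sample_tree():
    """Create a constructed temp tree that mimics the drop pattern.

    Entirely synthetic: the note text is a placeholder, not the real Azov
    note, and data.bin stands in for an encrypted file.
    """
    root = tempfile.mkdtemp(prefix="note_scan_demo_")
    for sub in ("Documents", "Pictures", "Work/2022", "Work/2022/Q4"):
        d = Path(root, sub)
        d.mkdir(parents=True, exist_ok=True)
        (d / "data.bin").write_bytes(b"\x00" * 16)  # constructed placeholder
        (d / NOTE_NAME).write_text("[placeholder note: no contact given]\n")
    Path(root, "Downloads").mkdir()  # untouched folder, no note
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print(assess(sample))
```

Run against a suspect host's user profile, a `mass_drop` of True with `has_contact` False is the combination the article describes: many notes, no way to pay, so recovery has to come from backups rather than negotiation.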
This thing started to spread about 2 weeks ago already.
One of the spreading methods (or the only one?) of this shit looks like someone just bought installs in the malware distribution networks / botnets that are used to spread some stealers, the STOP/Djvu ransomware, etc.
(1/X) https://t.co/ndcDyoHDTv pic.twitter.com/3Y4vw1LlZq
— MalwareHunterTeam (@malwrhunterteam) October 30, 2022
The ransom note tells victims to contact the framed researchers for decryption keys, which those researchers deny having. While they analyze the encryptor for weaknesses, victims should know that Azov also deploys wiper malware alongside the ransomware.
The wiper destroys the files on the victim’s system for no apparent reason. Victims should also realize that they may be infected with other malware as well, since SmokeLoader has been deploying the RedLine information-stealing malware and STOP ransomware alongside Azov.
While lying about who is behind it, the Azov ransom note claims its operations are a response to the seizure of Crimea and to Western countries not doing enough to help Ukraine in its war against Russia.