Heimdal

Researchers have established that Azov Ransomware, although it pretends to encrypt data, is in fact a data wiper: it destroys the data on an infected device and corrupts other programs. The malware is distributed through the Smokeloader botnet, which itself spreads through cracks and pirated software.

Azov Ransomware is a new malware family that first emerged last month and continues to spread heavily. It is accompanied by a ransom note telling victims to contact security researchers and journalists, in an attempt to frame them as the creators of the malicious software.

How Does the Data Wiper Work?

Check Point security researcher Jiří Vinopal analyzed the malware for BleepingComputer and discovered that Azov Ransomware remains dormant on an infected device until a time trigger set to October 27th, 2022, at 10:14:30 AM UTC, at which point it corrupts the data.

Data is destroyed in alternating cycles of 666 bytes, a number biblically associated with the Devil.

“This works in a loop, so the wiped file structure would look like this: 666 bytes of garbage, 666 bytes original, 666 bytes of garbage, 666 bytes original, etc…”, Jiří Vinopal told BleepingComputer.
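The alternating layout described above, modelled in Python as an added example for this article (it is not the malware's code and not from the original page or the researcher): `simulate_azov_wipe` reproduces the 666-byte garbage/original pattern on an in-memory copy, `surviving_chunks` carves out the odd chunks that still hold original bytes, and `looks_azov_wiped` is a triage heuristic that flags a file whose even chunks are near-random while its odd chunks keep the lower entropy of the original content. The sample "document", the seeded garbage generator and the entropy thresholds (7.0 bits minimum for a garbage chunk, 2.0 bits of gap) are constructed assumptions for the demo.

```python
import math
import random
from collections import Counter
from typing import Callable, Iterator, List, Optional

CHUNK = 666  # wipe granularity reported for Azov, in bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for empty input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def seeded_garbage(seed: int) -> Callable[[int], bytes]:
    """Deterministic stand-in for the wiper's garbage bytes (constructed for this demo)."""
    rng = random.Random(seed)
    return lambda n: bytes(rng.getrandbits(8) for _ in range(n))


def simulate_azov_wipe(original: bytes, garbage: Optional[Callable[[int], bytes]] = None) -> bytes:
    """Model of the reported layout applied to an in-memory copy: chunk 0 is
    overwritten with garbage, chunk 1 is left alone, chunk 2 is overwritten, ...
    This reproduces the described effect only; it is not the malware's code."""
    garbage = garbage or seeded_garbage(0)
    out = bytearray(original)
    for start in range(0, len(out), 2 * CHUNK):
        end = min(start + CHUNK, len(out))
        out[start:end] = garbage(end - start)
    return bytes(out)


def surviving_chunks(data: bytes) -> Iterator[bytes]:
    """Yield the odd-numbered 666-byte chunks, the only parts of a wiped file that
    still hold original bytes (useful for carving strings, never for full recovery)."""
    for start in range(CHUNK, len(data), 2 * CHUNK):
        yield data[start:start + CHUNK]


def looks_azov_wiped(data: bytes, high: float = 7.0, gap: float = 2.0, min_chunks: int = 4) -> bool:
    """Triage heuristic: every even chunk looks random (entropy >= `high`) and the
    even chunks are on average `gap` bits noisier than the odd chunks. Works for
    text, documents and other low-entropy content; an already compressed or
    encrypted original has high entropy everywhere and is NOT distinguishable."""
    chunks: List[bytes] = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if chunks and len(chunks[-1]) < CHUNK:
        chunks.pop()  # a short tail gives a noisy entropy estimate
    if len(chunks) < min_chunks:
        return False
    even = [shannon_entropy(c) for c in chunks[0::2]]
    odd = [shannon_entropy(c) for c in chunks[1::2]]
    return min(even) >= high and (sum(even) / len(even)) - (sum(odd) / len(odd)) >= gap


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog. " * 200  # constructed "document"
    wiped = simulate_azov_wipe(sample, seeded_garbage(1))
    print("wiped file flagged:", looks_azov_wiped(wiped))
    print("intact file flagged:", looks_azov_wiped(sample))
    print("surviving chunks:", sum(1 for _ in surviving_chunks(wiped)))
```

The heuristic is only a first-pass filter for incident response: it says nothing about a file that was already high-entropy (archives, images, encrypted containers), and no heuristic recovers the overwritten half. Its real value is in separating wiped documents from intact ones quickly on a large file share before deciding what to restore from backup.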

To make matters even worse, the data wiper will infect, or ‘backdoor,’ other 64-bit executables on the Windows device whose file path does not contain any of the following strings:

\Windows\
\ProgramData\
\cache2\entries\
\Low\Content.IE5\
\User Data\Default\Cache\
\Documents and Settings\
\All Users

By backdooring these programs, Azov Ransomware injects additional code that launches the data wiper whenever the apparently benign executable is run. The backdooring is polymorphic: the same shellcode is encoded differently each time, which makes the implants harder for antivirus software to detect.
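Because the injected code is polymorphic, a signature for one implant does not find the next one; what an incident responder can do reliably is scope the set of files the wiper would even consider, i.e. 64-bit PE executables outside the skip list above, and hand that set to deeper inspection (hashing against known-good copies, checking the entry point). The helper below is an added example for this article, not the malware's logic and not from the original page. It assumes the skip strings are matched case-insensitively as plain substrings with backslash separators (the article does not say), and it treats a PE whose COFF Machine field is IMAGE_FILE_MACHINE_AMD64 (0x8664) as "64-bit". `build_fake_pe` constructs a minimal header purely so the functions can be exercised offline.

```python
import os
import struct
from typing import Iterator, Optional

# Path substrings the wiper reportedly skips, as listed in the article above.
EXCLUDED_PATH_PARTS = (
    "\\Windows\\",
    "\\ProgramData\\",
    "\\cache2\\entries\\",
    "\\Low\\Content.IE5\\",
    "\\User Data\\Default\\Cache\\",
    "\\Documents and Settings\\",
    "\\All Users",
)

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def is_excluded_path(path: str) -> bool:
    """True if `path` contains one of the skip strings. Assumption: the wiper
    compares case-insensitively; forward slashes are normalised to backslashes."""
    norm = path.replace("/", "\\").lower()
    return any(part.lower() in norm for part in EXCLUDED_PATH_PARTS)


def pe_machine(data: bytes) -> Optional[int]:
    """Return the COFF Machine field of the PE image in `data`, or None if the
    bytes do not start with a valid MZ/PE header pair."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def is_64bit_pe(data: bytes) -> bool:
    """x64 image check based on the Machine field (assumption: that is what 64-bit means here)."""
    return pe_machine(data) == IMAGE_FILE_MACHINE_AMD64


def build_fake_pe(machine: int) -> bytes:
    """Constructed minimal DOS stub + PE signature + COFF header for offline tests.
    Not a loadable image: no optional header, no sections."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<H", machine) + b"\0" * 18  # Machine plus the rest of the 20-byte COFF header
    return bytes(dos) + b"PE\0\0" + coff


def find_candidates(root: str, read_size: int = 4096) -> Iterator[str]:
    """Yield 64-bit PE files under `root` that are NOT on the skip list: the files
    the wiper would consider for backdooring and therefore the ones to inspect."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_excluded_path(path):
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(read_size)
            except OSError:
                continue
            if is_64bit_pe(head):
                yield path


if __name__ == "__main__":
    import sys
    for candidate in find_candidates(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(candidate)
```

Run it against a mounted image or a user profile directory and compare the resulting list against a known-good inventory (package hashes, a golden image); anything that changed size or hash after the trigger date is a backdoored executable until proven otherwise. Note that the skip list protects Windows system directories from the wiper, so the files worth checking are mostly third-party tools, portable applications and anything users keep in their own folders.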

Context for Azov Ransomware

Once Azov Ransomware has run on a device, the wiped data is lost for good, and because other executables on the system have been infected the victim will usually be compelled to reinstall Windows.

The wiper may also be accompanied by other malicious software, such as password-stealing malware. Victims are advised to reset the passwords of sensitive accounts such as email and online banking.

There are multiple theories about the motives of the threat actor behind Azov Ransomware, but it is still unknown whether the malware is cover for other malicious activity or was simply created to irritate the cybersecurity community.

Although the name of the malware points to the Ukrainian Azov military regiment, it does not appear to be linked to Ukraine; the name is used only to create further confusion.


Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content.
