A Check Point researcher has detailed how the Azov ransomware, which earlier framed security researchers by naming them in its ransom note, actually works.

He described how its data corruption works and noted several references in the code that point to deliberate malice. Like other researchers, he warned that there is no remedy for anyone already infected by Azov, but he did suggest precautions that reduce the chance of infection in the first place.

Azov Ransomware Modus Operandi

As earlier reported, the authors of Azov are distributing it through SmokeLoader, which itself spreads disguised as pirated software or games. Once deployed, the malware corrupts data on the system and leaves a ransom note that names several security researchers as members of the gang.

The note tells victims to contact those researchers for help, even though they have no connection to the malware, and demands no ransom for decrypting the files. There is nothing to decrypt: the payload is a data wiper that destroys everything it touches, says Jiří Vinopal, a researcher at Check Point Research.

He detailed how the malware works from its initial deployment through SmokeLoader to a wiper routine set to trigger only on October 27, 2022, at 10:14:30 AM UTC. By the time of writing, many victims had already uploaded samples of the malware to VirusTotal.

Vinopal said that Azov overwrites a file's contents in alternating 666-byte chunks, replacing every other chunk with garbage data. Even though half of the content is left intact, the whole file is useless, because any structure spanning the overwritten chunks (headers, indexes, compressed streams) is destroyed and there is no key that could restore it. The choice of 666 for the chunk size, a number associated with the biblical Devil, is one more sign of the threat actor's deliberate malice.
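The alternating-chunk corruption described above, as an added Python example that is not Check Point's code or the malware's own: it models the overwrite on an in-memory buffer (never on disk), then shows the triage check a responder would run on a suspect file, namely per-chunk entropy that strictly alternates between garbage-like and original-like, plus a salvage routine for the untouched halves. The 666-byte chunk size comes from the analysis; which of the two interleaved chunk sets is overwritten first, the entropy thresholds, and the sample text are assumptions made for the example.

```python
import math
import os
from collections import Counter

CHUNK = 666  # chunk size reported in the Check Point analysis


def simulate_alternating_overwrite(data, chunk=CHUNK, overwrite_first=True, garbage=os.urandom):
    """In-memory model of the pattern the article describes: every other
    `chunk`-byte block is replaced with garbage, the rest is left untouched.
    Assumption (not stated on the page): which of the two interleaved block
    sets is overwritten first; `overwrite_first` makes that explicit."""
    out = bytearray(data)
    for idx, off in enumerate(range(0, len(out), chunk)):
        if (idx % 2 == 0) == overwrite_first:
            n = min(chunk, len(out) - off)  # trailing chunk may be short
            out[off:off + n] = garbage(n)
    return bytes(out)


def shannon_entropy(buf):
    """Bits of entropy per byte, 0.0 .. 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage(data, chunk=CHUNK, high=7.0, low=6.0):
    """Heuristic check for intermittent overwriting: full-size chunks whose
    entropy strictly alternates between garbage-like (>= high) and
    original-like (<= low). A trailing partial chunk is counted but not
    classified, because a short chunk cannot reach the high threshold even
    when it is pure garbage. The thresholds are assumptions tuned for
    text-like originals; compressed or encrypted originals need another `low`."""
    full = len(data) // chunk
    classes = []
    for idx in range(full):
        e = shannon_entropy(data[idx * chunk:(idx + 1) * chunk])
        if e >= high:
            classes.append("garbage")
        elif e <= low:
            classes.append("original")
        else:
            classes.append("ambiguous")
    alternates = (
        len(classes) >= 2
        and "ambiguous" not in classes
        and all(a != b for a, b in zip(classes, classes[1:]))
    )
    intact = [i * chunk for i, c in enumerate(classes) if c == "original"]
    return {
        "pattern_matches": alternates,
        "full_chunks": full,
        "trailing_partial_bytes": len(data) - full * chunk,
        "intact_offsets": intact,
        "classes": classes,
    }


def salvage_intact_chunks(data, offsets, chunk=CHUNK):
    """Concatenate the chunks triage judged untouched. This recovers bytes,
    not files: with every other chunk gone, a document or archive is still
    useless, which is exactly the analysts' point."""
    return b"".join(data[off:off + chunk] for off in offsets)


if __name__ == "__main__":
    # Constructed sample input, not a real victim file.
    sample = b"Quarterly report: revenue up 12%, costs flat. " * 70
    wiped = simulate_alternating_overwrite(sample)
    report = triage(wiped)
    print(report["pattern_matches"], report["classes"], report["intact_offsets"])
    print(len(salvage_intact_chunks(wiped, report["intact_offsets"])), "bytes survive")
```

The salvage step exists to make the article's point concrete: the surviving halves come back as raw bytes, but nothing in them tells you how to rebuild the missing halves, so the file stays unrecoverable. The entropy heuristic will also misclassify originals that are already high-entropy (archives, media, encrypted containers); for those, compare the suspect file against a known-good copy or backup checksums instead of trusting the pattern check alone.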

"We took a look at #Azov #Ransomware — a new destructive data wiper: manually crafted in Assembly using FASM; multi-threaded intermittent overwriting (looping 666 bytes) of original data content; effective, fast, and unfortunately unrecoverable data wiper." — Check Point Research (@CPResearch), November 2, 2022