January 30, 2023
Azov Ransomware is a wiper, destroying data 666 bytes at a time

The Azov Ransomware continues to be heavily distributed worldwide, now confirmed to be a data wiper that intentionally destroys victims' data and infects other programs.

Last month, a threat actor began distributing malware called 'Azov Ransomware' through cracks and pirated software that pretended to encrypt victims' files.

However, instead of providing contact information to negotiate a ransom, the ransom note instructed victims to contact security researchers and journalists to frame them as the developers of the ransomware.

'Azov Ransomware' data wiper note to victims
Source: BleepingComputer

As there was no contact information, and the listed contacts had no way of helping victims, we assumed that the malware was a data wiper.

A diabolical data wiper

Last week, Check Point security researcher Jiří Vinopal analyzed the Azov Ransomware and confirmed to BleepingComputer that the malware was specifically crafted to corrupt data.

Check Point tweet

The malware included a trigger time that would cause it to sit dormant on the victim's devices until October 27th, 2022, at 10:14:30 AM UTC, which would then trigger the corruption of all data on the device.

Vinopal says it will overwrite a file's contents and corrupt data in alternating 666-byte chunks of garbage data. The number 666 is commonly associated with the biblical 'Devil,' clearly illustrating the malicious intent of the threat actor.

"Each cycle exactly 666 bytes are being overwritten with random (uninitialized data) and the next 666 bytes are left original," Vinopal told BleepingComputer.

"This works in a loop, so wiped file structure would look like this: 666 bytes of garbage, 666 bytes original, 666 bytes of garbage, 666 bytes original, etc…"

Corrupting data in alternating 666-byte chunks
Source: Jiří Vinopal
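
The alternating garbage/original layout Vinopal describes is regular enough to be verified, and partially salvaged, on disk during incident response. The Python helpers below are an added example written for this page, not code from the article, BleepingComputer or Check Point; the 7.0 bits-per-byte entropy threshold, the chunk index convention (garbage chunk first, as in the quote) and the constructed sample log are assumptions.

```python
import math
import random
from collections import Counter

CHUNK = 666  # wipe granularity reported by Vinopal

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: close to 8.0 for random data, low for text or zeros."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def chunks(data: bytes, size: int = CHUNK) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]

def matches_azov_pattern(damaged: bytes, original: bytes) -> bool:
    """Authoritative check against a known-good copy (e.g. a backup): chunks 0, 2, 4, ...
    must differ from the original and chunks 1, 3, 5, ... must be byte-identical."""
    if len(damaged) != len(original):
        return False
    for i, (d, o) in enumerate(zip(chunks(damaged), chunks(original))):
        if (i % 2 == 0) == (d == o):  # garbage chunk unchanged, or original chunk touched
            return False
    return True

def entropy_profile_suggests_wipe(damaged: bytes, threshold: float = 7.0) -> bool:
    """Heuristic when no known-good copy exists (threshold is an assumption, not from the
    article): full-size even chunks look random, full-size odd chunks do not. Misfires on
    originals that were already compressed or encrypted, or if the garbage is all zeros."""
    ents = [shannon_entropy(c) for c in chunks(damaged) if len(c) == CHUNK]
    if len(ents) < 2:
        return False
    return all(e >= threshold for e in ents[0::2]) and all(e < threshold for e in ents[1::2])

def salvage_intact_chunks(damaged: bytes) -> bytes:
    """Concatenate the untouched odd-numbered chunks; for logs or text files about half
    the content is still readable even though the file as a whole is lost."""
    return b"".join(chunks(damaged)[1::2])

def constructed_sample(seed: int = 1) -> tuple:
    """Constructed test data (not malware output): a plain-text log and a copy damaged in
    the pattern described above, i.e. even chunks replaced by pseudo-random bytes."""
    original = (b"2022-10-27 10:14:30 svc=backup status=ok\n" * 90)[:CHUNK * 5 + 100]
    rng = random.Random(seed)
    damaged = b"".join(bytes(rng.getrandbits(8) for _ in range(len(c))) if i % 2 == 0 else c
                       for i, c in enumerate(chunks(original)))
    return original, damaged
```

The known-good comparison is the one to trust when a backup exists; the entropy profile only gives a triage hint for files with no reference copy.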

To make matters even worse, the data wiper will infect, or 'backdoor,' other 64-bit executables on the Windows device whose file path does not contain the following strings:

:\Windows
ProgramData
cache2\entries
Low\Content.IE5
User Data\Default\Cache
Documents and Settings
All Users

When backdooring an executable, the malware will inject code that will cause the data wiper to launch when a seemingly innocent executable is launched.

"Backdooring of the files works in a polymorphic way, which means the same shellcodes used to backdoor files are every time encoded differently," explained Vinopal.

"(ex. if the same file A would be backdoored 2 times to file B1 and B2, B1 and B2 shellcode parts are different so B1 and B2 are also different on the disk) – this is used probably to avoid static AV detection."

Infecting 64-bit files for persistence
Source: Jiří Vinopal

Today, the threat actor continues distributing the malware through the Smokeloader botnet, commonly found in fake pirated software and crack sites.

At the time of this writing, there are already pages of submissions of this malware to VirusTotal for today alone, showing how many victims have been affected by this malware over the past two weeks.

Azov submissions to VirusTotal
Source: BleepingComputer

It is unclear why the threat actor is spending money to distribute a data wiper. However, theories range from it being done to cover up other malicious behavior or simply to 'troll' the cybersecurity community.

Regardless of the reason, victims who are infected with Azov Ransomware will have no way of recovering their files, and as other executables are infected, they should reinstall Windows to be safe.

Furthermore, as Smokeloader is being used to distribute the Azov data wiper, it is likely also installed with other malware, such as password-stealing malware. Therefore, it is essential to reset any passwords to email accounts, financial services, or other sensitive information.

Finally, while the ransomware is named after the Ukrainian 'Azov' military regiment, this malware is likely not affiliated with the country and is just using the name as a false flag.
