Skip links

Azov Ransomware is a wiper, destroying data 666 bytes at a time



The Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims’ data and infects other programs.

Last month, a threat actor began distributing malware called ‘Azov Ransomware‘ through cracks and pirated software that pretended to encrypt victims’ files.

However, instead of providing contact info to negotiate a ransom, the ransom note told victims to contact security researchers and journalists to frame them as the developers of the ransomware.

‘Azov Ransomware’ data wiper note to victims
Source: BleepingComputer

As there was no contact info, and the listed contacts had no way of helping victims, we assumed that the malware was a data wiper.

A diabolical data wiper

Last week, Checkpoint security researcher Jiří Vinopal analyzed the Azov Ransomware and confirmed to BleepingComputer that the malware was specially crafted to corrupt data.

The malware included a trigger time that would cause it to sit dormant on the victim’s devices until October 27th, 2022, at 10:14:30 AM UTC, which would then trigger the corruption of all data on the device.

Vinopal says it would overwrite a file’s contents and corrupt data in alternating 666-byte chunks of garbage data. The number 666 is commonly associated with the biblical ‘Devil,’ clearly showing the malicious intent of the threat actor.

“Each cycle exactly 666 bytes are being overwritten with random (uninitialized data) and the next 666 bytes are left original,” Vinopal told BleepingComputer.

“This works in a loop, so wiped file structure would look like this: 666 bytes of garbage, 666 bytes original, 666bytes of garbage, 666 bytes original, etc…”

Corrupting data in alternating 666 bytes of data
Source: Jiří Vinopal

To make matters even worse, the data wiper will infect, or ‘backdoor,’ other 64-bit executables on the Windows device whose file path does not contain the following strings:

User DataDefaultCache
Documents and Settings
All Users

When backdooring an executable, the malware will inject code that will cause the data wiper to launch when a seemingly harmless executable is launched.

“Backdooring of the files works in a polymorphic way, which means the same shellcodes used to backdoor files are every time encoded differently,” explained Vinopal.

“(ex. if the same file A would be backdoored 2 times to file B1 and B2, B1 and B2 shellcode parts are different so B1 and B2 are also different on the disk) – this is used probably to avoid static AV detection.”

Infecting 64-bit files for persistence
Source: Jiří Vinopal

Today, the threat actor continues distributing the malware through the Smokeloader botnet, commonly found in fake pirated software and crack sites.

At the time of this writing, there are already pages of submissions of this malware to VirusTotal for today alone, showing how many victims have been affected by this malware over the past two weeks.

Azov submissions to VirusTotal
Source: BleepingComputer

It is unclear why the threat actor is spending money to distribute a data wiper. However, theories range from it being done to cover up other malicious behavior or simply to ‘troll’ the cybersecurity community.

Regardless of the reason, victims who are infected with Azov Ransomware will have no way of recovering their files, and as other executables are infected, they should reinstall Windows to be safe.

Furthermore, as Smokeloader is being used to distribute the Azov data wiper, it is likely also installed with other malware, such as password-stealing malware. Therefore, it is essential to reset any passwords to email accounts, financial services, or other sensitive information.

Finally, while the ransomware is named after the Ukrainian ‘Azov’ military regiment, this malware is likely not affiliated with the country and is just using the name as a false flag.

Adblock test (Why?)