Azov Wiper Attempts to Frame Cybersecurity Experts
Security experts have discovered a new wiper called Azov Ransomware, which is actively spreading through pirated software, keygens, and adware bundles. This malware attempts to frame well-known cybersecurity researchers by claiming they created it and are behind the attacks. The malware appears to be named after the “Azov” regiment, which is banned in Russia and designated as a terrorist organization.
The emergence of Azov Ransomware was reported by Lawrence Abrams, founder of Bleeping Computer and a cybersecurity researcher. In the ransom note (RESTORE_FILES.txt), the attackers claim that the malware was created by a cybersecurity expert known as Hasherazade. To recover their files, victims are told to contact other well-known specialists via Twitter: Lawrence Abrams, Bleeping Computer, Hasherazade, MalwareHunterTeam, Michael Gillespie, or Vitali Kremez.
In their message, the attackers also state that Azov was created as a protest against the annexation of Crimea by Russia and because Western countries are not providing enough support to Ukraine in light of the Russian special military operation. Bleeping Computer is aware of at least one Ukrainian organization that has been attacked by this malware.
Unfortunately, the ransom note does not provide any real way to contact the ransomware operators. Abrams concludes that, due to the lack of a way to contact the attackers to pay a ransom, this malware should be considered a deliberately destructive wiper rather than typical ransomware.
As victims have started reaching out to Bleeping Computer for help with file recovery, Abrams emphasizes that, for now, neither he nor other experts know of any way to restore the data, and they are unable to assist.
How Azov Ransomware Spreads
According to reports, Azov began spreading online about two weeks ago, and it appears that the first infections were delivered via the SmokeLoader botnet, with hackers simply paying the botnet operators to distribute the wiper.
SmokeLoader is a botnet that other cybercriminals can rent or buy “installs” from to spread their own malware on infected devices. SmokeLoader is typically distributed through websites offering fake cracks, keygens, mods, or game cheats.
Bleeping Computer notes that in recent weeks, SmokeLoader has been spreading Azov Ransomware alongside other malware, including RedLine Stealer and the STOP ransomware. There have even been cases of double encryption, where files are first encrypted by Azov and then by STOP, since SmokeLoader delivered both to victims’ systems at the same time.
Technical Details of the Attack
Once inside a system, the ransomware is written to the Windows temporary folder (%Temp%) under a random file name and executed. Upon launch, the wiper copies C:\Windows\System32\msiexec.exe to C:\ProgramData\rdpclient.exe and modifies that copy so that it also contains Azov Ransomware. The malware can also be configured to run at every Windows startup by making changes to the registry.
The wiper then scans all drives and encrypts every file except those with the extensions .ini, .dll, and .exe. Encrypted files are given the .azov extension, and every folder containing encrypted files receives a RESTORE_FILES.txt file with the hackers’ message.
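As an added defensive example (not code from the original article), here is a small Python triage script that walks a directory tree for the file-system artifacts described above: .azov files, RESTORE_FILES.txt notes, and the dropped rdpclient.exe copy. The sample tree it builds is constructed data, and matching the bare name rdpclient.exe anywhere in the tree, rather than only under C:\ProgramData, is an assumption made so the script runs on any host.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files get the .azov extension,
# every affected folder receives RESTORE_FILES.txt, and a modified copy of
# msiexec.exe is dropped as rdpclient.exe (C:\ProgramData on a real host).
ENCRYPTED_EXT = ".azov"
RANSOM_NOTE = "RESTORE_FILES.txt"
DROPPED_BINARY = "rdpclient.exe"
# Extensions the wiper skips; untouched files of these types next to .azov
# files are expected and must not be mistaken for partial recovery.
SKIPPED_EXTS = {".ini", ".dll", ".exe"}


def scan_tree(root):
    """Walk `root` and collect the Azov-style artifacts described above."""
    found = {"azov_files": [], "ransom_notes": [], "dropper": [], "skipped": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                found["ransom_notes"].append(str(path))
            elif name.lower() == DROPPED_BINARY:  # assumption: any location
                found["dropper"].append(str(path))
            elif path.suffix.lower() == ENCRYPTED_EXT:
                found["azov_files"].append(str(path))
            elif path.suffix.lower() in SKIPPED_EXTS:
                found["skipped"] += 1
    return found


def classify(found):
    """Reduce the findings to a triage label for an analyst."""
    if found["azov_files"] and found["ransom_notes"]:
        return "azov-wiper-artifacts"
    if found["ransom_notes"] or found["dropper"]:
        return "suspicious"
    return "clean"


def make_constructed_sample():
    """Create a throwaway tree mimicking an affected folder (constructed data)."""
    base = Path(tempfile.mkdtemp(prefix="azov-triage-"))
    (base / "docs").mkdir()
    for name in ("report.docx.azov", "photo.jpg.azov", "app.dll", "settings.ini"):
        (base / "docs" / name).write_bytes(b"constructed sample")
    (base / "docs" / RANSOM_NOTE).write_text("constructed note text\n")
    (base / DROPPED_BINARY).write_bytes(b"constructed stub, not a real binary")
    return base
```

Run `classify(scan_tree(r"C:\"))` on a suspect host (or on a mounted image) to get a quick label before deeper forensic work.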
Previous Attempts to Frame Security Experts
This is far from the first time attackers have tried to cause problems for cybersecurity experts by attributing malware authorship or cyberattacks to them. For example, in 2016, the operators of the Apocalypse ransomware renamed their malware to Fabiansomware “in honor” of researcher Fabian Wosar, who was interfering with their activities. In another case, in 2020, the creators of the MBRLocker ransomware used the name of cybersecurity expert Vitali Kremez in their ransom notes.