Azov ransomware is a recently discovered malware family being distributed through pirated software, keygens, and adware bundles. It acts as a wiper and is capable of backdooring 64-bit executables. It also uses a unique pattern for overwriting files.
- Azov ransomware is distributed via SmokeLoader and is found in pirated software, keygens, and adware bundles.
- The threat actors behind Azov tried to frame or troll multiple well-known and respected security researchers.
- Azov acts as a wiper and is capable of backdooring other 64-bit executables on the victim machine.
Azov ransomware is a recently discovered malware family being distributed through pirated software, keygens, and adware bundles, and it leverages the SmokeLoader botnet for distribution. The initial ransomware executable is dropped under a random filename in the Windows temp folder (%Temp%) and then executed. Azov scans all drives and encrypts any files that do not have .ini, .dll, or .exe extensions, appending .azov to each encrypted file.
Potentially the Work of Hacktivists
Azov ransomware is named after the Ukrainian Azov regiment, a volunteer paramilitary entity. However, no links between the Azov regiment and the malware have been discovered. While the threat actors behind this malware have not been identified, the ransom note points to potential hacktivist activity. The ransom note states the malware is encrypting devices in response to political events. Political issues named include the seizure of Crimea and the threat actor’s perceived view that Western countries are not providing Ukraine with enough assistance in the war against Russia.
Attempts to Frame or Troll Security Researchers
Azov’s ransom note provides no valid details on how to recover files. Instead, the note attempts to frame, or perhaps troll, security researchers by telling victims to contact them to recover files. Well-known and respected security researchers, including @hasherezade, have posted to clarify that they have no involvement with this ransomware or with the threat actors responsible for it.
More Than Just Ransomware
Although it presents itself as ransomware, Azov functions as a wiper. Further analysis found that it was hand-crafted in Assembly language using FASM. It was apparently designed as a wiper from the start, since it uses multi-threaded intermittent overwriting rather than recoverable encryption. Azov uses a unique pattern to overwrite a file’s contents: it processes files in alternating 666-byte chunks, overwriting every other chunk with garbage data. At least one sample analyzed uses a trigger time set to 10:14:30 AM UTC on October 27.
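As an added example (not code from PolySwarm or from the Azov analysis summarized above), the following forensic triage script checks whether a recovered file shows the alternating 666-byte overwrite pattern described in this post. It computes the Shannon entropy of each 666-byte chunk and looks for a strict high/low alternation, which distinguishes Azov-style intermittent damage from both an intact file (uniformly low entropy) and a fully encrypted or compressed file (uniformly high entropy). The entropy thresholds, the helper names, and the constructed sample file are assumptions; the .azov extension and the 666-byte chunk size come from the post.

```python
"""Triage helper for suspected Azov-damaged files (added example, not PolySwarm code)."""
import math
import random
from collections import Counter
from typing import Dict, List

CHUNK_SIZE = 666      # chunk size described in the Azov analysis
HIGH_ENTROPY = 6.0    # bits/byte at or above which a chunk is treated as garbage (assumed threshold)
LOW_ENTROPY = 5.5     # bits/byte at or below which a chunk is treated as original data (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; random garbage is close to 8, text is typically 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[float]:
    """Entropy of every chunk, including a possibly short trailing chunk."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(entropy: float) -> str:
    """'H' = looks overwritten, 'L' = looks like original data, '?' = ambiguous."""
    if entropy >= HIGH_ENTROPY:
        return "H"
    if entropy <= LOW_ENTROPY:
        return "L"
    return "?"


def chunk_labels(data: bytes, chunk_size: int = CHUNK_SIZE) -> str:
    """Label string over the full chunks only; a short trailing chunk is ignored."""
    full_chunks = len(data) // chunk_size
    return "".join(classify(e) for e in chunk_entropies(data, chunk_size)[:full_chunks])


def matches_alternating_pattern(data: bytes, chunk_size: int = CHUNK_SIZE, min_chunks: int = 4) -> bool:
    """True when full chunks strictly alternate between garbage and original data."""
    labels = chunk_labels(data, chunk_size)
    if len(labels) < min_chunks or "?" in labels or "H" not in labels:
        return False
    return all(labels[i] != labels[i + 1] for i in range(len(labels) - 1))


def triage(name: str, data: bytes) -> Dict[str, object]:
    """Combine the two indicators from the post: the .azov extension and the 666-byte pattern."""
    return {
        "azov_extension": name.lower().endswith(".azov"),
        "alternating_666_pattern": matches_alternating_pattern(data),
        "chunk_labels": chunk_labels(data),
    }


def build_constructed_sample(chunks: int = 6, seed: int = 1234) -> bytes:
    """CONSTRUCTED test input, not a real victim file: low-entropy log text with every
    other 666-byte chunk replaced by deterministic pseudo-random garbage."""
    line = b"2022-10-27 10:14:30 INFO service heartbeat ok\n"
    text = (line * 400)[:chunks * CHUNK_SIZE]
    rng = random.Random(seed)
    parts = []
    for i in range(chunks):
        if i % 2 == 0:
            parts.append(bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE)))
        else:
            parts.append(text[i * CHUNK_SIZE:(i + 1) * CHUNK_SIZE])
    return b"".join(parts)


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(triage("quarterly-report.xlsx.azov", sample))
    intact = b"2022-10-27 10:14:30 INFO service heartbeat ok\n" * 100
    print(triage("quarterly-report.xlsx", intact))
```

Run against a real recovered file with `triage(path.name, path.read_bytes())`. Because only every other chunk is destroyed, the surviving low-entropy chunks are the fragments a recovery effort can still salvage, and the label string shows exactly where they sit.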
Azov also backdoors any other 64-bit executables found on the victim machine unless their file paths contain certain strings. It injects code into these executables so that the wiper runs whenever a backdoored executable is launched. The backdooring is polymorphic: a different shellcode encoding is used each time a file is backdoored, so the injected code does not share a fixed byte pattern across files.
PolySwarm has multiple samples associated with Azov.
You can use the following CLI command to search for all Azov samples in our portal:
$ polyswarm link list -f Azov