The PolySwarm Blog


Azov Ransomware Built to Wipe Data

Nov 17, 2022 1:36:37 PM / by PolySwarm Tech Team


Executive Summary

Azov ransomware is a recently discovered malware family being distributed through pirated software, keygens, and adware bundles. It acts as a wiper and is capable of backdooring 64-bit executables. It also uses a unique pattern for overwriting files.

Key Takeaways

  • Azov ransomware is distributed via SmokeLoader and is found in pirated software, keygens, and adware bundles.
  • The threat actors behind Azov tried to frame or troll multiple well-known and respected security researchers.
  • Azov acts as a wiper and is capable of backdooring other 64-bit executables on the victim machine.

What is Azov?

Azov ransomware is a recently discovered malware family being distributed through pirated software, keygens, and adware bundles. It leverages the SmokeLoader botnet for distribution. The initial ransomware executable is dropped as a randomly named file in the Windows temp (%Temp%) folder and then executed. Azov scans all drives and encrypts any files that do not have .ini, .dll, or .exe extensions. The malware appends .azov to encrypted files.

Potentially the Work of Hacktivists
Azov ransomware is named after the Ukrainian Azov regiment, a volunteer paramilitary entity. However, no links between the Azov regiment and the malware have been discovered. While the threat actors behind this malware have not been identified, the ransom note points to potential hacktivist activity. The ransom note states the malware is encrypting devices in response to political events. Political issues named include the seizure of Crimea and the threat actor’s perceived view that Western countries are not providing Ukraine with enough assistance in the war against Russia.

Attempts to Frame or Troll Security Researchers
Azov’s ransom note provides no valid details on how to recover files. The note attempts to frame, or perhaps troll, security researchers, telling victims to contact them to recover files. Well-known and respected security researchers, including @hasherezade, have posted to clarify that they have NO involvement with this ransomware or the threat actors responsible for it.

More Than Just Ransomware
Despite presenting itself as ransomware, Azov functions as a wiper. Further analysis found that it was manually crafted in Assembly language using FASM. It was apparently meant to be a wiper, as it uses multi-threaded intermittent overwriting. Azov uses a unique overwrite pattern: working in 666-byte chunks, it alternates between overwriting a file’s contents and corrupting them with garbage data. At least one sample analyzed uses a trigger time set to 10:14:30 AM UTC on October 27.
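As an added, defender-side example (not PolySwarm's code), the following heuristic flags a file whose 666-byte chunks alternate between random-looking garbage and lower-entropy content, the intermittent overwrite pattern described above. It assumes that the chunks not overwritten with garbage keep their original, lower-entropy content, which the bulletin does not state explicitly; the sample file is constructed.

```python
import math
from random import Random

CHUNK = 666          # overwrite granularity described for Azov
HIGH_ENTROPY = 7.0   # bits per byte; random garbage scores close to 8
MIN_CHUNKS = 4       # require a few periods before calling it a pattern


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte of the buffer (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def garbage_map(data: bytes) -> list:
    """One flag per 666-byte chunk: True if the chunk looks like random garbage."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    return [shannon_entropy(c) >= HIGH_ENTROPY for c in chunks]


def looks_intermittently_wiped(data: bytes) -> bool:
    """Heuristic: garbage and non-garbage chunks strictly alternate.

    Assumption (not stated in the bulletin): chunks that were not
    overwritten with garbage still hold their original content.
    """
    flags = garbage_map(data)
    if len(flags) < MIN_CHUNKS:
        return False
    return all(flags[i] != flags[i + 1] for i in range(len(flags) - 1))


def build_sample(wiped: bool, chunks: int = 6) -> bytes:
    """Constructed test file: low-entropy text, optionally with every
    other 666-byte chunk replaced by deterministic pseudo-random bytes."""
    rng = Random(2022)
    text = (b"Quarterly report: revenue, costs, headcount. " * 20)[:CHUNK]
    out = bytearray()
    for i in range(chunks):
        if wiped and i % 2 == 0:
            out += bytes(rng.getrandbits(8) for _ in range(CHUNK))
        else:
            out += text
    return bytes(out)
```

Run `looks_intermittently_wiped(open(path, "rb").read())` over files carrying the .azov extension to triage which ones show the pattern; a hit is a lead for further analysis, not proof on its own.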

Azov also backdoors any other 64-bit executables found on the victim machine unless their file paths contain certain strings. Azov injects code into these executables so the data wiper will launch if the executable is launched. Backdooring is conducted in a polymorphic way, using different shellcode encoding each time it backdoors a file.

IOCs

PolySwarm has multiple samples associated with Azov.

650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e

5fe41e533a89cbf6c659eb78b221f24c4827b834a877f72c0ee34a5a0fd80b84

You can use the following CLI command to search for all Azov samples in our portal:

$ polyswarm link list -f Azov

Topics: Ukraine, Threat Bulletin, Ransomware, Azov
