A technical analysis of the so-called Azov ransomware shows that it is an advanced wiper, not ransomware: it overwrites files with garbage data, leaving nothing that could be decrypted or recovered.
Check Point Research (CPR) sees this as part of a worrying trend towards sophisticated malware built to destroy the infected system, and advises companies to take precautions accordingly.
In October, the "Azov ransomware" spread via cracked and pirated software and appeared to encrypt victims' files. The malware targets Windows systems and only poses as ransomware. It is in fact a wiper: using a multi-threaded approach, it gradually overwrites files in small steps, each step writing 666 bytes of garbage data, so there is no key and nothing to decrypt.
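To make the overwrite pattern concrete for an analyst triaging a suspected victim machine, here is an added example (not code from the article or from Check Point Research) that profiles a file in 666-byte blocks, the step size named above, and reports which blocks contain random-looking data. The block size and the 7.0 bits-per-byte entropy threshold are assumptions chosen for this example, and the input is a constructed in-memory "document", not a real Azov artifact.

```python
from __future__ import annotations

import math
import random
from collections import Counter

# Block size follows the 666-byte overwrite step the article describes (assumption:
# that the steps are contiguous, fixed-size blocks).
BLOCK_SIZE = 666
# Empirical entropy of 666 random bytes is ~7.7 bits/byte; text, code and zero-fill
# sit far below 7.0, so this threshold separates garbage from original content.
GARBAGE_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 for constant data, close to 8.0 for random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def full_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list[bytes]:
    """Split into complete fixed-size blocks; a short tail cannot be judged by entropy and is dropped."""
    return [data[i:i + block_size] for i in range(0, len(data) - block_size + 1, block_size)]


def garbage_block_indices(data: bytes, block_size: int = BLOCK_SIZE,
                          threshold: float = GARBAGE_THRESHOLD) -> list[int]:
    """Indices of blocks whose content looks like random overwrite data."""
    return [i for i, b in enumerate(full_blocks(data, block_size))
            if shannon_entropy(b) >= threshold]


def run_lengths(data: bytes, block_size: int = BLOCK_SIZE) -> list[tuple[str, int]]:
    """Collapse block verdicts into runs, e.g. [('garbage', 1), ('intact', 1), ...].
    Garbage runs interleaved with intact runs point to a chunked overwrite loop;
    whole-file encryption yields a single garbage run."""
    garbage = set(garbage_block_indices(data, block_size))
    runs: list[tuple[str, int]] = []
    for i in range(len(full_blocks(data, block_size))):
        kind = "garbage" if i in garbage else "intact"
        if runs and runs[-1][0] == kind:
            runs[-1] = (kind, runs[-1][1] + 1)
        else:
            runs.append((kind, 1))
    return runs


def classify(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Coarse triage verdict for one file."""
    total = len(full_blocks(data, block_size))
    if total == 0:
        return "too small to judge"
    hit = len(garbage_block_indices(data, block_size))
    if hit == 0:
        return "intact"
    if hit == total:
        return "uniformly high entropy (whole-file encryption, compression or full overwrite)"
    return f"partial overwrite: {hit} of {total} {block_size}-byte blocks are garbage"


def build_sample() -> bytes:
    """Constructed input: a low-entropy 'document' in which every other 666-byte block
    has been replaced by seeded pseudo-random bytes. Not a real Azov artifact."""
    text = (b"Quarterly report: revenue, costs, headcount, forecast. " * 20)[:BLOCK_SIZE]
    rng = random.Random(0xA20F)
    blocks = []
    for i in range(10):
        if i % 2 == 0:
            blocks.append(bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE)))
        else:
            blocks.append(text)
    return b"".join(blocks) + b"trailing partial block"


if __name__ == "__main__":
    sample = build_sample()
    print(classify(sample))
    print(run_lengths(sample))
```

A file genuinely encrypted by ransomware is high-entropy from start to end, so `classify` reports it as uniformly high entropy; a file only partially overwritten shows garbage blocks next to intact ones, and `run_lengths` exposes the interval. Entropy alone cannot tell garbage from ciphertext or compressed data, so treat the output as triage, not proof.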
Two versions of "Azov Ransomware"
The IT community first became aware of Azov as a payload of the SmokeLoader botnet, which is commonly found in fake pirated software and illegal software download sites.
Azov stands out from the mass of recently reported ransomware by modifying certain 64-bit executables on the system so that they run its code. The injected code is polymorphic, so static signatures do not reliably block or detect it, and targeting 64-bit binaries is itself unusual: the average malware author would not go to that effort.
Hundreds of new Azov-related samples are submitted to VirusTotal every day, and as of November 2022 the total already exceeds 17,000. The motivation of the threat actor distributing Azov in the wild is still unknown, but it is now clear that Azov is advanced malware whose purpose is to destroy the compromised system it runs on.
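A header-level triage for the kind of modified 64-bit executable described above, added here as an example and not Check Point's tooling or Azov's code. The article does not say how Azov alters the programs it infects, so the checks are the standard ones for appended-code infectors: an entry point redirected into the last section, into a section other than `.text`, or into a section that is both writable and executable. The PE images are constructed in-memory headers built by `build_pe64` (a helper written for this example), not real binaries.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + max(self.virtual_size, self.raw_size)


def parse_pe(data: bytes) -> tuple[int, int, int, list[Section]]:
    """Read machine type, optional-header magic, entry-point RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sec_off = opt + opt_size
    sections = []
    for i in range(nsections):
        off = sec_off + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, _, _, _, _, _, chars = struct.unpack_from("<IIIIIIHHI", data, off + 8)
        sections.append(Section(name, vaddr, vsize, rawsize, chars))
    return machine, magic, entry_rva, sections


def triage(data: bytes) -> list[str]:
    """Heuristic findings about where the entry point lands; an empty list means nothing odd."""
    machine, magic, entry_rva, sections = parse_pe(data)
    if machine != IMAGE_FILE_MACHINE_AMD64 or magic != PE32PLUS_MAGIC:
        return ["not a 64-bit (PE32+) image; these heuristics assume x64"]
    home = next((s for s in sections if s.contains_rva(entry_rva)), None)
    if home is None:
        return [f"entry point RVA {entry_rva:#x} lies outside every section"]
    findings = []
    if home is sections[-1] and len(sections) > 1:
        findings.append(f"entry point in the last section ({home.name}), where appended code usually lands")
    if home.name != ".text":
        findings.append(f"entry point in non-standard section {home.name!r} rather than .text")
    if home.characteristics & IMAGE_SCN_MEM_WRITE and home.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"section {home.name} is both writable and executable")
    if not home.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append(f"section {home.name} holds the entry point but is not marked as code")
    return findings


def build_pe64(sections: list[tuple[str, int, int, int]], entry_rva: int) -> bytes:
    """Constructed minimal PE32+ header (DOS header, COFF header, optional header, section
    table) for exercising triage(); no section contents are emitted since only headers are read."""
    opt_size = 0xF0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points to 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 14 + struct.pack("<I", entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    table = b""
    for name, vaddr, vsize, chars in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + opt + table


CLEAN = build_pe64([(".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
                    (".data", 0x3000, 0x1000, 0xC0000040)], entry_rva=0x1400)
# Constructed "infected" layout: a section appended after .data that now owns the entry point.
SUSPECT = build_pe64([(".text", 0x1000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
                      (".data", 0x3000, 0x1000, 0xC0000040),
                      (".new", 0x4000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)],
                     entry_rva=0x4010)

if __name__ == "__main__":
    print("clean:", triage(CLEAN))
    print("suspect:", triage(SUSPECT))
```

Packers and some installers legitimately move the entry point into a trailing section, so a hit here means "look closer", not "infected"; the polymorphic body the article mentions is exactly why a structural check like this is worth running alongside signature scanning rather than instead of it.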
In its analysis, CPR distinguished two versions of Azov, one older and one slightly newer. Most of their functionality is identical, but the newer version uses a different ransom note and a different file extension for the corrupted files it creates. The two ransom notes differ in content and give some insight into the perpetrators' ideology.
While the older note is more abstract, describing general situations of life and death and feelings of destruction and loss, the newer note refers directly to the Russo-Ukrainian conflict. It instructs the victim to "draw your attention to the problem" and asserts that "the West is not helping Ukraine enough".
Comment
Azov ransomware is not ransomware. It is actually a very advanced and well-written wiper designed to destroy the compromised system it is running on. We performed the first in-depth analysis of the malware, proving its true identity as a wiper. Azov differs from ordinary wipers in that it modifies certain 64-bit programs to run its own code and uses polymorphic code to avoid being detected by static signatures. The malware uses the SmokeLoader botnet and Trojans to proliferate. This is one of the more serious pieces of malware to beware of, as it is capable of making the system and files unrecoverable. (Eli Smadja, Head of Research at Check Point Software)
More at Checkpoint.com
About Check Point
Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive "one point of control" security management system. Check Point protects over 100,000 businesses of all sizes.