A new destructive data wiper called “Azov Ransomware” is being widely distributed through pirated software, key generators and adware bundles, and it tries to frame well-known security researchers by claiming that they are behind the attack.
Azov Ransomware falsely claims to have been created by a well-known security researcher named Hasherazade and lists other researchers, myself and BleepingComputer, as being involved in the operation.
The ransom note, named RESTORE_FILES.txt, states that the devices are encrypted to protest the capture of Crimea and because Western countries are not doing enough to help Ukraine in its war against Russia.
The ransom note tells victims to contact me, BleepingComputer, MalwareHunterTeam, Michael Gillespie or Vitali Kremez on Twitter to recover files, which falsely implies that we are part of the ransomware operation.
To be clear, those listed in the ransom note are not associated with this ransomware and are framed by the threat actor. Therefore, we unfortunately do not have the decryption keys and cannot help you.
Also, since there is no way to contact threat actors to pay a ransom, this malware should be treated as a destructive data eraser rather than ransomware.
Unfortunately, victims have already started contacting BleepingComputer for help recovering files, and while we would love to help, there is no known way to help at this time.
While threat actors claim they are doing this to support Ukraine, BleepingComputer knows of a Ukrainian organization affected by this data eraser.
The wiper takes its name from the Ukrainian Azov Regiment, a controversial military force believed to have been associated with neo-Nazi ideology in the past.
This isn’t the first time threat actors have tried to frame security researchers for their malware.
In 2016, the Apocalypse ransomware operation renamed one of its variants to Fabiansomware after Fabian Wosar. In 2020, one of the Maze ransomware developers released an MBR Locker, claiming it was created by Vitali Kremez.
What we know about the Azov wiper
In a new campaign launched in the past couple of days, a threat actor appears to have purchased “installs” through the SmokeLoader malware botnet to distribute the destructive new Azov wiper.
This thing started spreading about 2 weeks ago already.
One (or the only?) method of spreading this crap looks like someone just bought installs into the malware distribution networks / botnets that are used to spread some stealers, STOP/Djvu ransomware, etc.
(1/X) https://t.co/ndcDyoHDTv pic.twitter.com/3Y4vw1LlZq
– MalwareHunterTeam (@malwrhunterteam) October 30, 2022
SmokeLoader is a malware botnet from which other hackers can rent or buy “installs” to distribute their own malware to infected devices. SmokeLoader is usually distributed through websites offering fake software cracks, game mods, cheats and key generators.
In the past few days, SmokeLoader started delivering the new “Azov Ransomware” along with other malware [VirusTotal], such as the RedLine Stealer information-stealing malware and STOP ransomware.
BleepingComputer is aware of victims who were double-encrypted, first with Azov and then with STOP ransomware, because SmokeLoader delivered both at the same time.
The initial ransomware executable [VirusTotal] is dropped as a randomly named file in the Windows temp folder (%Temp%) and executed.
Once launched, the wiper copies C:\Windows\System32\msiexec.exe to C:\ProgramData\rdpclient.exe [VirusTotal] and patches it so that it also contains the Azov wiper. Additionally, the wiper can be configured to launch when Windows starts using the following registry entry.
"Bandera" = "C:\ProgramData\rdpclient.exe"
The wiper then scans all drives on the computer and encrypts every file that does not have the .ini, .dll, or .EXE extension.
When encrypting files, it will append the .azov file extension to the names of encrypted files. For example, 1.doc is encrypted and renamed to 1.doc.azov as shown below.
In each folder scanned for files, the wiper will create text files named RESTORE_FILES.txt that contain a message from the threat actor, as mentioned earlier in the article.
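The behaviour described above gives a defender a small set of host indicators to check. The following triage script is an added example written for this article, not code from BleepingComputer or from the malware analysis: it walks a directory tree for .azov files and RESTORE_FILES.txt notes, compares the hash of the dropped rdpclient.exe copy against msiexec.exe (a patched copy no longer matches), and reads the "Bandera" Run value. The function names are hypothetical, and because the article gives the value name but not its key, the HKCU Run key is an assumption.

```python
import hashlib
import sys
from pathlib import Path

# Indicators taken from the article: ".azov" suffix on encrypted files, the
# RESTORE_FILES.txt note in every scanned folder, and the Run value "Bandera".
ENCRYPTED_SUFFIX = ".azov"
NOTE_NAME = "RESTORE_FILES.txt"
RUN_VALUE_NAME = "Bandera"

def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_tree(root):
    """Collect encrypted files and ransom notes under a directory tree."""
    found = {"encrypted": [], "notes": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == NOTE_NAME:
            found["notes"].append(str(path))
        elif path.suffix.lower() == ENCRYPTED_SUFFIX:
            found["encrypted"].append(str(path))
    return found

def copy_is_patched(copy_path, original_path):
    """True if the dropped copy's hash differs from the binary it was cloned from."""
    # The wiper copies msiexec.exe to C:\ProgramData\rdpclient.exe and patches it,
    # so a copy that is no longer byte-identical to msiexec.exe deserves a look.
    copy_path, original_path = Path(copy_path), Path(original_path)
    if not (copy_path.is_file() and original_path.is_file()):
        return None  # nothing to compare
    return sha256_of(copy_path) != sha256_of(original_path)

def run_value_data(value_name=RUN_VALUE_NAME):
    """Windows only: data of the Run value, or None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    # Assumption: the article names the value but not its key; HKCU\...\Run is checked.
    key = r"Software\Microsoft\Windows\CurrentVersion\Run"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as k:
            return winreg.QueryValueEx(k, value_name)[0]
    except OSError:
        return None
```

On a live host, call `scan_tree` on each drive root, `copy_is_patched(r"C:\ProgramData\rdpclient.exe", r"C:\Windows\System32\msiexec.exe")`, and `run_value_data()`; any hit is a reason to treat the machine as compromised and to rotate credentials as the article advises.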
A previous version of the wiper found by MalwareHunterTeam used a different ransom note with a much darker message.
While researchers will analyze the ransomware for encryption weaknesses, at this stage it should be considered destructive, as there is no way to contact the threat actors and recover decryption keys.
We will update this article if a method is discovered to recover files for free.
However, if this data eraser has encrypted your data, you have probably also been infected with other malware, such as information-stealing Trojans.
Therefore, you should immediately change passwords to your online accounts, especially those of a sensitive nature, such as online banking, password managers, and email accounts.