Azov ransomware still targeting organizations around the world

November 8, 2022

The Azov ransomware, whose operators previously tried to frame security researchers for its operations, is still widely used around the world and has acquired a reputation as a data wiper that intentionally destroys victims' data and infects other programs.

Azov's authors use SmokeLoader to spread the malware, which can arrive in the form of pirated copies of software or games. Once installed, the malware corrupts the system's data and leaves a ransom note that names a group of security researchers as the gang behind it.

Azov overwrites the contents of a file, corrupting data in alternating 666-byte chunks. This renders the entire file useless even though half of its content remains intact. The use of the number 666, which is associated with the biblical Devil, in the data corruption procedure demonstrates the threat actor's malicious intent.
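For responders triaging suspect files, the alternating 666-byte pattern can be checked chunk by chunk. The following is an added example, not code from this article or its sources; it assumes the overwritten chunks hold random-looking (high-entropy) bytes, and the function names, threshold and sample data are constructed for illustration.

```python
import math
import random
from collections import Counter

CHUNK = 666  # chunk size reported in the article


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    counts = Counter(data)
    return -sum(n / len(data) * math.log2(n / len(data)) for n in counts.values())


def overwritten_flags(blob: bytes, threshold: float = 7.0) -> list:
    """One flag per full 666-byte chunk: True if it looks like random fill.

    Assumption: overwritten chunks are high-entropy. The trailing partial
    chunk is skipped, because a short run cannot reach the threshold even
    when it is random and would be misread as intact.
    """
    full = len(blob) - len(blob) % CHUNK
    return [entropy(blob[i:i + CHUNK]) >= threshold for i in range(0, full, CHUNK)]


def triage(blob: bytes) -> dict:
    """Report whether chunks alternate and which byte ranges look untouched."""
    flags = overwritten_flags(blob)
    alternating = len(flags) >= 4 and all(a != b for a, b in zip(flags, flags[1:]))
    intact = [(i * CHUNK, (i + 1) * CHUNK) for i, hit in enumerate(flags) if not hit]
    return {"chunks": len(flags), "alternating": alternating,
            "intact_ranges": intact if alternating else []}


def constructed_samples():
    """Constructed data: a plain-text log, and a copy with alternate chunks randomised."""
    rng = random.Random(666)
    clean = b"".join(b"%05d,host-%03d,login ok\n" % (i, i % 200) for i in range(200))
    damaged = bytearray(clean)
    for start in range(0, len(damaged) - CHUNK + 1, 2 * CHUNK):
        damaged[start:start + CHUNK] = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    return clean, bytes(damaged)


if __name__ == "__main__":
    clean, damaged = constructed_samples()
    print("clean  :", triage(clean))
    print("damaged:", triage(damaged))
```

Files that are already compressed or encrypted are high-entropy throughout, so every chunk is flagged and the result is inconclusive rather than a match; the check is only useful on formats with low-entropy content such as text, logs or uncompressed documents.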

The malware is also said to open a “backdoor” that allows other 64-bit executables on the vulnerable Windows device to run. This path can be used to further destroy the system if desired.

When the malware backdoors an executable file, it injects code that causes the data wiper to start when that seemingly harmless executable is launched.

While it is unclear why the threat actor spends money distributing a data wiper, researchers warn that there is currently no cure for the wiper. To avoid infection, users should avoid cracked software and pirated copies of any files downloaded from the internet.

The sources for this piece include an article in BleepingComputer.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
