A novel data wiper malware that emerged last month, in October, framed cybersecurity researchers as the people behind the attack. Further analysis of the Azov data wiper by Check Point security researcher Jiří Vinopal has now confirmed that it is a destructive data wiper that overwrites data 666 bytes at a time.
The ransom note included in the ransomware seemed to be politically motivated to push western countries into helping Ukraine in its war against Russia. The note also claimed to have encrypted the files in protest of the seizure of Crimea and framed prominent cybersecurity researchers and security news website BleepingComputer as responsible for the attack, asking the victim to contact them on Twitter to recover their files.
As reported by BleepingComputer, Vinopal’s analysis not only confirms that the malware is in fact a malicious data wiper, but also that the affected files are unrecoverable. The malware works by overwriting a file’s contents with uninitialised data in alternating chunks of 666 bytes, corrupting the file beyond repair.
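The alternating 666-byte corruption described above can be checked for during incident triage by comparing a suspect file against a known-good copy (for example, from a backup). The following is an added example written for this article, not code from the article, the researcher or the malware analysis; the sample data is constructed, and the handling of a trailing partial chunk is an assumption since the article does not describe it.

```python
# Chunk-level comparison of a suspect file against a known-good copy, to check
# whether the damage follows the alternating 666-byte pattern reported for Azov.
CHUNK = 666  # chunk size reported in the analysis


def damaged_chunks(reference: bytes, suspect: bytes, chunk: int = CHUNK) -> list:
    """Indices of full-size chunks that differ between reference and suspect.
    A trailing partial chunk is ignored (assumption: the article does not say
    how the wiper treats the tail of a file)."""
    full = min(len(reference), len(suspect)) // chunk
    return [i for i in range(full)
            if reference[i * chunk:(i + 1) * chunk] != suspect[i * chunk:(i + 1) * chunk]]


def matches_alternating_pattern(reference: bytes, suspect: bytes,
                                chunk: int = CHUNK, min_chunks: int = 4) -> bool:
    """True when exactly every second full chunk differs, in either phase.
    Wiped chunks hold uninitialised memory, so their content is unpredictable;
    comparing against a backup is more reliable than judging entropy alone."""
    full = min(len(reference), len(suspect)) // chunk
    if full < min_chunks:
        return False  # too short to tell a pattern from unrelated damage
    bad = set(damaged_chunks(reference, suspect, chunk))
    return any(bad == set(range(phase, full, 2)) for phase in (0, 1))


def triage(reference: bytes, suspect: bytes, chunk: int = CHUNK) -> dict:
    """Summary a responder can log for one reference/suspect file pair."""
    bad = damaged_chunks(reference, suspect, chunk)
    return {
        "full_chunks": min(len(reference), len(suspect)) // chunk,
        "damaged_chunks": len(bad),
        "alternating_666_pattern": matches_alternating_pattern(reference, suspect, chunk),
    }


# Constructed sample data (not a real victim file): a known-good document of
# 10,000 bytes and a copy in which every odd-numbered 666-byte chunk has been
# replaced with filler bytes standing in for uninitialised memory.
REFERENCE = b"".join(b"row %05d: figures intact\n" % i for i in range(400))
_filler = bytes((i * 37 + 11) % 256 for i in range(CHUNK))
_buf = bytearray(REFERENCE)
for _i in range(1, len(REFERENCE) // CHUNK, 2):
    _buf[_i * CHUNK:(_i + 1) * CHUNK] = _filler
DAMAGED = bytes(_buf)

if __name__ == "__main__":
    print(triage(REFERENCE, DAMAGED))
```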
To inflict further damage, the data wiper backdoors any 64-bit executables found on the infected system. This means that every time an infected executable file runs, the backdoor launches the data wiper, which continues wiping files.
The only executable files left out of this backdoor process are the ones whose file paths don’t contain the following strings:
:\Windows
\ProgramData\
\cache2\entries
\Low\Content.IE5\
\User Data\Default\Cache\
Documents and Settings
\All Users
This means that even if the data wiper doesn’t run on its own, it can spring into action when a seemingly harmless executable file is launched, since Windows systems more often than not install programs in the directories listed above.
Additionally, the malware included a trigger time, causing it to stay dormant on the victim’s machine until October 27, 2022, at 10:14:30 AM UTC. Once the trigger time arrived, the data wiper automatically started destroying files, suggesting that the whole scheme was planned well ahead of time.
To make matters worse, the malware is being distributed through the Smokeloader botnet, commonly found on sites promoting cracked software and mods as well as pirated software. This means that there’s a good chance that each victim’s computer has been infected with malware other than Azov including password or information-stealing malware and Redline backdoors.
The threat actor behind the data wiper remains unknown. It’s also unclear at the moment why the threat actor is spending money to spread a data wiper with a fake message, one that neither extracts any data from the target nor demands a ransom. Theories range from cybercrime cover-ups to simply trolling the cybersecurity community.
Victims infected with the data wiper, unfortunately, can’t recover their files, and since it comes from the Smokeloader botnet, a full Windows reinstall is recommended in addition to resetting passwords for any email and bank accounts or any other accounts holding sensitive information.
For clarification, none of the security researchers mentioned in the ransom note, nor BleepingComputer, are associated with the ransomware, and they can do nothing to decrypt the files. Additionally, while the data wiper is named after Ukraine’s Azov military regiment, it’s unlikely to be affiliated with the country.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.