A newly discovered ransomware called Azov is being heavily distributed via pirated software, key generators and adware bundles in an attempt to frame some well-known cybersecurity researchers and the security news website BleepingComputer.
The ransom note included in the ransomware seems to be politically motivated, pushing western countries to help Ukraine in its war against Russia. The note claims to have encrypted the files in protest of the seizure of Crimea and frames the aforementioned entities as responsible for the attack, asking the victim to contact them on Twitter to recover their files.
As made clear by Lawrence Abrams of BleepingComputer, none of the Twitter accounts mentioned in the ransom note are responsible for the attack nor do they have the decryption keys to free the files locked up by the malware.
The note doesn’t contain any contact information for the original author, meaning there’s currently no way of recovering from an Azov infection; hence the ransomware should be treated as a data wiper for the moment.
Furthermore, while the ransom note claims to take this action in support of Ukraine, BleepingComputer reports at least one Ukrainian organisation being affected by the same data wiper.
Blatant attempt to frame cybersecurity researchers
The campaign is relatively new and has only run for three days at the time of writing. To deliver the data wiper, the attacker reportedly bought installs through the SmokeLoader malware botnet, which is usually distributed through websites offering pirated content such as game mods, cheats and key generators.
SmokeLoader is also bundling other malware with the data wiper, including the RedLine Stealer information-stealing malware and the STOP ransomware. In some cases victims were first hit by Azov and then by STOP ransomware, leaving their files doubly encrypted.
Once dropped as a randomly named file in the Windows %TEMP% folder, Azov scans the victim’s PC and encrypts every file that doesn’t end with a .ini, .dll or .exe extension. The data wiper also leaves the aforementioned ransom note in every folder it scans for files.
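As an added defender-side example (not code from the article, nor from BleepingComputer or any researcher it names), the following Python walks a file tree and checks whether the damage matches the behaviour described above: a ransom note in every folder, .ini/.dll/.exe files untouched, and everything else rewritten. The note filename and the sample tree are assumed placeholders, since the article does not give the note's actual name.

```python
import os
import tempfile
import time
from dataclasses import dataclass, field

EXEMPT = {".ini", ".dll", ".exe"}  # extensions the article says Azov leaves alone
NOTE_NAME = "RESTORE_FILES.txt"    # placeholder: the article does not name the note file

@dataclass
class Triage:
    dirs_scanned: int = 0
    dirs_with_note: int = 0
    modified_exempt: list = field(default_factory=list)  # .ini/.dll/.exe touched since cutoff
    modified_other: list = field(default_factory=list)   # everything else touched since cutoff

    def matches_azov_pattern(self) -> bool:
        # Note in every scanned folder, exempt files untouched, other files rewritten.
        return (self.dirs_scanned > 0 and self.dirs_with_note == self.dirs_scanned
                and not self.modified_exempt and bool(self.modified_other))

def triage_tree(root: str, note_name: str, since: float) -> Triage:
    """Walk root and bucket files modified after `since` by the wiper's exemption rule."""
    t = Triage()
    for dirpath, _dirs, files in os.walk(root):
        t.dirs_scanned += 1
        t.dirs_with_note += int(note_name in files)
        for name in (n for n in files if n != note_name):
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < since:
                continue  # untouched since the cutoff: not part of the incident
            ext = os.path.splitext(name)[1].lower()
            (t.modified_exempt if ext in EXEMPT else t.modified_other).append(path)
    return t

def demo() -> Triage:
    """Build a constructed sample tree (not real malware output) and triage it."""
    base = tempfile.mkdtemp()
    since = time.time() - 3600
    os.makedirs(os.path.join(base, "docs"))
    old = since - 86400  # binaries and configs last written long before the incident
    for rel, mtime in [("report.txt", None), ("app.exe", old),
                       ("config.ini", old), ("docs/photo.jpg", None)]:
        path = os.path.join(base, rel)
        open(path, "wb").write(b"constructed")
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    for d in (base, os.path.join(base, "docs")):  # note lands in every folder scanned
        open(os.path.join(d, NOTE_NAME), "w").write("constructed ransom note")
    return triage_tree(base, NOTE_NAME, since)
```

Run against a real share, pass the note name actually observed and a cutoff just before the incident; a tree where exempt files were also rewritten points to a different family (or the STOP double encryption mentioned above).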
Security researchers are currently investigating the ransomware; however, as mentioned before, there’s no known way of decrypting files held by Azov at the moment. If you were infected, keep in mind that there’s a good chance other malware attacked your system as well. We recommend changing sensitive online passwords as soon as the infection is discovered.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.