Skip to content

Destructive data wiper falsely frames security researchers

  • by
  • 3 min read

A newly discovered ransomware called Azov is being heavily distributed via pirated software, key generators and adware bundles in an attempt to frame some well-known cybersecurity researchers and the security news website BleepingComputer. 

The ransom note included in the ransomware seems to be politically motivated to push western countries into helping Ukraine in their war against Russia. The note claims to have encrypted the file in protest of the seizure of Crimea and frames the aforementioned entities as responsible for the attack, asking the victim to contact them on Twitter to recover their files. 

As made clear by Lawrence Abrams of BleepingComputer, none of the Twitter accounts mentioned in the ransom note are responsible for the attack nor do they have the decryption keys to free the files locked up by the malware.

The note doesn’t contain any contact information for the original author meaning there’s currently no way of recovering from an Azov infection and hence the ransomware should be treated as a data wiper for the moment. 

Furthermore, while the ransom note claims to take this action in support of Ukraine, BleepingComputer reports at least one Ukrainian organisation being affected by the same data wiper.

In the News: Twitter Blue price hiked to $20; Verified users can lose badge if not subscribed

Blatant attempt to frame cybersecurity researchers

The campaign is relatively new and has only run for three days at the time of writing. The attacker reportedly bought installs through the SmokeLoader malware botnet, usually distributed through websites offering pirated content including game mods, cheats and key generators, to deliver the data wiper. 

Additionally, SmokeLoader is also bundling other malware with the data wiper, including the RedLine Stealer information-stealing malware and the STOP ransomware. There have been cases where victims were first attacked by Azov and then STOP ransomware causing double encryption of their files. 

The ransomware note attributing blame to security researchers. | Source: BleepingComputer

Azov scans the victim’s PC after being dropped under a random file in the Windows %TEMP% folder and encrypts every file that doesn’t end with a .ini, .dll or .exe extension. The data wiper also leaves the aforementioned ransom note in every folder it scans for files. 

Security researchers are investigating the ransomware currently, however, as mentioned before there’s no known way of decrypting files held by Azov at the moment. If you were infected, keep in mind that there’s a good chance that other malware attacked your system as well. We recommend changing sensitive online passwords as soon as the infection is discovered. 

In the News: Malware droppers installing banking trojans caught with 130,000 Play Store downloads

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: