Workings of Destructive Azov Ransomware Revealed

Cybersecurity researchers have revealed the inner workings of the destructive Azov ransomware. The malware is deliberately designed to corrupt data and “inflict impeccable damage” on compromised systems.

The malware has been distributed through other malware loaders such as SmokeLoader. Check Point described it as an “effective, fast, and unfortunately unrecoverable data wiper,” but few details have been revealed about its origins, which makes it a concerning cybersecurity issue.

The wiper routine overwrites a file’s contents with random noise in alternating 666-byte chunks, leaving the chunks in between untouched. This is the intermittent-encryption pattern that ransomware operators increasingly use to evade detection and process victims’ files faster; in Azov it is applied purely destructively, since nothing is ever decrypted and the damaged files cannot be recovered.

According to threat researcher Jiří Vinopal, “One thing that sets Azov apart from your garden-variety ransomware is its modification of certain 64-bit executables to execute its own code. The modification of executables is done using polymorphic code, so as not to be potentially foiled by static signatures.”
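The alternating-chunk overwrite described above leaves a recognisable footprint: every other 666-byte run of a file has the entropy of random data while the runs between them still look like the original content. The following script is an added forensic example written for this page; it is not Check Point’s or Vinopal’s code and not part of the malware. It constructs a low-entropy sample file in memory, simulates the alternating overwrite on that buffer (the `simulate_alternating_overwrite` helper is an assumption-based stand-in for the real routine, and it tries both possible phases because the page does not say whether the first 666 bytes are overwritten or skipped), and then applies a per-chunk entropy test that flags the pattern. The 6.5/5.5 bit-per-byte thresholds are assumptions chosen for text-like originals.

```python
"""Heuristic check for files overwritten in alternating 666-byte chunks.

Added example for this page; not the malware's code and not vendor code.
The chunk size (666 bytes) comes from the page; the entropy thresholds and
the in-memory overwrite simulator are assumptions made for illustration.
"""
import math
import random
from collections import Counter
from typing import List, Optional

CHUNK = 666  # alternating overwritten / intact run length described on the page


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a buffer (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def simulate_alternating_overwrite(original: bytes, rng: random.Random,
                                   overwrite_first: bool = True) -> bytes:
    """Constructed stand-in for the wiper: replace every other CHUNK-sized run
    of an in-memory buffer with random bytes. Which run goes first is an
    assumption, so it is a parameter. Operates only on the given bytes."""
    out = bytearray(original)
    for idx, off in enumerate(range(0, len(out), CHUNK)):
        if (idx % 2 == 0) == overwrite_first:
            end = min(off + CHUNK, len(out))
            out[off:end] = bytes(rng.getrandbits(8) for _ in range(end - off))
    return bytes(out)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> List[float]:
    """Entropy of each full chunk; a short trailing chunk is dropped because
    its entropy estimate is unreliable."""
    full = len(data) - (len(data) % chunk)
    return [shannon_entropy(data[off:off + chunk]) for off in range(0, full, chunk)]


def detect_alternating_wipe(data: bytes, chunk: int = CHUNK, high: float = 6.5,
                            low: float = 5.5, min_chunks: int = 4) -> Optional[int]:
    """Return the phase (0 = first chunk overwritten, 1 = second chunk
    overwritten) if the buffer shows strictly alternating high/low entropy
    runs, else None. Uniformly random data (a fully encrypted file) and
    ordinary low-entropy data both return None, so the check distinguishes
    the intermittent pattern from conventional full-file encryption. Caveat:
    originals that are already high-entropy (archives, media, encrypted
    containers) cannot be classified this way."""
    ents = chunk_entropies(data, chunk)
    if len(ents) < min_chunks:
        return None
    for phase in (0, 1):
        if all((e >= high) if (i % 2 == phase) else (e <= low)
               for i, e in enumerate(ents)):
            return phase
    return None


# Constructed sample: a repetitive, low-entropy "document" of 9000 bytes.
SAMPLE_TEXT = b"Quarterly report: revenue figures and notes.\n" * 200


def demo() -> dict:
    """Run the check over the clean sample, both simulated wipe phases, and a
    fully random buffer; returns the verdicts for inspection."""
    rng = random.Random(7)  # fixed seed so the demo is reproducible
    wiped0 = simulate_alternating_overwrite(SAMPLE_TEXT, rng, overwrite_first=True)
    wiped1 = simulate_alternating_overwrite(SAMPLE_TEXT, rng, overwrite_first=False)
    fully_random = bytes(rng.getrandbits(8) for _ in range(len(SAMPLE_TEXT)))
    return {
        "clean": detect_alternating_wipe(SAMPLE_TEXT),
        "wiped_phase0": detect_alternating_wipe(wiped0),
        "wiped_phase1": detect_alternating_wipe(wiped1),
        "fully_random": detect_alternating_wipe(fully_random),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {'alternating wipe, phase ' + str(verdict) if verdict is not None else 'no pattern'}")
```

To apply this to real evidence, read a suspect file with `open(path, "rb").read()` and pass the bytes to `detect_alternating_wipe`; a hit on many files in one directory tree, combined with the ransom note the page mentions, is a stronger indicator than any single file.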

Azov presents itself as ransomware: it corrupts files on infected computers and demands a ransom, but because the overwritten data is unrecoverable, no payment can restore them. It also includes a logic bomb – a set of conditions that must be met before the malicious functions activate – which gates both the wiping routine and the backdooring of other 64-bit executables.

“When first encountered, the Azov sample was considered to be skidsware, and not much effort was given to dissecting it,” Vinopal noted. “However, when probed into the details, one can find very advanced techniques — manually crafted assembly of the payloads and executables, injecting payloads into executables in order to backdoor them, and several anti-analysis tricks usually reserved for high-profile books or brand-name cybercrime tools.”

The findings come amid a rise in destructive wiper attacks, which include WhisperGate, HermeticWiper, AcidRain, IsaacWiper, and CaddyWiper.

Security company ESET has also reported another wiper, dubbed Fantasy, which was reportedly spread through a supply chain attack on a software company in Israel. ESET has attributed the malware to the group known as Agrius.
