Azov Ransomware is a wiper, not ransomware

Spread the love

New Delhi: Check Point Research (CPR) released its first technical analysis of Azov ransomware, proving it to be an advanced wiper and not ransomware.

Azov ransomware – a malware intricately designed to overwrite files to an unrecognisable point and destroy the compromised system it runs on entirely, as per Check Point Research’s technical analysis.

  • CPR sees 17,000 Azov-related samples
  • Malware is capable of modifying certain 64-bit executables to execute its own code
  • CPR identifies two versions of “Azov ransomware”

Azov ransomware is an advanced wiper malware and not ransomware, capable of overwriting files and destroying the compromised system it executes on.
 
In October, a threat actor began distributing ‘Azov Ransomware’ through cracks and pirated software that pretended to encrypt victims’ files.

“Azov ransomware is not ransomware. It’s actually a very advanced and well written wiper, delicately designed to destroy the compromised system it runs on,” said Eli Smadja, Head of Research – Check Point Software

“We have conducted the first deep analysis of the malware, proving its true wiper identity. One thing that sets Azov apart from your garden-variety wipers is its modification of certain 64-bit executables to execute its own code,” added Smadja.

“The modification of executables is done using polymorphic code, so as not to be potentially foiled by static signatures. The malware uses the SmokeLoader botnet and trojanised programs to spread,” Smadja explained how this wiper malware has been programmed to be spared.

This is one of the more serious malware to beware of, as it is capable of making the system and files unrecoverable., according to Smadja.

CPR claimed it saw over 17,000 Azov-related samples submitted to VirusTotal. Regarding this new malware, the analysis has listed down key details.
 
Wiper details:

  • Capable of modifying certain 64-bit executables to execute its own code
  • Seen in two different versions, one older and one slightly newer
  • The newer version uses a different ransom note, as well as a different file extension for destroyed files
  • Uses SmokeLoader botnet and trojanised programs to spread
  • Logic bomb” set to detonate at a certain time

Leave a Reply

Your email address will not be published. Required fields are marked *