New Azov ransomware blames security firms for its distribution

November 9, 2022
Tags: Azov Ransomware, Security Firms, Malware Distribution, Data Wiper

A new ransomware strain dubbed ‘Azov’ has been found falsely accusing security researchers of being behind its propagation. The new strain is in fact a data wiper, spread through adware bundles, key generators, and cracked software.

The ransom note left on victims’ devices states that the campaign is a protest against the seizure of the Crimean Peninsula and against Western countries not aiding Ukraine against Russia’s invasion.

Furthermore, the ransom note instructs the victim to contact several security researchers and firms, including MalwareHunterTeam, Michael Gillespie, BleepingComputer, and Vitali Kremez, supposedly to recover their encrypted files, which implies that these parties are involved in the Azov ransomware distribution.


The researchers and firms named in the note have clarified that they have been falsely attributed and, contrary to what the ransom notes claim, do not hold the Azov ransomware decryption keys.


Since victims have no way of contacting the actual threat actors, researchers believe Azov is merely a data wiper rather than a genuine ransomware strain. Some victims have already reached out to the accused researchers and firms, only to find that they cannot help.

Analysis reveals that the data wiper was named after the Ukrainian Azov Regiment. Its operators’ newest campaign began in the past few days, with new ‘installs’ bought through the SmokeLoader malware botnet, which is also being used to spread the Azov ransomware.

Researchers have seen the SmokeLoader malware propagating Azov, RedLine Stealer, and STOP ransomware. In this campaign, the operators deliver Azov and STOP simultaneously, double-encrypting the files on a victim’s computer.

Azov encrypts all of the victim’s files and appends the [.]azov extension to them. Each folder also receives a text file named RESTORE_FILES[.]txt, which victims are told to open to read the threat actors’ message on how to decrypt the files.
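The two file-system artifacts described above (the [.]azov extension on encrypted files and a RESTORE_FILES[.]txt note in each affected folder) are the kind of indicator a responder can sweep a share or backup for during triage. The following script is an added example written for this article; it is not code from the article or from any of the researchers it names. It writes the defanged indicators in plain form, builds a constructed directory tree of empty files that only mimics the names an infection leaves behind, and reports how many files carry the extension, which folders contain the note, and which folders contain encrypted files but no note (worth a second look, since a note may have been removed or another family may reuse the extension).

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up above: the extension Azov appends
# and the note it drops in every folder it touches (written undefanged).
AZOV_EXTENSION = ".azov"
AZOV_NOTE_NAME = "RESTORE_FILES.txt"


def scan_for_azov_indicators(root):
    """Walk `root` and collect Azov-style artifacts.

    Returns a dict with the number of files carrying the .azov extension,
    the sorted list of directories (relative to root) that contain a
    RESTORE_FILES.txt note, the sorted list of directories holding .azov
    files but no note, and a flag saying whether both indicators are present.
    """
    root = Path(root)
    encrypted_files = 0
    dirs_with_note = set()
    dirs_with_encrypted = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = str(Path(dirpath).relative_to(root))
        for name in filenames:
            if name == AZOV_NOTE_NAME:
                dirs_with_note.add(rel)
            elif name.lower().endswith(AZOV_EXTENSION):
                encrypted_files += 1
                dirs_with_encrypted.add(rel)
    return {
        "encrypted_files": encrypted_files,
        "dirs_with_note": sorted(dirs_with_note),
        "encrypted_without_note": sorted(dirs_with_encrypted - dirs_with_note),
        "azov_indicators_present": encrypted_files > 0 and bool(dirs_with_note),
    }


def build_sample_tree(base):
    """Create a constructed directory tree that mimics an infected share.

    This is synthetic test data, not a real sample: it only creates empty
    files whose names match what the article says Azov leaves behind.
    """
    base = Path(base)
    layout = {
        "docs": ["report.docx.azov", "budget.xlsx.azov", AZOV_NOTE_NAME],
        "docs/archive": ["old.pdf.azov", AZOV_NOTE_NAME],
        "photos": ["trip.jpg.azov"],  # note missing on purpose: flagged for triage
        "clean": ["readme.md"],  # untouched folder, should produce no hits
    }
    for subdir, names in layout.items():
        directory = base / subdir
        directory.mkdir(parents=True, exist_ok=True)
        for name in names:
            (directory / name).touch()
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_azov_indicators(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To sweep a real mount instead of the constructed tree, call scan_for_azov_indicators on that path; the scan only reads directory listings, so it is safe to run on a volume that has been taken offline for analysis.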

The Azov ransomware is considered destructive because it offers no way of recovering the encrypted files. Moreover, since the operators launched other malware strains alongside Azov, the affected computers have likely also been infected with info-stealers that exfiltrate sensitive data.

Thus, users who have been victimised must quickly change their online account passwords, as the attackers may not wait long before draining bank accounts and abusing the collected credentials.
