Chris Swagler | November 3rd, 2022

Numerous ransomware groups attempt to collect ransoms from companies in exchange for restoring their files. The malicious actors behind these attacks may or may not hold up their side of the deal; a new Azov ransomware variant, however, doesn’t bother. The Azov ransomware group developed a destructive data wiper that is being distributed heavily through pirated software, key generators, and adware bundles, and that attempts to frame security researchers by claiming they are behind the operation. Instead of requesting Bitcoin, it instructs victims to contact security researchers who it claims designed the malware; this is simply another way for ransomware groups to frame the good guys. The ransom note explains that devices were encrypted to protest the seizure of Crimea by Russia, and that Western countries aren’t doing enough to help Ukraine fight Russia.

Additionally, the ransom note tells victims to contact security researchers to recover their files, falsely claiming the researchers are part of the ransomware operation. The security researchers are making it very clear that those listed in the ransom note aren’t associated with the Azov ransomware group, and that the malware needs to be treated as a destructive wiper instead of ransomware. Even though the threat actors claim the attack supports Ukraine, researchers already know of a Ukrainian organization impacted by the data wiper. It’s not the first time that threat actors have framed security researchers with their malware: in 2016 the Apocalypse ransomware operation renamed one variant ‘Fabiansomware’ after Fabian Wosar, and in 2020 a Maze ransomware developer released an MBR locker claiming it was made by Vitali Kremez.

Even though Azov has certain ransomware characteristics and portrays itself as such, it’s more accurately described as a data wiper. The updated malware began emerging on systems after the threat actors purchased installs through the SmokeLoader malware. SmokeLoader is a malware botnet from which other threat actors can rent or purchase “installs” to distribute their own malware on infected devices. People frequently pick up SmokeLoader from shady websites that sell fake key generators, software cracks, and game modifications and cheats. The botnet can be used to spread various malicious software, including ransomware. SmokeLoader began delivering the Azov ransomware to victims along with the RedLine Stealer information-stealing malware and the STOP ransomware. As a result, some systems have been double-encrypted, first by Azov and then by the STOP ransomware.

When the malware is installed on a machine, it normally launches itself from a temporary directory and adds Windows registry keys. The wiper copies “C:\Windows\System32\msiexec.exe” to “C:\ProgramData\rdpclient.exe” and patches that copy to contain the Azov wiper. The wiper can also be configured to launch when Windows starts using the following registry value: [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Bandera” = “C:\ProgramData\rdpclient.exe”. The executable searches all of the computer’s drives for files without .ini, .exe, or .dll extensions. When it comes across anything else, including documents, images, or videos, it encrypts them and appends the .azov extension to the file name.

Azov creates a text document named “RESTORE FILE.txt” in each folder that contains encrypted files. Normally this is where a ransomware group would demand a ransom payment to decrypt the files. However, this note claims to have been produced by a security researcher and malware analyst, whom victims are advised to contact via Twitter. Malware authors frequently attempt to frame researchers; the threat actors’ intention is to implicate these individuals while causing havoc online. It’s possible that someone will discover a means to decrypt the Azov-encrypted files. Victims should change the passwords on their online accounts immediately, especially those holding sensitive information, including online banking, password managers, and email accounts.
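As an added defender-side example (not code from the article or from SpearTip), the following Python script checks a host snapshot for the artifacts described in the two paragraphs above: the Run value launching C:\ProgramData\rdpclient.exe, files carrying the .azov extension, files re-encrypted by a second ransomware after Azov, and the RESTORE FILE.txt note. The .reg text and the files it scans are constructed samples, and the .stopx extension is a placeholder assumption rather than a real STOP indicator.

```python
import re
import tempfile
from pathlib import Path
# Indicators from the write-up; all sample data below is constructed for the demo
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_BINARY = r"c:\programdata\rdpclient.exe"
WIPED_EXT = ".azov"
NOTE_NAME = "RESTORE FILE.txt"

def find_run_persistence(reg_export: str) -> list:
    """Parse .reg-export text; return (value name, command) pairs in the Run key that launch the dropped binary."""
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()  # section header names the key
        elif current_key == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                cmd = m.group(2).replace("\\\\", "\\")  # .reg exports double every backslash
                if DROPPED_BINARY in cmd.lower():
                    hits.append((m.group(1), cmd))
    return hits

def triage_tree(root: str) -> dict:
    """Walk a drive snapshot and bucket wiper artifacts: .azov files, double-encrypted files, ransom notes."""
    out = {"azov": [], "double_encrypted": [], "notes": []}
    for p in filter(Path.is_file, Path(root).rglob("*")):
        suffixes = [s.lower() for s in p.suffixes]
        if p.name == NOTE_NAME:
            out["notes"].append(str(p))
        elif suffixes and suffixes[-1] == WIPED_EXT:
            out["azov"].append(str(p))
        elif WIPED_EXT in suffixes:  # .azov followed by another extension: re-encrypted by STOP afterwards
            out["double_encrypted"].append(str(p))
    return out

def build_sample(root: str) -> str:
    """Write a constructed post-infection folder and return a constructed Run-key export."""
    # ".stopx" stands in for whatever extension STOP appended; it is a placeholder, not a real indicator
    for f in ("report.docx.azov", "photo.jpg.azov", "config.ini", "notes.txt.azov.stopx", NOTE_NAME):
        Path(root, f).write_bytes(b"constructed")
    return "\n".join([f"[{RUN_KEY}]",
                      r'"Bandera"="C:\\ProgramData\\rdpclient.exe"',
                      r'"OneDrive"="C:\\Users\\u\\AppData\\Local\\OneDrive.exe"'])

def run_demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        return find_run_persistence(build_sample(tmp)), triage_tree(tmp)
```

On a real host, feed `find_run_persistence` the output of `reg export` for the Run key and point `triage_tree` at a mounted drive image; the .ini/.exe/.dll files the wiper skips fall into no bucket.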

With ransomware groups implementing new tactics and techniques to divert attention from themselves, including framing security researchers for cybercrime, it’s important for companies to always remain alert to the current threat landscape and never trust threat actors, because they will always deceive their victims. SpearTip is the trusted provider of breach coaches and specializes in incident response capabilities and handling breaches with one of the fastest response times in the industry. Our certified engineers are continuously working at our 24/7/365 Security Operations Center monitoring companies’ data networks for potential ransomware threats, including the new Azov ransomware. Our ShadowSpear Platform, a cutting-edge integrable managed detection and response tool, uses comprehensive insights through unparalleled data normalization and visualizations to detect advanced ransomware threats.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.