Analysis: Azov Ransomware is a Wiper, not Ransomware
Check Point Research (CPR) releases the first technical analysis of Azov ransomware, proving it to be an advanced wiper and not ransomware. The malware is intricately designed to overwrite files to an unrecognizable point and destroy the compromised system it runs on entirely.
- CPR sees 17,000 Azov-related samples
- Malware is capable of modifying certain 64-bit executables to execute its own code
- CPR identifies two versions of “Azov ransomware”
Check Point Research is releasing its analysis of “Azov ransomware”, proving it to be an advanced wiper and not ransomware. The malware is capable of overwriting files and destroying the compromised system it executes on.
In October, a threat actor began distributing ‘Azov Ransomware’ through cracks and pirated software that pretended to encrypt victims’ files.
CPR sees over 17,000 Azov-related samples submitted to VirusTotal.
- Capable of of modifying certain 64-bit executables to execute its own code
- Seen in two different versions, one older and one slightly newer
- Newer version uses a different ransom note, as well as a different file extension for destroyed files
- Uses SmokeLoader botnet and trojanized programs to spread
- Logic bomb” set to detonate at a certain time
Eli Smadja, Head of Research at Check Point Software says, “Azov ransomware is not ransomware. It’s actually a very advanced and well written wiper, delicately designed to destroy the compromised system it runs on. We have conducted the first deep analysis of the malware, proving its true wiper identity. One thing that sets Azov apart from your garden-variety wipers is its modification of certain 64-bit executables to execute its own code.The modification of executables is done using polymorphic code, so as not to be potentially foiled by static signatures. The malware uses the SmokeLoader botnet and trojanized programs to spread. This is one of the more serious malware to beware of, as it is capable of making the system and files unrecoverable.”
- Backup your data
- Keep your patches up-to-date
- Strengthen your authentication