It has "ransomware" in its name, but it is a data wiper. Named Azov Ransomware, this new wiper attempts to frame well-known security researchers in its attacks.
Diving into details
- Azov Ransomware falsely claims that a security researcher known as hasherezade created it.
- The data wiper is being propagated via pirated software, adware bundles, and key generators.
- The ransom note asks victims to contact some well-known researchers on Twitter, claiming that they were part of the operation.
- Researchers and organizations named in the note include MalwareHunterTeam, BleepingComputer, Lawrence Abrams, Michael Gillespie, and Vitali Kremez.
About Azov Ransomware
- The data wiper takes its name from the Ukrainian Azov Regiment. The campaign has been active for the last two days.
- The attacker reportedly bought installs through SmokeLoader to deploy Azov Ransomware. Alongside the wiper, SmokeLoader delivers RedLine Stealer and STOP ransomware.
- The data wiper scans all of the computer's drives and encrypts every file that does not have the .exe, .dll, or .ini extension.
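The behaviour described above (a sweep across every drive that rewrites everything except .exe, .dll and .ini files, with no key ever offered) leaves a recognisable footprint on an endpoint: a burst of high-entropy writes to many file types in many directories within a short time. The script below is an added illustration of that detection heuristic; it is not code from this article, from BleepingComputer, or from any analysis of the Azov sample. The file-write events it processes are constructed, the 4096-byte pseudo-random buffer stands in for encrypted output, and the window size, file count, directory count and entropy thresholds are assumed values that a real deployment would tune against its own baseline.

```python
import math
import random
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Extensions the report says Azov leaves untouched; every other file type is rewritten.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".ini"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_candidate_write(path: str, content: bytes, min_entropy: float) -> bool:
    """A write matches the wiper's pattern when the file type is one it would
    encrypt and the bytes written are high-entropy."""
    suffix = PureWindowsPath(path).suffix.lower()
    if suffix in SKIPPED_EXTENSIONS:
        return False
    return shannon_entropy(content) >= min_entropy


def detect_mass_encryption(events, window_seconds=60, min_files=20, min_dirs=5, min_entropy=7.0):
    """events: iterable of (timestamp_seconds, path, sample_of_written_bytes).
    Groups candidate writes into fixed time windows and flags a window when many
    high-entropy writes hit encryptable file types across many directories.
    Returns a list of (window_start, file_count, directory_count) tuples."""
    buckets = defaultdict(list)
    for ts, path, content in events:
        if is_candidate_write(path, content, min_entropy):
            buckets[int(ts // window_seconds) * window_seconds].append(path)
    alerts = []
    for window_start in sorted(buckets):
        paths = buckets[window_start]
        dirs = {str(PureWindowsPath(p).parent).lower() for p in paths}
        if len(paths) >= min_files and len(dirs) >= min_dirs:
            alerts.append((window_start, len(paths), len(dirs)))
    return alerts


def build_sample_events():
    """Constructed file-write events for demonstration; not captured from a real infection."""
    rng = random.Random(1)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for encrypted output
    log_text = b"2022-11-01 10:00:00 service heartbeat ok\r\n" * 100  # ordinary low-entropy write
    folders = ["C:\\Users\\alice\\Documents", "C:\\Users\\alice\\Pictures",
               "D:\\projects\\reports", "D:\\projects\\src",
               "E:\\backup\\2022", "C:\\Users\\alice\\Desktop"]
    events = []
    # 24 ciphertext writes to user files spread over six folders within one minute
    for i in range(24):
        events.append((i, f"{folders[i % len(folders)]}\\file{i}.docx", ciphertext))
    # High-entropy writes to the extensions the wiper skips: must not count toward an alert
    events.append((25, "C:\\Program Files\\app\\app.exe", ciphertext))
    events.append((26, "C:\\Windows\\System32\\helper.dll", ciphertext))
    events.append((27, "C:\\Windows\\win.ini", ciphertext))
    # Routine service logging a few minutes later: low entropy, a single directory
    for i in range(30):
        events.append((300 + i, "C:\\ProgramData\\svc\\service.log", log_text))
    return events


if __name__ == "__main__":
    for window_start, files, dirs in detect_mass_encryption(build_sample_events()):
        print(f"window starting t={window_start}s: {files} high-entropy writes across {dirs} directories")
```

Only the first window trips the detector; the .exe, .dll and .ini writes are ignored exactly as the wiper ignores those files, and the service log never clears the entropy bar. In practice the event stream would come from an EDR or Sysmon file-create feed, and sampling the first few kilobytes of each write is enough to separate ciphertext from documents without reading whole files.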
Why this matters
- The threat actors claim they are doing this as a protest against the seizure of Crimea, but BleepingComputer is aware of a Ukrainian victim.
- The victims have already started contacting the researchers for help with decrypting the files.
- Furthermore, there is no way for victims to contact the threat actors. Azov Ransomware should therefore be treated as a destructive data wiper, not as ransomware.
The bottom line
While researchers are analyzing Azov Ransomware for weaknesses in its encryption, at this point it is destructive and no decryptor is available. Moreover, researchers warn that if a system is infected with this data wiper, it likely also hosts other info-stealers.