Azov ransomware continues to be distributed worldwide. Although it has been dubbed ransomware, the malware is actually a data wiper that destroys files 666 bytes at a time. It is being spread through the SmokeLoader botnet, which is commonly found in pirated software. When a victim is infected, the ransom note left behind includes no contact information. Instead, the note contains details about security researchers and infosec journalists, in an apparent attempt by the threat group to frame or harass these security industry figures. Researchers at Check Point reversed the Azov wiper and found that their sample would lie dormant until October 27th, 2022, at 10:14:30 AM UTC, and would then begin to corrupt all files on disk, 666 bytes at a time. The wiper also infects, or "backdoors", other 64-bit executables on the Windows device, so that the wiper launches whenever one of these seemingly harmless executables is run.
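For triage after a suspected infection, the 666-byte corruption described above can be looked for directly. This added example (not from the original page or from Check Point's tooling) measures Shannon entropy per 666-byte block and flags data where it alternates between high and low. It assumes the wiper overwrites every other 666-byte block with random data, a layout the page does not spell out, and the thresholds and sample data are constructed.

```python
import math
import random
from collections import Counter

BLOCK = 666  # corruption block size reported on the page

def block_entropy(chunk: bytes) -> float:
    """Shannon entropy of one block, in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def stripe_fraction(data: bytes, block: int = BLOCK, gap: float = 1.5) -> float:
    """Fraction of consecutive block-to-block entropy changes that are large
    (> gap bits/byte, an assumed threshold) and flip direction each time."""
    ents = [block_entropy(data[i:i + block])
            for i in range(0, len(data) - block + 1, block)]  # full blocks only
    diffs = [b - a for a, b in zip(ents, ents[1:])]
    if len(diffs) < 4:  # too few blocks to call it a pattern
        return 0.0
    hits = sum(1 for prev, cur in zip(diffs, diffs[1:])
               if abs(prev) > gap and abs(cur) > gap and prev * cur < 0)
    return hits / (len(diffs) - 1)

def looks_striped(data: bytes, threshold: float = 0.9) -> bool:
    """True when nearly all blocks alternate between random-looking and normal."""
    return stripe_fraction(data) >= threshold

def constructed_samples() -> dict:
    """Constructed in-memory test data: a clean log, the same log with every
    other 666-byte block replaced by random bytes, and pure random bytes."""
    rng = random.Random(0)
    clean = b"".join(b"2022-10-27 10:14:%02d svc[%d]: heartbeat ok\n" % (i % 60, i)
                     for i in range(400))
    striped = bytearray(clean)
    for off in range(0, len(clean), 2 * BLOCK):
        n = min(BLOCK, len(clean) - off)
        striped[off:off + n] = bytes(rng.getrandbits(8) for _ in range(n))
    noise = bytes(rng.getrandbits(8) for _ in range(len(clean)))
    return {"clean": clean, "striped": bytes(striped), "noise": noise}

if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(f"{name:8s} stripe_fraction={stripe_fraction(blob):.2f} "
              f"flagged={looks_striped(blob)}")
```

The heuristic only helps for files whose original content is low-entropy (text, logs, many documents); compressed or encrypted originals look uniformly random whether or not they were damaged.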