Azov ransomware continues to be distributed worldwide, and though it has been dubbed a ransomware, the malware is actually a data wiper that destroys files 666 bytes at a time. The malware is being shared through the Smokeloader botnet, which is commonly found in pirated software. When the victim becomes infected, the ransom note that is left behind includes no contact information. Instead, the ransom note contains details about security researchers and infosec journalists, in an apparent attempt by the threat group to frame or harass these security industry figures. Researchers at Checkpoint reversed the Azov wiper and found in their sample that the wiper would lay dormant until October 27th, 2022, at 10:14:30 AM UTC, then would begin to corrupt all files on disk, 666 Bytes at a time. The wiper will also infect or “backdoor” other 64-bit executables on the Windows device, which will cause the wiper to launch when a seemingly harmless executable is run.
Analyst Notes
Downloading software from illegitimate sources always carries a risk. In this case, the malware is being spread via pirated software. Whenever software is being downloaded, it should be from a legitimate source. As a rule of thumb, any paid software being advertised for free is highly likely to include a type of malware or adware with it. Windows Applocker and other security solutions can assist in defining an allow list for software within a secured environment that may limit attempts to download pirated software or mitigate such downloads.
https://www.bleepingcomputer.com/news/security/azov-ransomware-is-a-wiper-destroying-data-666-bytes-at-a-time/
