Threat Watch

Researchers Release More Details about Azov as a Polymorphic Wiper

On Monday researchers from Check Point Research released a detailed report on their dissection of Azov ransomware. As reported in November, the malware operates as a wiper, overwriting every other 666-byte block with random data for the first 4 gigabytes in a file, and in older versions attempted to masquerade as security researchers via the “ransom” note. The malware was configured as a logic bomb, set to activate on October 27th 2022 at 10:14:30 UTC. Check Point Research reports that over 17,000 samples have been uploaded to VirusTotal, due in part to the newly discovered polymorphic nature of the malware. It uses its polymorphic code to modify 64-bit executables in an attempt to avoid signature-based detection. Newer versions of the ransomware have given up the ransom note pretending to be security researchers and instead adopts a more sinister tone.

Reverse engineering analysis suggests that the malware was written entirely in Assembly, implying that development of the malware was performed by a more advanced, experienced developer than initial analysis suspected. It also used anti-analysis techniques to defeat the use of software breakpoints, as well as several techniques to add confusion to the analyst performing the reverse engineering.

Our previous Threat Watch article on Azov is here:


Detection of a wiper such as this is made very difficult due to its polymorphic nature and its time-based logic trigger. It is critical for companies to maintain backups and frequently test recovery of those backups in order to help protect against the damage caused by a wiper like this. Further, companies should perform analysis on infected machines to attempt to identify when initial infection occurred to either restore to a non-infected backup or to know where to look to clean up infected backups.