Check Point security researchers recently described the Azov ransomware as an “effective, fast, and unfortunately unrecoverable data wiper,” noting that the malware seems far more focused on destroying data than on any effort to demand a ransom.
As Check Point’s Jiří Vinopal put it, “Be careful about this one… If you get infected -> System is basically dead.”
BleepingComputer’s Lawrence Abrams noted that the malware’s ransom note falsely claims it was created by Polish security researcher Hasherezade, and directs victims to reach out to her as well as BleepingComputer, Abrams, MalwareHunterTeam, Michael Gillespie, and other security researchers to recover files.
Azov is the latest evidence that ransomware developers could move away from encrypting data and instead stealing it and destroying it outright (see Data Exfiltration: Symantec Warns of Exbyte Threat as Hive Group Leaks Tata Data). While the motive for such a switch would be to force victims to pay ransom, in the case of Azov, the motive seems simply malicious.
Framing Researchers
In addition to implicating the security researchers, the malware seems designed to frame Ukraine – not only is it named after the Azov Regiment, but the ransom note claims it’s being distributed because “the west doesn’t help enough Ukraine.”
In response, Hasherezade tweeted, “To whomever it concerns: I am NOT in any ways affiliated with Azov (or any other #ransomware). It’s a common practice among cyber criminals to try to frame security researchers.”
Abrams similarly wrote, “To be clear, BleepingComputer and myself are not affiliated with ‘Azov’ ransomware or any other malware. Sadly, people have already contacted me to receive help decrypting files, including a victim in Ukraine, and we have no way of helping at this time.”
“This ransomware should be considered destructive at this time, as there is no way to contact the actual threat actors distributing the ransomware,” Abrams added.
Unclear Motive for Attacks
MalwareHunterTeam noted that the ransomware is being spread via paid botnets that are also used to spread the STOP/Djvu ransomware. They asked, “Anyway, can someone try explain why tf anyone would spend money to buy installs to get a destructor / wiper / anything you want to call this s**t, on the computers of mostly poor peoples, who just probably got lots of important data/files stolen and got a real ransomware too?”
One possible answer, they suggested, might be that “it was created to be used in some targeted cases and then mass spreading it is just a ‘decoy’ attempt.”
Check Point and Vinopal said the malware corrupts data in 666-byte chunks:
“We took a look at #Azov #Ransomware — a new destructive data wiper:
– Manually crafted in Assembly using FASM
– Multi-threaded intermittent overwriting (looping 666 bytes) of original data content
– Effective, fast, and unfortunately unrecoverable data wiper.”
If infected, there’s no way to recover encrypted files, so victims should reinstall Windows to be safe. And because the same botnet that’s distributing Azov is also distributing other malware, Abrams suggested that victims should reset all sensitive passwords as well.
Venus Ransomware Targets Healthcare
That unfortunately is not the only bad news in ransomware this week. The U.S. Department of Health and Human Services warned that Venus ransomware is targeting healthcare organizations in the U.S.
The Health Sector Cybersecurity Coordination Center (HC3) said it “is aware of at least one healthcare entity in the United States falling victim to Venus ransomware recently. The threat actors behind Venus ransomware operations are known to target publicly exposed Remote Desktop Services to encrypt Windows devices. This report provides additional information, indicators of compromise, techniques and corresponding mitigations associated with Venus ransomware.”
Healthcare ransomware attacks are particularly deadly. A recent Ponemon-Proofpoint survey found they lead to increased patient mortality in a quarter of victims.
Read next: How to Recover From a Ransomware Attack
