Azov ransomware, a newcomer to the malware market, is being propagated via pirated software, key generators, and adware bundles, in an attempt to frame security researchers by claiming they are behind the attack.
The ransom note, named RESTORE_FILES.txt, appears to be politically motivated to push western nations into assisting Ukraine in their war against Russia and claims to have encrypted the file in protest of the seizure of Crimea.
The note falsely claims on Twitter that security researcher Hasherazade designed the data wiper, with the help of Vitali Kremez, Michael Gillespie, Lawrence Abrams, MalwareHunterTeam and also asks victims to contact the researchers for the recovery of the files.
According to Lawrence Abrams of BleepingComputer, none of the researchers mentioned in the ransom note are responsible for the attack nor do they have the decryption keys to free the files locked up by the data wiper.
Furthermore, the note does not include any contact details for the original author meaning there’s currently no way of retrieving from an Azov infection and hence the ransomware should be treated as a data wiper for the moment.
Modus operandi of Azov wiper
In a new campaign started over the past two days, a hacker reportedly purchased installs via the SmokeLoader malware botnet, normally propagated through websites offering pirated content including game mods, cheats, and key generators, to deliver the data wiper.
Additionally, SmokeLoader is also bundling other malware with the data wiper, including the RedLine Stealer info-stealing malware and the STOP ransomware. There have been cases where victims were first attacked by Azov and then STOP ransomware causing double encryption of their files, Bleeping Computer reported.
To mitigate the risks, users should immediately change the passwords on their online accounts, especially those sensitive in nature, such as online banking, password managers, and email accounts.
