Ransomware - Azov

Azov
Decryptor Available: No
Description

This ransomware is probably classified as such only because it drops a ransom note. There are two versions of Azov, and neither ransom note indicates that a ransom can be paid to decrypt files. Reinforcing the point, no communication method is provided, and the files are not encrypted at all: they are overwritten in 666-byte intermittent chunks, which cannot be reversed. Azov is a wiper and makes no pretence of being ransomware beyond the name of its note file, RESTORE_FILES.txt. The contents of the note attempt to pin security researcher Hasherezade as the operator, and the note also tells victims to contact other security researchers on Twitter; none of them had any part in this.

Whatever the ransom note says, the wiper was built to destroy any system it managed to infect. Upon infection, it attempts to spread by injecting itself into legitimate 64-bit executables, mainly msiexec.exe. Researchers at Check Point Research have found over 17,000 infected executables uploaded to VirusTotal, and that figure is certainly not the full extent of the infections.

Ransomware Type: Wiper
First Seen:
Last Seen:
Extortion Types: Pseudo-Extortion
Encryption Type: Other
Additional Encryption: 666 bytes intermittently written
File Extension: <file name>.azov
Ransom Note Name: RESTORE_FILES.txt
Samples (SHA-256):
650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e
b102ed1018de0b7faea37ca86f27ba3025c0c70f28417ac3e9ef09d32617f801