The expected modus operandi of ransomware is that it renders your files inaccessible in some way (typically by encrypting them) and then demands payment before the criminals hand your data back. Azov Ransomware is therefore something of a misnomer: it demands no ransom at all. Instead, it wipes victims’ data and instructs them to contact certain security researchers and journalists, framing those people as the masterminds behind the malware (h/t Bleeping Computer).
The note issued to victims of Azov Ransomware
A programmer known as @hasherezade is one of the people framed in the Azov Ransomware fiasco. In late October, the programmer took to Twitter to clear their name: “I am not in any way affiliated with Azov (or any other #ransomware). It’s a common practice among cybercriminals to try to frame security researchers.” The tweet includes the note that is issued to Azov Ransomware victims. Funnily enough, Bleeping Computer was framed as well, so the tech journalism outlet had to clear its name, too. “To be clear, BleepingComputer and myself are not affiliated with ‘Azov’ ransomware or any other malware,” Bleeping Computer Editor-in-Chief Lawrence Abrams said in a tweet. “Sadly, people have already contacted me to receive help decrypting files, including a victim in Ukraine, and we have no way of helping at this time.”
How do victims get infected with Azov Ransomware?
According to Bleeping Computer, this malware continues to be widely distributed around the world. As it turns out, people have gotten their systems infected with Azov Ransomware after downloading pirated software that masquerades as another application. The malware, according to Check Point security researcher Jiří Vinopal, is a new “destructive data wiper” designed to overwrite chunks of data in loops of 666 bytes. The number 666 is often associated with the devil, which hints that the threat actor’s intentions are less than noble. Because the data is overwritten rather than encrypted, there is no key to recover and no decryptor to wait for; affected files can only be restored from backups. To add insult to injury, Azov not only wipes data but is also capable of infecting other programs on victims’ systems. As of this writing, no one knows why the cybercriminal is targeting security researchers and tech journalists, but the most popular theory is that this threat actor is nothing more than a malicious troll.
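A practitioner triaging a suspected Azov victim wants a quick way to tell which parts of a file were overwritten. The script below is an added example, not code from the article or from Check Point, and it shows one common forensic technique: splitting a file into 666-byte blocks (the chunk size reported above) and flagging blocks whose Shannon entropy is near the 8-bit maximum, since data overwritten with random bytes looks very different from ordinary document content. The sample file and the wipe simulation are constructed here for illustration; the article only states the 666-byte loop, so the assumption that wiped chunks are random-filled and alternate with intact chunks is this example’s, not a description of the real wiper.

```python
import math
import random
from collections import Counter

# Chunk size reported for the Azov wiper (from the article).
BLOCK = 666

# Blocks at or above this many bits/byte are treated as overwritten.
# Plain text sits around 4-5 bits; random bytes in a 666-byte sample
# land around 7.7 bits. (Threshold is an assumption for this example.)
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block: int = BLOCK) -> list:
    """Entropy of each consecutive block; the last block may be partial."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def find_wiped_blocks(data: bytes, block: int = BLOCK,
                      threshold: float = HIGH_ENTROPY) -> list:
    """Indices of blocks that look overwritten with random data."""
    return [i for i, e in enumerate(block_entropies(data, block)) if e >= threshold]


def simulate_wipe(data: bytes, block: int = BLOCK, seed: int = 0) -> bytes:
    """Constructed wipe: fill every other block with seeded pseudo-random bytes.

    This alternating layout is an assumption made for the demo; the article
    does not say how the real wiper chooses which chunks to overwrite.
    """
    rng = random.Random(seed)
    buf = bytearray(data)
    for start in range(0, len(buf), 2 * block):
        end = min(start + block, len(buf))
        buf[start:end] = rng.randbytes(end - start)
    return bytes(buf)


def report(data: bytes, block: int = BLOCK) -> str:
    """Human-readable per-block summary for a buffer read from a file."""
    lines = []
    for i, e in enumerate(block_entropies(data, block)):
        flag = "WIPED?" if e >= HIGH_ENTROPY else "ok"
        lines.append(f"block {i:4d} @ {i * block:8d}: {e:5.2f} bits  {flag}")
    return "\n".join(lines)


# Constructed sample: 3600 bytes of low-entropy text, i.e. 5 full blocks
# plus a 270-byte tail. Nothing here is real victim data.
SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 80

if __name__ == "__main__":
    wiped = simulate_wipe(SAMPLE, seed=7)
    print(report(wiped))
    print("suspected wiped blocks:", find_wiped_blocks(wiped))
```

To use this on a real file, read it in binary mode (`open(path, "rb").read()`) and pass the bytes to `report` or `find_wiped_blocks`. The caveat is that entropy cannot distinguish a random overwrite from legitimately compressed or encrypted content (archives, media, already-encrypted files all score high), so treat the output as triage that points to regions worth comparing against a known-good backup, not as proof of tampering.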