Security researchers around the world are getting framed with the wild emergence of Azov Ransomware, a malicious data wiper spread via third-party downloads…

Continue reading
Azov Ransomware, a newly emerged data wiper actively spreading through pirated software, key generators, & adware bundles, while falsely attributing the attack to high-profile security researchers. This includes the prominent names of Hasherazade, BleepingComputer, and lists other independent security researchers involved in the ongoing operation. RESTORE FILES.txt ransom note claims that devices have been encrypted in response to Russia's annexation of Crimea and Western nations' failure to adequately support Ukraine in its battle with Russia.

*Azov Ransomware data-wiper malware ransom note*
The ransom note instructs all the possible victims to reach out to Bleepingcomputer, Hasherazade, MalwareHunterTeam, Michael Gillespie, and Vitali Kremez in order to retrieve their files, resulting them in a belief that these twitter accounts of the security researchers are closely affiliated with the ransomware operation.
According to BleepingComputer, refuting all the claims of association with the ransomware mentioned in the ransom note are completely false and moreover misleading the victims in a malicious plot by framing security researchers for the ransom.
Additionally, the malware should be viewed as a destructive data wiper rather than ransomware since there is no method to contact the threat actors to pay a ransom. Despite the fact that the threat actors say they are doing this in favor of Ukraine, BleepingComputer has information inferring at least one Ukrainian firm was hit by this data wiper.
The malware has derived its identity from the notorious Ukrainian Azov Regiment, which has been linked to neo-Nazism in the past. After Fabian Wosar, a member of the Apocalypse ransomware operation, in 2016, one of its versions was called Fabiansomware. One of the Maze ransomware creators in 2020 developed an MBR Locker and falsely claimed that Vital Kremez created it.
Over the last two days, a new campaign has emerged, with the new devastating Azov wiper being distributed through 'installs' bought by a threat actor via the SmokeLoader malware botnet.
About two weeks ago, this began to spread. Buying installations on malware distribution networks/botnets used to propagate certain stealers, the STOP/Djvu ransomware, etc. seems to be one of the spreading ways (perhaps the only one?). *October 30, 2022 — MalwareHunterTeam (@malwrhunterteam)*
For the purpose of spreading their own malware to infected devices, other threat actors may hire or purchase 'installs' from the SmokeLoader botnet. The SmokeLoader malware is often spread through websites that provide pirated software cracks, game hacks, cheats, and key generators.
The new 'Azov Ransomware' has been distributed by SmokeLoader during the last several days, along with other malware VirusTotal Including the RedLine Stealer data-stealing malware and the STOP ransomware.
We have discovered that the victims who were double-encrypted by SmokeLoader, which spread both the Azov and STOP ransomware at the same time.
It will then dump the ransomware's main executable VirusTotal in the Windows temporary (%Temp%) folder and run it.
Once activated, the wiper will move the file C:WindowsSystem32msiexec.exe to C:ProgramDatardpclient.exe virus toal and patch it so that it also contains the Azov wiper. In addition, the following Registry entry may be used to have the wiper run automatically whenever Windows boots:
`[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]` Bandera is shorthand for `"C:ProgramDatardpclient.exe."`
The computer's disks will now be scanned by the wiper, and all files not ending in.ini,.dll, or.exe will be encrypted.
When files are encrypted, it adds the.azov extension at the end of the file name. Below is an example of how 1.doc may be encrypted and renamed as 1.doc.azov.
As was previously revealed in the article, the wiper will produce text files in each scanned folder with the name RESTORE FILES.txt that carry a message from the threat actor.
MalwareHunterTeam discovered an earlier variant of the wiper that employed a ransom note with a considerably more ominous tone.

*Azov data wiper previous iteration message*
Researchers will examine the ransomware to look for flaws in the encryption, but until such flaws are found, the ransomware should be deemed harmful since there is no method to contact the threat actors and retrieve decryption keys. If this data wiper encrypts your files, however, you were very certainly infected with other malware as well, such as a trojan horse designed to steal sensitive information. Thus, it is imperative that you immediately change the passwords for all of your online accounts, particularly those that contain critical information.

Suspected China and India nexus actors both compromised Balochistan Police systems, planting malware in a public complaint portal used by citizens.