A new data-wiping malware has been detected, infecting more endpoints every day. Most curiously, it pretends to be ransomware.
The malware is called Azov Ransomware, and when it runs on a victim's device it overwrites file data with junk, rendering the files unusable. The overwrites are cyclical: the malware overwrites 666 bytes of data, leaves the next 666 bytes intact, and repeats the pattern to the end of the file.
Even though the corrupted files cannot be recovered, and there is no decryption key or ransom demand, the malware still drops a ransom note, telling victims to contact security researchers and journalists for help.
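The alternating overwrite pattern described above is something an incident responder can look for when triaging files. The following is an added example, not code from the article or from any vendor: it scores each 666-byte block's Shannon entropy and flags a file if every other block looks like random junk while the blocks in between do not. Whether the cycle starts at offset 0 or 666 is not stated in the article, so both phases are checked; the stride, threshold and sample document are assumptions for the demonstration.

```python
import math
import random
from typing import Optional

BLOCK = 666  # overwrite/skip stride reported for Azov, in bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~7.7-8.0 for random junk, ~4-5 for prose, 0 for a constant run."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def azov_damage_phase(data: bytes, block: int = BLOCK,
                      junk: float = 7.0, min_pairs: int = 3) -> Optional[int]:
    """Return 0 or 1 (index of the first junk block) when the file alternates
    junk-like and intact blocks of `block` bytes, otherwise None.
    Only full blocks are scored; a trailing partial block is ignored.
    Caveat: files that were already high-entropy (archives, media, encrypted
    data) cannot be triaged this way and are never flagged."""
    full = len(data) // block
    if full < 2 * min_pairs:
        return None
    ents = [shannon_entropy(data[i * block:(i + 1) * block]) for i in range(full)]
    for phase in (0, 1):
        hit, kept = ents[phase::2], ents[1 - phase::2]
        if all(e >= junk for e in hit) and all(e < junk for e in kept):
            return phase
    return None


def make_sample(damaged: bool, phase: int = 0, seed: int = 1) -> bytes:
    """Constructed fixture (assumption): a low-entropy 'document', optionally
    with every other 666-byte block replaced by random bytes in memory,
    mimicking the damage pattern the article describes."""
    text = b"Quarterly report line with ordinary prose for testing. " * 200
    if not damaged:
        return text
    rng = random.Random(seed)
    buf = bytearray(text)
    for i in range(phase, len(buf) // BLOCK, 2):
        buf[i * BLOCK:(i + 1) * BLOCK] = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return bytes(buf)


if __name__ == "__main__":
    print("clean:", azov_damage_phase(make_sample(False)))      # None
    print("damaged:", azov_damage_phase(make_sample(True)))     # 0
```

A real triage run would feed `azov_damage_phase` the contents of each user document on a suspect host and report the ones that return a phase.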
Execution trigger
Another curious aspect of Azov Ransomware is that it comes with a trigger, which makes it sit idly on the endpoint until October 27, 10:14:30 UTC, after which all hell breaks loose.
When that time arrives, the victim does not necessarily have to run the original executable; running almost any program is enough. That is because the wiper infects every other 64-bit executable on the device whose file path does not contain any of the following strings:
:\Windows
Program data
cache2\entries
LayerContent.IE5
User Data\Default\Cache
documents and settings
All users
In other words, launching a seemingly benign program would trigger the wiper, crashing the computer and destroying the data on it.
Azov Ransomware is distributed via the Smokeloader botnet, which is often found in fake pirated software and on crack sites.
Whoever is behind this wiper, their motives remain unclear. While some researchers believe the wiper is being used as a cover for other malicious behavior, others believe the motive is simply to troll the cybersecurity community.
Via: BleepingComputer