- Check Point Research (CPR) provides under-the-hood details of its analysis of the infamous Azov Ransomware
- Using advanced wipers, Azov is designed to inflict immense damage to the infected machine it runs on
- Check Point Research flags a worrying shift towards sophisticated malware designed to destroy the compromised system, and advises organizations to take appropriate measures
Azov first came to the attention of the information security community as a payload of the SmokeLoader botnet, commonly found in fake pirated software and crack sites. During the past few weeks, Check Point Research (CPR) has shared its preliminary results of investigations into the Azov ransomware on social media, as well as with Bleeping Computer.
Over 5 years ago, the WannaCry attack changed cybersecurity. Its influence on the cyber threat landscape was outsized: it was the first global-scale, multi-vector cyberattack whose primary effect was to encrypt a compromised machine’s files, rendering the machine unusable, though reversibly.
Since then, ransomware attacks have grown in volume, form, and shape, evolving into different methods and tactics.
Appetite for Destruction: A worrying shift towards wipers
One thing that sets Azov apart from the variety of ransomware seen in recent years is its modification of certain 64-bit executables to execute its own code. The modification is done using polymorphic code, so that it is not blocked or detected by static signatures; that it targets 64-bit executables at all is notable, as the average malware author would not have bothered with them.
This aggressive polymorphic infection of victim executables has led to a surge of publicly available files infected with Azov. Every day, hundreds of new Azov-related samples are submitted to VirusTotal, and as of November 2022 the total has already exceeded 17,000.
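As an added defender-side example (not Check Point Research's code), the baseline-and-diff check below hashes every 64-bit PE file and reports executables whose content changed, since polymorphic infection leaves no stable byte pattern to sign but must alter the file itself. The file paths and PE-shaped sample bytes are constructed for the demo, and `read_tree` is an assumed helper for loading a real directory.

```python
# Added example, not Check Point Research's code: hash-baseline integrity check for x64 PE files.
import hashlib
import os
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664  # Machine field value of a 64-bit (x64) PE image

def pe_machine(data: bytes):
    """Return the PE header Machine field, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the "PE\0\0" signature
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]

def is_x64_pe(data: bytes) -> bool:
    return pe_machine(data) == IMAGE_FILE_MACHINE_AMD64

def build_baseline(files: dict) -> dict:
    """Map path -> SHA-256 for every 64-bit PE in a {path: bytes} mapping."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in files.items() if is_x64_pe(d)}

def diff_baseline(baseline: dict, files: dict) -> dict:
    """Report x64 executables that are 'modified', 'new' or 'missing' versus the baseline."""
    current = build_baseline(files)
    findings = {p: ("new" if p not in baseline else "modified")
                for p, h in current.items() if baseline.get(p) != h}
    findings.update({p: "missing" for p in baseline if p not in current})
    return findings

def read_tree(root: str) -> dict:
    """Assumed loader: read a real directory tree into the {path: bytes} shape used above."""
    return {os.path.join(d, f): open(os.path.join(d, f), "rb").read()
            for d, _, names in os.walk(root) for f in names}

def make_sample_pe(machine: int, body: bytes) -> bytes:
    """Constructed minimal PE-shaped buffer: just enough header for pe_machine() to parse."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE header starts right after the DOS stub
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + body

def demo() -> dict:
    """Constructed scenario: one x64 binary has bytes appended, one new x64 file appears."""
    before = {"C:/tools/a.exe": make_sample_pe(IMAGE_FILE_MACHINE_AMD64, b"original code"),
              "C:/tools/b.exe": make_sample_pe(0x014C, b"32-bit image, out of scope")}
    after = dict(before)
    after["C:/tools/a.exe"] += b" tampered"  # content changed in place; hash no longer matches
    after["C:/tools/c.exe"] = make_sample_pe(IMAGE_FILE_MACHINE_AMD64, b"dropped later")
    return diff_baseline(build_baseline(before), after)
```

Run `diff_baseline` periodically against a baseline taken from a known-clean image; a burst of "modified" findings across unrelated executables is the signal this page describes.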
Though it is yet to be revealed what motivation lies beneath the actions of the threat actor distributing Azov in the wild, it is now clear that Azov is an advanced malware designed, to put it simply, to destroy the compromised system it executes on.
In our analysis we distinguished 2 different versions of Azov, one older and one slightly newer. The versions share most of their capabilities, but the newer version uses a different ransom note, as well as a different file extension for the destroyed files it creates.
Ransom note of the newer version of Azov
Ransom note of the older version of Azov
Whereas the older note is more amorphous, dwelling on general situations of life and death and on feelings of destruction and loss, the newer note refers to the Russo-Ukrainian conflict directly, purportedly directing the victim to “bring your attention to the problem” and complaining that “the west doesn’t help enough Ukraine”.
How to Prevent Ransomware Attacks
A successful ransomware attack can be devastating to a business. Organizations caught unprepared could be left with the choice between paying a ransom demand and writing off the stolen data entirely. There are several actions that a company can take to minimize their exposure to and the potential impacts of a ransomware attack.
Robust Data Backup
The goal of ransomware is to force the victim to pay a ransom in order to regain access to their encrypted data. However, this is only effective if the target actually loses access to their data. A robust, secure data backup solution is an effective way to mitigate the impact of a ransomware attack. If systems are backed up regularly, then the data lost to a ransomware attack should be minimal or non-existent. However, it is important to ensure that the data backup solution cannot be encrypted as well. Data should be stored in a read-only format to prevent the spread of ransomware to drives containing recovery data.
Cyber Awareness Training
Phishing emails are one of the most popular ways to spread ransom malware. By tricking a user into clicking on a link or opening a malicious attachment, cybercriminals can gain access to the employee’s computer and begin the process of installing and executing the ransomware program on it. Frequent cybersecurity awareness training is crucial to protecting the organization against ransomware. This training should instruct employees to do the following:
- Not click on malicious links
- Never open unexpected or untrusted attachments
- Avoid revealing personal or sensitive data to phishers
- Verify software legitimacy before downloading it
- Never plug an unknown USB into their computer
- Use a VPN when connecting via untrusted or public Wi-Fi
WannaCry, one of the most famous ransomware variants in existence, is an example of a ransomware worm. Rather than relying upon phishing emails or Remote Desktop Protocol (RDP) to gain access to target systems, WannaCry spread itself by exploiting a vulnerability in the Windows Server Message Block (SMB) protocol. At the time of the famous WannaCry attack in May 2017, a patch existed for the EternalBlue vulnerability used by WannaCry. This patch was available a month before the attack and labeled as “critical” due to its high potential for exploitation. However, many organizations and individuals did not apply the patch in time, resulting in a ransomware outbreak that infected 200,000 computers within three days. Keeping computers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.
Strengthening User Authentication
Cybercriminals commonly use the Remote Desktop Protocol (RDP) and similar tools to gain remote access to an organization’s systems using guessed or stolen login credentials. Once inside, the attacker can drop ransomware on the machine and execute it, encrypting the files stored there. This potential attack vector can be closed through the use of strong user authentication. Enforcing a strong password policy, requiring the use of multi-factor authentication, and educating employees about phishing attacks designed to steal login credentials are all critical components of an organization’s cybersecurity strategy.
While the previous ransomware prevention steps can help to mitigate an organization’s exposure to ransomware threats, they do not provide perfect protection. Some ransomware operators use well-researched and highly targeted spear phishing emails as their attack vector. These emails may trick even the most diligent employee, resulting in ransomware gaining access to an organization’s internal systems. Protecting against this ransomware that “slips through the cracks” requires a specialized security solution. To achieve its objective, ransomware must perform certain anomalous actions, such as opening and encrypting large numbers of files. Anti-ransomware solutions monitor programs running on a computer for suspicious behaviors commonly exhibited by ransomware, and if these behaviors are detected, the program can take action to stop encryption before further damage can be done.
Utilize better threat prevention
Most ransomware attacks can be detected and resolved before it is too late. You need to have automated threat detection and prevention in place in your organization to maximize your chances of protection.
- Scan and monitor emails. Emails are a common choice of cybercriminals executing phishing schemes, so take the time to scan and monitor emails on an ongoing basis, and consider deploying an automated email security solution to block malicious emails from ever reaching users.
- Scan and monitor file activity. It is also a good idea to scan and monitor file activity. You should be notified whenever there is a suspicious file in play—before it becomes a threat.