"Azov Ransomware Is a Wiper, Destroying Data 666 Bytes at a Time"

The Azov Ransomware is still widely distributed worldwide, and it has now been proven to be a data wiper that destroys victims' data and infects other programs. A threat actor began distributing 'Azov Ransomware,' which pretended to encrypt victims' files, via cracks and pirated software. Instead of providing contact information to negotiate a ransom, the ransom note instructed victims to contact security researchers and journalists in order to frame them as the ransomware's developers.

Jiří Vinopal, a Check Point security researcher, examined the Azov Ransomware and confirmed that the malware was specifically designed to corrupt data. The malware included a timer that would cause it to remain dormant on the victim's devices until October 27th, 2022, at 10:14:30 AM UTC, after which it would corrupt all data on the device. Vinopal stated that it would overwrite a file's contents and corrupt data in 666-byte chunks. He explained that for every cycle, exactly 666 bytes are overwritten with random (uninitialized) data, and the next 666 bytes are left unchanged. The data wiper also infects, or 'backdoors,' other 64-bit executables on the Windows device whose file paths do not contain certain strings. When the malware backdoors an executable, it injects code so that the data wiper launches whenever that seemingly harmless executable is run. This article continues to discuss recent findings surrounding the Azov Ransomware.
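The following Python example is added here and is not from the article or from the researcher's analysis. It compares a damaged file against a known-good backup to test for the alternating 666-byte pattern described above and lists the byte ranges that remain intact; the function names, the assumption that each cycle's overwritten block starts at offset 0, and the sample data are constructed for illustration.

```python
CHUNK = 666  # block size reported in the article

def block_diff_map(original: bytes, damaged: bytes, chunk: int = CHUNK) -> list:
    """One flag per chunk-sized block: True if any byte differs from the backup."""
    if len(original) != len(damaged):
        raise ValueError("compare against a backup copy of the same size")
    return [original[i:i + chunk] != damaged[i:i + chunk]
            for i in range(0, len(original), chunk)]

def matches_alternating_pattern(original: bytes, damaged: bytes,
                                chunk: int = CHUNK, min_hit_ratio: float = 0.9) -> bool:
    """True if changes fall only in even-numbered blocks (assumed overwritten
    first in each cycle) and every odd-numbered block is untouched."""
    flags = block_diff_map(original, damaged, chunk)
    even, odd = flags[0::2], flags[1::2]
    if not even or any(odd):
        return False
    # Overwritten data can coincide with the original in a block, so allow slack.
    return sum(even) / len(even) >= min_hit_ratio

def intact_ranges(original: bytes, damaged: bytes, chunk: int = CHUNK) -> list:
    """Merged (start, end) byte ranges that still match the backup."""
    ranges = []
    for idx, changed in enumerate(block_diff_map(original, damaged, chunk)):
        if changed:
            continue
        start = idx * chunk
        end = min(start + chunk, len(original))
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return ranges

def constructed_sample(size: int = 4000):
    """Constructed test data: a 4000-byte buffer and a copy whose even-numbered
    666-byte blocks are bit-flipped to stand in for the overwritten data."""
    original = bytes(i % 251 for i in range(size))
    damaged = bytearray(original)
    for start in range(0, size, 2 * CHUNK):
        end = min(start + CHUNK, size)
        damaged[start:end] = bytes(b ^ 0xFF for b in original[start:end])
    return original, bytes(damaged)

if __name__ == "__main__":
    orig, dmg = constructed_sample()
    print("alternating 666-byte pattern:", matches_alternating_pattern(orig, dmg))
    print("intact ranges:", intact_ranges(orig, dmg))
```

The intact ranges show which parts of a file were left unchanged, which matters when assessing what can be salvaged from files that have no backup of their own.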

Bleeping Computer reports "Azov Ransomware Is a Wiper, Destroying Data 666 Bytes at a Time"
