Wow! Guess I’m getting an early start on next year’s Halloween scary tales! This ransomware destroys 666 bytes of data at a time!

According to BleepingComputer (Azov Ransomware is a wiper, destroying data 666 bytes at a time, written by Lawrence Abrams), the Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims’ data and infects other programs.

Last month, a threat actor began distributing malware called ‘Azov Ransomware’ through cracks and pirated software that pretended to encrypt victims’ files.

However, instead of providing contact info to negotiate a ransom, the ransom note told victims to contact security researchers and journalists to frame them as the developers of the ransomware. As there was no contact info, and the listed contacts had no way of helping victims, it was safe to assume that the malware was a data wiper.

That assumption was confirmed by Checkpoint security researcher Jiří Vinopal, who analyzed the Azov Ransomware and confirmed to BleepingComputer that the malware was specially crafted to corrupt data.

The malware included a trigger time that would cause it to sit dormant on the victim’s devices until October 27th, 2022, at 10:14:30 AM UTC, which would then trigger the corruption of all data on the device.

Vinopal says it would overwrite a file’s contents and corrupt data in alternating 666-byte chunks of garbage data. The number 666 is commonly associated with the biblical ‘Devil,’ clearly showing the malicious intent of the threat actor. In other words, this ransomware destroys 666 bytes of data at a time!

“Each cycle exactly 666 bytes are being overwritten with random (uninitialized data) and the next 666 bytes are left original,” Vinopal told BleepingComputer.

“This works in a loop, so wiped file structure would look like this: 666 bytes of garbage, 666 bytes original, 666 bytes of garbage, 666 bytes original, etc…”

To make matters even worse, the data wiper will infect, or ‘backdoor,’ other 64-bit executables on the Windows device whose file path does not contain the following strings:

• :\Windows
• \ProgramData\
• \cache2\entries
• \Low\Content.IE5\
• \User Data\Default\Cache\
• Documents and Settings
• \All Users

When backdooring an executable, the malware will inject code that will cause the data wiper to launch when a seemingly harmless executable is launched.

Today, the threat actor continues distributing the malware through the Smokeloader botnet, commonly found in fake pirated software and crack sites.

It is unclear why the threat actor is spending money to distribute a data wiper. However, theories range from it being done to cover up other malicious behavior or simply to ‘troll’ the cybersecurity community.

Regardless of the reason, victims who are infected with Azov Ransomware will have no way of recovering their files, and as other executables are infected, they should reinstall Windows to be safe – not to mention reset any passwords.

So, what’s more surprising – that this ransomware destroys 666 bytes of data at a time, or that someone didn’t develop ransomware to do this sooner? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.