Azov ransomware asks for Ukraine support

This ransomware took the name of a famous Ukrainian battle squadron – Azov. They are known far away from battlefields of the Russo-Ukrainian war, but mostly in a positive case. Meanwhile, Azov ransomware ciphers users’ files, giving no workable instructions to go with. Ciphered files receive .azov extension and cannot be accessed in a traditional way. Moreover, there is no decryptor tool available at the moment.

The claims like “contact ransomware analysts” look rather as an attempt to show their relation to this cybercrime. Crooks even signed the ransom note with the nickname of the one – Hasherezade. Others mentioned in the ransom note are Michael Gillespie, Vitaly Kremez, and Lawrence Abrams. However, they are not sorcerers and cannon decipher your files.

The exact malware is delivered through SmokeLoader – the backdoor that is also used to deliver STOP/Djvu ransomware and RedLine stealers. Overall, the distribution of this malware relies heavily on cracked software and keygen applications. Since there is no real way to reach Azov operators, this malware is a destructive wiper rather than ransomware. The attacked users have already begun complaining to different resources, including the analysts mentioned in the ransom note. However, the researchers do not yet know how to help the ransomware victims.

Ransomware gets politically preconceived

There’s nothing new in that some ransomware attacks have a political motivation. Russia-related group Conti was claiming responsibility for cyberattacks on governmental organizations of Western countries. Soon after the Russian war against Ukraine started, a certain number of Ukrainian hackers popped out, spreading ransomware to Russia and its allies. Still, Azov ransomware does not look like being politically biased against Russia. It is contrary to what you may think looking at its name.

Its ransom note gives several signs that its creator is Polish (or it is just an attempt to make us think so). It blames the German and US governments for giving no support to Ukraine in the current war – which is far from reality. Both countries are the biggest supplier of different goods and the biggest monetary donors. The calls to “make revolution” with a reminiscence to the “sweet times” of Merkel’s chancellorship and pre-Biden times (i.e., Trump’s presidency) draw up a clear picture. It is obvious who’s the main beneficiary of any drastic changes in the current governments of European countries and the USA. And that’s not a new trick for Russians to impersonate their rivals to spread turmoil.

The post Azov Ransomware Tries to Set Up Cybersecurity Specialists appeared first on Gridinsoft Blog.

In fact, the detected threat is a classic wiper, that is, malware designed to deliberately destroy data on an infected host.

WhisperGate wiper

Such malware is usually used either to mask other attacks and remove important evidence of a hack, or to perform sabotage in order to inflict maximum damage on the victim and prevent it from performing its usual activities, as was the case with the Shamoon, NotPetya or Bad Rabbit attacks.

According to the company, the attacks began on January 13, and the affected systems belonged to several Ukrainian state institutions, as well as non-profit organizations and information technology companies. Similarly to cases of NotPetya and BadRabbit wipers, the new malware also comes with a component that overwrites the MBR and prevents infected systems from booting.

The researchers have not yet been able to determine the vector of malware distribution, and therefore it is unclear whether the attack affected anyone else besides Ukrainian targets.

WhisperGate replaces the usual boot screen with a ransom note, which researchers say contains an amount, a bitcoin address, and a Tox ID to contact the attackers. So far, no payments have been made to the wallet of criminals.

However, experts note that it is useless to pay: even if the victims manage to restore the MBR, the malware deliberately damages files with certain extensions, overwriting their contents with a fixed number of bytes 0xCC, bringing the total file size to 1 MB. The affected extensions are listed below.

3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP file

Microsoft experts have said that so far, they have not been able to link these attacks to any specific hack group, and they are currently tracking the attackers under the ID DEV-0586.

Attacks on Ukrainian sites

At the end of last week, we already wrote that many Ukrainian sites suffered from cyberattacks and were defaced.

As the Ukrainian authorities have now said, Russian hackers are responsible for this attack:

The ministry says that the purpose of this attack is “not only to intimidate the public,” but also “to destabilize the situation in Ukraine by shutting down the public sector and undermining confidence in the government on the part of Ukrainians.”

I also recall that I reported that Russian-speaking hackers attacked the government infrastructure of Poland.

The post Microsoft discovered the WhisperGate wiper attacking Ukrainian users appeared first on Gridinsoft Blog.

It is important to mention that computer viruses are not only “viruses”. Nowadays, the term “computer viruses” is used to describe all types of malicious programs. But, in fact, viruses are just the type of malware – same as backdoors, coin miners, spyware or ransomware. You can read more about why that happened in our article.

The worst computer virus – what is it like?

First, let’s figure out what is meant by the term “the worst computer virus”. Different malware deals different kinds of damage, and it is always unwanted. Viruses can damage your networking configurations, system settings, cipher your files or even break your hardware. But the most dangerous ones considerably deal damage to all elements of your system. Some of such malware aims at making money on you, others – just to make your life harder. Let’s see the top-5 list of the worst computer virus – starting from less dangerous.

5th position. Coin miner trojan

This malware uses your hardware to mine cryptocurrencies, exactly, Monero and DarkCoin. What is the risk for your computer? First of all, it creates a significant load on your hardware – almost 70-90% on both CPU and GPU. That can easily lead to overheating, which never causes a positive impact on the lifespan of your hardware. Moreover, the GPU wear ratio is much higher when it is used for cryptomining purposes. The biggest danger is on laptops – their cooling system is not designed to deal with constantly overloaded hardware.

Another side of the problem is that modern coin miner trojans sometimes have a spyware module. It means that your personal data will not be personal anymore – read the next paragraph.

4th place. Spyware.

Spyware is designed to steal all possible personal information from the victims’ PCs. Location, language setups, cookie files, search history, activity hours data – even your PC configuration will be leaked to the crooks. Depending on the type of attack – massive or individual – this information will be sold to third parties or used for further cyber attacks. Spyware is extremely silent – it tries to stay in your system as long as possible to get more personal information about you. Most examples of this malware type are also able to steal your conversations – so don’t be surprised when you’d see some very private information available for everyone.

Spyware stealthiness makes it a tough nut for antivirus programs. Security tools often struggle to detect spyware correctly with a heuristic engine. Even if it detects one, you will probably see the detection of the “generic” type, which sometimes refers to a false detection and is thus ignored.

3. Banking trojans

What can be worse than getting your personal information stolen? Sure, getting your banking information stolen. And we are talking not only about card numbers and CVV code – they are important, but almost useless without the transaction approval. Modern banking trojans aim at your online banking – exactly, on login and password for it. Having them, crooks are free to manage your money.

Sometimes, banking trojans are combined with other malware – embedded into spyware, rogue software or phishing trojans. Since they aim at seriously protected things – online banking login forms – they are made by professionals. And it is a bad idea to ignore their efficiency – otherwise, you will have to ignore zeros on your banking account. Or, possibly, huge credit lines.

2nd place – Wiper virus

This type of malware was always very rare, but its danger can not be underestimated. Wiper malware is one that destroys your disk partitions. That malware is not about making money on you – it is just for revenge or mischief. Having your disk partition broken, you lose access to all your files and also to your operating system. UEFI is just not able to find the boot record of your OS – all data you have on your disks are just a weird mixture of non-structured bytes. Wiper malware is so rare that some of the anti-malware programs do not even have them in their detection databases.

Such a malicious program needs access to your system at the driver level. Hence, it is obvious to wait for the hazard from the program that pretends to be the driver updater, “system optimization tool”, or other deep-configuration stuff. Overall, such tools are considered dangerous because of their questionable functionality. And the chance to get your logical disks ruined complements this danger.

Worst computer virus ever. Ransomware

What is more painful than to get your disk partitions destroyed? Yes, to get your files ciphered. While partitions can be recovered – thanks to the special tools available for LiveCD launch – files attacked by ransomware are impossible to fix. Exactly, there are decryption tools for several ransomware families, but none of them give you a guarantee that you will get your files back. The guaranteed way to decrypt your data is to pay the ransom – $1000 and more.

Ransomware uses military-grade encryption – AES-256, RHA-1024, RHA-2048, or even ECC. Decrypting it with brute force can take more time than our universe exists. The only lucky chance of getting your files back without paying the ransom is to get encrypted with the flaw-by-design ransomware. The only well-known ransomware family that has flaws in its encryption key is HiddenTear – but its most modern variants have these breaches fixed. Another way to get the decryption key is to wait for the ransomware group to shut down. But even this does not give you any guarantees.

Ransomware also deals heavy damage to your system configurations. To prevent the usage of anti-malware software, it blocks access to the websites of the vendors that are listed on the VirusTotal site. Moreover, it also blocks the launching of antivirus software installation files. It means that your HOSTS files, along with Group Policies, suffered significant changes. If you just manage to remove ransomware, ignoring the system recovery, you will probably see your system malfunctioning.

Share this article and don’t forget to say your opinion on the worst computer virus in the comments. We will add the most interesting variants to the text – so describe them well. Good luck!

The post What is the worst computer virus? Figuring out appeared first on Gridinsoft Blog.