What is Azov ransomware and how does it differ from typical ransomware?

Azov ransomware is a polymorphic wiper that masquerades as ransomware. Unlike typical ransomware, which encrypts files for ransom, Azov irreversibly wipes data by intermittently overwriting blocks of 666 bytes with random noise, making recovery impossible. It also backdoors 64-bit Windows executables and uses polymorphic techniques to evade detection. Note: Azov does not exfiltrate data or communicate over the network, but its destructive nature means data loss is permanent.

What are the main technical features of Azov ransomware?

Key technical features of Azov ransomware include: manual assembly using FASM, anti-analysis and code obfuscation, multi-threaded intermittent overwriting of data (666 bytes at a time), polymorphic backdooring of 64-bit '.exe' files, a logic bomb trigger set to a specific time, no network activity or data exfiltration, and use of the SmokeLoader botnet for distribution. Note: The wiper avoids certain system paths and file extensions, but all other data under 4GB per file is at risk.

What is the polymorphic backdooring technique used by Azov ransomware?

Azov ransomware backdoors 64-bit '.exe' files by injecting polymorphic shellcode into the code section of executables that meet specific criteria (not excluded, under 20MB, 64-bit, and with enough space at the entry point). The shellcode is re-encrypted for each file, and three encoded data structures are appended to the file. This technique makes detection more difficult. Note: Only 64-bit executables under 20MB are targeted for backdooring.

What anti-analysis and code obfuscation techniques does Azov ransomware use?

Azov employs several anti-analysis and obfuscation methods: copying decrypted shellcode to new memory to thwart software breakpoints, using opaque constants and predicates, syntactic confusion (replacing instructions with non-idiomatic equivalents), and inserting dead (junk) code. These techniques complicate static and dynamic analysis. Note: These methods increase analysis difficulty but do not prevent detection by advanced tools.

What best practices help defend against ransomware threats like Azov?

Recommended practices include prompt patching of vulnerabilities, enforcing least privilege access, network segmentation, regular backups and recovery planning, rigorous monitoring of critical systems, and continuous red teaming and attack simulation to verify controls. For more, see Cymulate's blog on defending against BYOVD attacks. Note: Even with strong defenses, zero-day techniques may still pose a risk; continuous validation is essential.

How does Cymulate help organizations validate defenses against ransomware like Azov?

Cymulate's platform enables organizations to simulate ransomware attacks, validate security controls, and prioritize remediation based on real-world threats. The platform's continuous threat exposure management and immediate threats module allow rapid assessment of new ransomware variants. For example, Hertz Israel reduced cyber risk by 81% in four months using Cymulate. Note: Cymulate provides actionable insights but does not prevent attacks directly; integration with existing controls is required. See the Hertz Israel case study.

What types of threats can Cymulate validate?

Cymulate can validate threats such as malware, phishing, ransomware (including wipers like Azov), advanced persistent threats (APTs), insider threats, network attacks, and web application attacks. The platform simulates diverse attack scenarios for comprehensive security validation. Note: Cymulate's effectiveness depends on the scenarios and integrations selected; coverage may vary by environment.

What security and compliance certifications does Cymulate hold?

Cymulate is SOC2 Type II certified and holds ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications. These attest to Cymulate's adherence to security, privacy, and cloud service standards. Note: Detailed limitations not publicly documented; ask sales for specifics on compliance scope. See Cymulate's security certifications.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps directors, detection engineers, red teams, vulnerability management, GRC/compliance, and IT/cloud teams in organizations of all sizes. It is especially valuable for companies needing to validate defenses against advanced threats like ransomware wipers, prioritize risk, and communicate security posture to leadership. Note: Best fit for organizations with dedicated security teams; smaller organizations may require additional support for full utilization.

How quickly can Cymulate be implemented?

Cymulate is designed for rapid deployment and can be implemented in agentless mode, requiring only basic infrastructure and internet connectivity. Users can start running simulations almost immediately, with no need for additional hardware or complex configuration. Note: Implementation speed may vary depending on organizational readiness and integration requirements.

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model, with fees determined by the package, number of assets, and selected features. Pricing is customized for each organization. For a tailored quote, schedule a demo. Note: Exact pricing is not publicly listed; contact Cymulate for details.

How does Cymulate compare to AttackIQ?

Cymulate offers AI-driven remediation guidance, a daily-updated attack scenario library, and an AI Copilot for automated test creation. AttackIQ focuses on continuous security validation but may lack Cymulate's AI-powered context mapping and breadth of attack simulations. Choose Cymulate for rapid, actionable insights and AttackIQ for organizations already invested in their ecosystem. Note: Cymulate's advanced features may require more initial configuration. See detailed comparison.

How does Cymulate compare to Mandiant Security Validation?

Cymulate provides AI-powered automation, rapid deployment, and a comprehensive attack library with daily updates. Mandiant Security Validation is known for its threat intelligence and integration with Mandiant services. Choose Cymulate for ease of use and automation; choose Mandiant for integration with Mandiant's incident response and threat intelligence. Note: Cymulate may not offer the same level of incident response services as Mandiant. See detailed comparison.

Where can I find more technical resources about ransomware and threat validation?

Access Cymulate's resource hub for technical guides, whitepapers, and case studies. For ransomware-specific information, see the ransomware glossary entry and blog post on ransomware resilience. Note: Some resources may require registration for full access.

Azov Ransomware: A Polymorphic Wiper Masquerading as Ransomware

December 14, 2022

The abundance of samples has allowed analysts to distinguish two different versions of Azov, one older and one slightly newer.
These two versions share most of their capabilities, but the newer version uses a different ransom note, as well as a different file extension for destroyed files (.azov).

Technical Analysis: Highlights

Manually crafted in assembly using FASM
Using anti-analysis and code obfuscation techniques
Multi-threaded intermittent overwriting (looping 666 bytes) of original data content
Polymorphic way of backdooring 64-bit ".exe" files across the compromised system
"logic bomb" set to detonate at a certain time. The sample analyzed below was set to detonate at 10-27-2022 10:14:30 AM UTC
No network activity and no data exfiltration
Using the SmokeLoader botnet and trojanized programs to spread
Effective, fast, and unrecoverable data wiper

Analysis of the Newer Azov Version

The focus is on the original sample of the newer Azov version (SHA256: 650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e — as pointed out above, there is no major difference in functionality compared to the older version). This is a 64-bit portable executable file that has been assembled with FASM (flat assembler), with only 1 section .code (r+x), and without any imports.

Structure of the .code Section

The .code section has three parts, which are most easily seen by looking at its entropy:

A very low-entropy part that appears to consist of plain strings used to construct the ransom note
A high-entropy part containing the encrypted shellcode
A plain code section implementing the unpacking routine

Unpacking Routine

The unpacking routine in the function AllocAndDecryptShellcode() is intentionally created to look more sophisticated than it is. But in reality, it is a simple seeded decryption algorithm using a combination of xor and rol, where key = 0x15C13.

The Wiping Routine

The wiping routine begins by creating a mutex (Local\\azov) to verify that two instances of the malware are not running concurrently.

If the mutex handle is successfully obtained, Azov creates persistence by trojanizing (similar to the backdooring routine) the 64-bit Windows system binary msiexec.exe or perfmon.exe and saving it as rdpclient.exe. A registry entry at SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run is created pointing to the newly created file.

The wiping procedure uses a trigger time - there is a loop where the analyzed sample checks system time, and if it is not equal to or larger than the trigger time, it sleeps 10s and loops again.

Once this logic bomb triggers, the wiper logic iterates over all machine directories and executes the wiping routine on each one, avoiding certain hard-coded system paths and file extensions.
Each file is wiped "intermittently", by which analysts mean a block of 666 bytes is overwritten with random noise, then an identically-sized block is left intact, then a block is overwritten again, and so on — until the hard limit of 4GB is reached, at which point all further data is left intact.

Once the wiping is finished, the new file extension .azov is added to the original filename.

Backdooring Routine

Before traversing the filesystem to search for files to be backdoored, a mutex named Local\\Kasimir_%c is created, with the %c replaced with the letter of the drive being processed.

The function TryToBackdoorExeFile() is responsible for backdooring 64-bit ".exe" files that meet certain conditions.

These specific conditions could be simplified as follows:

Pre-Processing Conditions

It is not a part of the exclude list of filesystem locations
The file extension is ".exe"
The file size is less than 20MB

Processing conditions:

The file is a 64-bit executable file
The PE section containing the Entry Point has enough space for the shellcode implant to be injected in the way of preserving the original Entry Point of PE (the shellcode start address will be placed at the address of the original Entry Point)
File size == PE size (PE size is manually calculated)

The processing conditions are all checked in the function TryToBackdoorExeFile().

Once the file meets all pre-processing and processing conditions, it is considered suitable for backdooring and pushed to function BackdoorExeFile().

Function BackdoorExeFile()

The function BackdoorExeFile() is responsible for the polymorphic backdooring of executable files.
It first obtains the address of the original code section (usually the .text section) and randomly modifies its content in several locations. Before injecting the main blob of shellcode into the modified code section, certain constant values are changed, and the whole shellcode is re-encrypted with the same encryption algorithm and key as used during the unpacking of the malware, described earlier.
After the backdoored file is written back to disk, three encoded data structures are appended to its end, which are effectively resources needed for the ransomware to function (for instance, an obfuscated form of the ransom note).

Despite the polymorphic backdooring, the encryption/decryption algorithm used during the unpacking and backdooring is consistent and can be used for Azov detection.

Anti-Analysis and Code Obfuscation Techniques

Preventing Software Breakpoints

Using routines that copy already decrypted and currently executing parts of shellcode to newly allocated memory and later transferring execution to it will sooner or later result in an exception if software breakpoints are set. In such situations, it is necessary to use hardware breakpoints.

Opaque Constants

Replacing constants with a code routine producing the same resulting constant's value. This can be repeatedly seen in routines responsible for calculating constant offsets rather than using them directly so that a direct call can be replaced with an indirect call.

Syntactic Confusion

Replacing an instruction with semantically equivalent instruction(s) that are not idiomatic or are outright bloat. One example of this is found in the routine responsible for parsing the export directory; another is the repeated replacement of a call with a direct or indirect jmp.

Dead (Junk) Code

Insertion of garbage bytes results in no meaningful instructions or even no instructions at all.

Opaque Predicates

A jz/jnz that appears to be a conditional jump but in practice always meets (or always does not meet) the condition, effectively functioning as an unconditional jump, confusing static analysis.

These two obfuscations can both be seen in the function FindGetProcAddress().

Featured Resources

View More Resources

blog

How to Prioritize Vulnerabilities in 2026: From CVSS to Real Risk

Security teams have more vulnerability data than ever. Scanners find exposures across endpoints, cloud assets, applications, identities and third-party tools. The problem is no

CUSTOMERS

Financial Regulatory Authority Strengthens Security and Gains Continuous Visibility with Cymulate

Limited Visibility and Reliance on Point-in-Time Testing With a lean team of five responsible for securing a complex internal environment,

Read Case Study