AzzaSec Ransomware Technical Analysis Report

Download Report

As ThreatMon, we strive to prevent potential malicious activities by informing individuals, companies, firms, institutions, and organizations about current threats through our reports, posts, and analyses.

AzzaSec Ransomware is a RaaS (Ransomware as a Service) developed by the AzzaSec Hacktivist Group. This malware can also be used by the group to attack targeted systems. The ransomware was developed by threat actors using aliases “WalterBishop_AzzaSec” and “NoCry/Dmitry.Ransom” under the leadership of AzzaSec Group Leader “Friendied.”

Key findings include:

AzzaSec ransomware is dangerous because it is particularly FUD (Fully UnDetectable) and is used by a group.
Two different infection scenarios have been identified in the ransomware infection process.
It has been found that they use a PDF dropper in the infection process, which downloads and executes AzzaSec Ransomware on the system, avoiding detection by many security software products.
AzzaSec Ransomware has Anti-VM/Anti-Hosting/Anti-Sandboxing/Anti-Debugger features.
To maintain persistence on the system, AzzaSec Ransomware moves itself to the Startup directory. The ransomware becomes active repeatedly during each Windows login process.
As ThreatMon, we successfully obtained the decryption key by using reverse engineering on this malware and provided a detailed step-by-step explanation in the report.

Relevant Reports

We see the full picture of the evolving cyber threat landscape thanks to unique tools for monitoring the infrastructure used by cybercriminals and data from battlefields: