Darkweb’s New Favorite: AzzaSec Ransomware


AzzaSec Ransomware, developed by the AzzaSec Hacktivist Group, represents a significant cybersecurity threat due to its sophisticated features and destructive capabilities. This ransomware is particularly dangerous because of its fully undetected (FUD) nature and its use in targeted attacks via ransomware as a service (RaaS).

Key Findings

Development and Affiliations: AzzaSec Ransomware was developed by the AzzaSec Hacktivist Group, known for its financial motivations and opposition to Israel and Ukraine. They are allied with Russian groups Noname057(16) and APT44.

Infection Methods: The ransomware is disseminated through two primary methods: compromising remote Windows servers, and phishing attacks that use a PDF dropper.

Encryption Details: Once a system is infected, the ransomware encrypts files and appends the AzzaSec_Encryptor extension, using AES encryption with SHA512 to derive the keys and IVs. It targets 120 different file formats.

Anti-Detection Capabilities: The ransomware features Anti-VM, Anti-Hosting, Anti-Sandboxing, and Anti-Debugger mechanisms to evade security measures.

Persistence and Extortion: To ensure persistence, the ransomware places a copy of itself in the Startup directory. It demands a $600 payment for decryption, changes the system’s background, and plays a menacing audio message to pressure victims into paying the ransom.

Detailed Analysis

Attack Chain

Initial Compromise: Involves social engineering through phishing emails with malicious PDF attachments.

Execution: The PDF dropper executes commands via Foxit PDF Reader to download and run the ransomware.

Persistence: The ransomware copies itself to the Startup directory.

Encryption: Encrypts files and modifies system settings to prevent recovery.

AzzaSec Hacktivist Group

Foundation: Founded on February 28, 2024; Italy-based.

Activities: Includes ransomware attacks, DDoS attacks, exploiting site and server vulnerabilities, and data leaks.

Notable Members: Walter Bishop, Friendied, and NoCry/Dmitry.Ransom.

Features of AzzaSec Ransomware

Development: Created using VB .NET; the binary is 10MB in size.

Detection Rate: Low detection rate (1/40 on KleenScan).

Communication: Connects to a Command and Control (C2) server for decryption keys and monitoring compromised systems.

Reverse Engineering and Recovery

Unpacking: The ransomware is packed with .NET Reactor and was unpacked using Net Reactor Slayer.

Dynamic Analysis: Observes network connections to detect C2 communications and identifies the extension appended to encrypted files.

Static Analysis: Reveals the use of AES encryption and SHA512 hashing for key and IV generation.

Mitigation Strategies

  1. Do not install applications from unknown sources and senders.
  2. When downloading an application from a site, make sure it is the original and official site.
  3. Avoid using cracked applications.
  4. Be vigilant against phishing emails and ensure the sender and source are reliable.
  5. For files or software you are unsure about but must open, use a VM or Sandbox.
  6. Set up your security software to block the IOCs listed in the IOC section of the technical report.
  7. Integrate Yara and Sigma rules into your security products.
  8. Request training against social engineering attacks.
  9. Regularly install your Windows updates.
  10. Always backup your critical files.
  11. Always stay alert to current threats.
  12. Use application whitelisting to allow only trusted and authorized programs to run on the system.
  13. Implement appropriate password policies and practices and regularly audit and secure credentials.
  14. Restrict user and application access to the Windows Registry and regularly monitor and audit registry changes.

Detection and Removal

  • Use Yara and Sigma rules to identify and mitigate ransomware threats.
  • Employ reverse engineering tools like dnSpy to extract decryption keys and restore encrypted files.
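As an added defender-side example (not code from the AzzaSec report or from any tool named above), the following Python script performs the two host checks the summary implies: it lists files carrying the AzzaSec_Encryptor extension under a scan root, and flags executables or scripts in the Startup folder the ransomware uses for persistence. The executable suffix list, the folder paths and the sample files built by demo() are assumptions constructed for illustration.

```python
import os
import sys
import tempfile

# Extension the summary above says the ransomware appends to encrypted files.
ENCRYPTED_SUFFIX = ".AzzaSec_Encryptor"
# File types that should not normally appear in a user's Startup folder (assumed list).
EXEC_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def find_encrypted_files(root):
    """Relative paths under root whose name ends with the ransomware's extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_SUFFIX.lower()):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def find_startup_items(startup_dir):
    """Executables or scripts in the Startup folder, the persistence location noted above."""
    if not os.path.isdir(startup_dir):
        return []
    return sorted(n for n in os.listdir(startup_dir)
                  if os.path.splitext(n)[1].lower() in EXEC_SUFFIXES)


def triage(root, startup_dir):
    """Combine both checks into one report a responder can act on."""
    return {"encrypted": find_encrypted_files(root),
            "startup": find_startup_items(startup_dir)}


def demo():
    """Run triage over a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as base:
        docs, startup = os.path.join(base, "Documents"), os.path.join(base, "Startup")
        os.makedirs(os.path.join(docs, "reports"))
        os.makedirs(startup)
        for rel in ("budget.xlsx.AzzaSec_Encryptor", "notes.txt",
                    os.path.join("reports", "q1.docx.AzzaSec_Encryptor")):
            open(os.path.join(docs, rel), "wb").close()
        for name in ("updater.exe", "readme.txt"):
            open(os.path.join(startup, name), "wb").close()
        return triage(docs, startup)


if __name__ == "__main__":
    # usage: script.py <scan root> <startup folder>; with no arguments the constructed demo runs
    r = triage(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo()
    print(f"{len(r['encrypted'])} encrypted file(s); startup items: {r['startup']}")
```

On Windows the per-user Startup folder is %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup; pass it as the second argument.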

Conclusion

AzzaSec Ransomware is a potent and evolving threat, necessitating robust cybersecurity measures and vigilant monitoring to mitigate its impact. Through detailed analysis and reverse engineering, encrypted files can be recovered, and the ransomware’s persistent attempts to compromise systems can be thwarted.

For more information, read the AzzaSec Ransomware Technical Malware Analysis Report.
