
Azer Ransomware

Posted: July 7, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 7
First Seen: July 7, 2017
OS(es) Affected: Windows

The Azer Ransomware is an update of the CryptoMix or CryptMix Ransomware family and retains the family's defining feature of using encryption to lock your files so that it can collect ransoms. Besides minor changes to how it formats symptoms such as its text messages, the Azer Ransomware also includes offline features that can damage your files without requiring Internet connectivity. Users should back up their content, when possible, and use anti-malware solutions for eliminating the Azer Ransomware at the earliest opportunity.

A Remix of Data-Locking Tactics

While clones and small revisions of large Trojan families like Hidden Tear are as commonplace as ever, what's easiest for threat actors often results in exploitable weaknesses that the anti-malware industry can convert into security and data-recovery solutions. The people maintaining the latest versions of the CryptMix Ransomware appear to be taking steps to counteract these defenses. The latest update, dubbed the Azer Ransomware, uses different keys for its encoding routine, as well as other changes both superficial and internal.

The Azer Ransomware's most important change is a departure from the Command & Control networking features found in the penultimate version of the family, the Mole02 Ransomware. Rather than using C&C server communications, the Azer Ransomware locks the user's files by randomly selecting one key from an internal list of encryption keys. Consequently, even PCs that are completely offline are at risk from this threat's attacks, which render select files, chosen by format and location, indecipherable until their owner can decrypt them.

On a more aesthetic level, the Azer Ransomware also creates slightly different text messages to ask for money in exchange for its threat actors' decryption help, using e-mail addresses that malware analysts have noted in previous attacks by related file-encrypting Trojans. The locked files also use new extensions that embed the e-mail address for negotiating, along with the '.AZER' string. Because the Azer Ransomware also encodes the rest of the filename, the user may find it difficult to identify the contents of any locked media.

Stopping Your Files from Getting Mixed Up with Threat Business

It's almost certainly no accident that the Azer Ransomware's release comes fast on the heels of the creation of a free decryption solution for the Mole02 Ransomware, which was the last version of this family to be used against the public. Although malware experts see no particular increase in encryption obfuscation in the Azer Ransomware, its slight differences in encoding methodology will prevent old decryptor applications from being compatible with its output. For the immediate future, victims of Azer Ransomware infections may have only backups to keep their files from staying locked, or be forced to pay the ransom.

Trojan campaigns specializing in data-based hostage-taking most often benefit from the help of e-mail messages, Web browser-based exploits, and con artists gaining access to a server's login credentials. Standard anti-malware products can block all but the latter technique by various means. An appropriate response to an attempted attack includes blocking and quarantining or deleting the Azer Ransomware with a security product that's effective against old versions of the CryptMix Ransomware, which cuts off the encryption function before it starts.

The Azer Ransomware may be a signal of where threat actors are heading in the future: with less dependence on external resources to commit the same attacks as always. Whether or not its payload philosophy is an outlier, the Trojan can't escape the fact that the simplest way to keep yourself safe is to use a backup, combined with good security programs.

Technical Details

File System Modifications


The following files were created in the system:

File name: file.exe
Size: 219.13 KB (219136 bytes)
MD5: 70d5953b7cc23387ab23563220e83be4
Detection count: 73
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: July 9, 2017
