
Azer CryptoMix Ransomware Variant Operates Offline

There are many different types of cryptocurrency ransomware in circulation, and most existing strains see variants of their own codebase surface over time. CryptoMix ransomware has been popular over the past year or so, and security researchers have come across a new variant called Azer. This particular malware has some intriguing characteristics which are worth discussing.

Azer is an Interesting Breed of Malware

We have seen many different types of malware and ransomware. In most cases, new variants make life a lot more difficult for both victims and security researchers. The ransomware market will continue to boom over the coming years. With the number of threats increasing every month, things will only get more troublesome.

The Azer variant of CryptoMix ransomware is a good illustration of what we can expect in the future. CryptoMix ransomware has been in circulation for quite some time and the latest Azer variant boasts some interesting changes compared to what we have gotten used to over the past few months. It is an interesting case study of likely trends to come.

First of all, it appears the ransom note of Azer is quite different from what we have seen from CryptoMix ransomware. The name has been changed, and the instructions are brief. Victims are asked to send an email to the criminal before they can receive payment information. This shows Azer is not using a command & control service, which is a new trend we have seen emerge in popularity throughout 2017.


Azer is perhaps one of the first types of ransomware to operate completely offline. This is unusual, since online communication is the norm for malware. Seeing malware that prefers no network communication is strange, but it may herald a major change in the ransomware scene.

Just because Azer works completely offline does not mean the encryption will be easy to break. In fact, the malware embeds nearly a dozen different public encryption keys. It is unclear which key is used to encrypt victim files, since the selection seems to be completely random. In most cases, ransomware uses one RSA-1024 encryption key. Seeing a new type of malware switch over to using ten different keys is significant. It certainly does not make the job any easier for security researchers.

Ransomware developers are still exploring new options to make their creations even more dangerous. Giving victims fewer chances to decrypt files or restore files from a backup will eventually result in more payments being made. At this time, it is unclear how much victims need to pay to get rid of the Azer malware. This will not be the final CryptoMix variant either, as the criminals will improve their devious craft.

JP Buntinx

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.
