The cybercrime group behind the Trickbot botnet released a new strain of ransomware called Diavol combined with Wizard Spider

The Diavol and Conti ransomware payloads were deployed to different systems in a ransomware attack blocked by the Fortinet EDR solution. Two ransomware families are cut from the same fabric, from using asynchronous I / O operations for file encryption queuing to using virtually identical command-line parameters for the same functionality

Inspite of these similarities no other connectivity identified. Instance, there are no built-in controls in Diavol ransomware that prevent payloads from running on Russian target systems like Conti does and no evidences of data exfilteration

Diavol ransomware gate site

Diavol ransomware capabilities

Diavol ransomware encryption procedure uses asynchronous procedure calls (APC) in user mode with asymmetric encryption algorithm and lacks obfuscation

While executed on a compromised machine, the ransomware extracts the code from the PE resource section of the images and loads it into a buffer with execute permissions. The code it extracts amounts to 14 different routines that will be executed in the following order:

  • Create an identifier for the victim
  • Initialize configuration
  • Register with the C&C server and update the configuration
  • Stop services and processes
  • Initialize the encryption key
  • Find all drives to encrypt
  • Find files to encrypt
  • Avoid recovery by deleting snapshots
  • Encryption
  • Change desktop wallpaper
Diavol ransomware wallpaper

Once Diavol ransomware terminates, it will change the background of each encrypted Windows device to a black wallpaper with the following message: “All your files are encrypted! For more information, see README-FOR-DECRYPT.txt”

Additional technical information on Diavol ransomware and indicators of compromise (IOC) can be found at  FortiGuard Labs Threat Research Report.