
A new ransomware strain called Diavol has been linked to Wizard Spider, the cybercrime group behind the Trickbot botnet.
The Diavol and Conti ransomware payloads were deployed to different systems in a ransomware attack blocked by Fortinet's EDR solution. The two ransomware families are cut from the same cloth: both use asynchronous I/O operations to queue files for encryption, and both accept virtually identical command-line parameters for the same functionality.
Despite these similarities, no other connection was identified. For instance, Diavol has none of the built-in checks that prevent Conti's payload from running on Russian systems, and there is no evidence of data exfiltration.

Diavol ransomware capabilities
Diavol's encryption procedure uses user-mode asynchronous procedure calls (APCs) with an asymmetric encryption algorithm, and the code lacks obfuscation.
When executed on a compromised machine, the ransomware extracts code from the PE resource section of its image and loads it into a buffer with execute permissions. The extracted code amounts to 14 different routines, which are executed in the following order:
- Create an identifier for the victim
- Initialize configuration
- Register with the C&C server and update the configuration
- Stop services and processes
- Initialize the encryption key
- Find all drives to encrypt
- Find files to encrypt
- Avoid recovery by deleting snapshots
- Encryption
- Change desktop wallpaper

Once Diavol finishes, it changes the desktop background of each encrypted Windows device to a black wallpaper bearing the message: “All your files are encrypted! For more information, see README-FOR-DECRYPT.txt”
Additional technical information on Diavol ransomware and indicators of compromise (IOCs) can be found in the FortiGuard Labs Threat Research report.
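As an added example (not code from the report or from Fortinet), the following Python correlates host telemetry against the routine order above, flagging a host only when the observable stages (service stops, snapshot deletion, bulk file rewrites, the wallpaper change) appear in Diavol's order within a short window. The event schema and the step labels are assumptions about what a log-normalisation layer would produce.

```python
"""Correlate host telemetry against the Diavol execution order.
Added example, not code from the report. Assumes events are dicts with
'host', 'ts' (seconds) and 'step'; the step labels are hypothetical
names a log-normalisation layer would assign to the observable stages."""
from collections import defaultdict

# Observable stages, in the order the report attributes to Diavol.
DIAVOL_ORDER = ("service_stop", "snapshot_delete",
                "file_encrypt", "wallpaper_change")

def detect_sequence(events, order=DIAVOL_ORDER, window=600):
    """Return {host: [timestamps]} for hosts where every step of `order`
    occurs in that order within `window` seconds of the first step."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    hits = {}
    for host, evs in by_host.items():
        idx, seen = 0, []
        for e in evs:
            step, ts = e["step"], e["ts"]
            if step == order[0] and idx > 0 and ts - seen[0] > window:
                idx, seen = 0, []  # stale chain: start over
            if step != order[idx]:
                continue           # out of order or unrelated event
            if idx > 0 and ts - seen[0] > window:
                continue           # too late to belong to this run
            seen.append(ts)
            idx += 1
            if idx == len(order):
                hits[host] = seen
                break
    return hits

# Constructed sample telemetry (not real logs): ws-01 shows the full chain,
# ws-02 the same stages out of order, ws-03 the stages hours apart.
SAMPLE_EVENTS = [dict(host=h, ts=t, step=s) for h, t, s in [
    ("ws-01", 100, "service_stop"), ("ws-01", 130, "snapshot_delete"),
    ("ws-01", 160, "file_encrypt"), ("ws-01", 400, "wallpaper_change"),
    ("ws-02", 50, "snapshot_delete"), ("ws-02", 60, "service_stop"),
    ("ws-02", 70, "wallpaper_change"), ("ws-02", 80, "file_encrypt"),
    ("ws-03", 10, "service_stop"), ("ws-03", 5000, "snapshot_delete"),
    ("ws-03", 5010, "file_encrypt"), ("ws-03", 5020, "wallpaper_change"),
]]

if __name__ == "__main__":
    print(detect_sequence(SAMPLE_EVENTS))  # {'ws-01': [100, 130, 160, 400]}
```

Only ws-01 is flagged: ws-02 performs the same stages in a different order and ws-03 spreads them over hours, so neither matches the tight, ordered chain the report describes.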