FortiGuard Labs researchers believe a new strain of ransomware called Diavol is linked to Wizard Spider, operators of the Trickbot botnet.
Researchers report that in June 2021, their security solution blocked an attack that used two different ransomware payloads: Diavol and Conti. The two ransomware families operated similarly in terms of their features and operations. They shared the same command-line parameters for logging, encryption of drives and network shares, and network scanning, and both use asynchronous I/O operations for queuing file encryption.
Despite all the similarities, the researchers could not make a high-confidence attribution, as they could not find a direct link between the Diavol ransomware and the Trickbot gang. In addition, Diavol ransomware doesn’t have the built-in checks that prevent the payload from running on Russian systems, whereas Conti does.
There’s also no evidence that data exfiltration capabilities were used before encryption.
Diavol ransomware’s encryption procedure uses user-mode asynchronous procedure calls (APCs) and an asymmetric encryption algorithm. This sets it apart from other ransomware families, which use symmetric algorithms to significantly accelerate the encryption process.
Diavol doesn’t use obfuscation techniques, but it still manages to hide its main routines inside bitmap images.
The code is extracted from the bitmap images in the PE’s resource section and copied into a buffer. It can execute 14 different routines, including creating an identifier for the victim; initializing the configuration; registering with the C&C server and updating the configuration; stopping services and processes; initializing the encryption key; finding all drives to encrypt; finding files to encrypt; preventing recovery by deleting shadow copies; and encryption itself.
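Hiding code inside bitmap resources works because most tools render a resource by its declared header and never ask whether the blob is larger than the image it describes. The following triage check, added here as an illustration and not taken from the FortiGuard report or the Diavol sample, parses a DIB header the way an RT_BITMAP resource stores it (BITMAPINFOHEADER without the file header), computes how many bytes a well-formed image should occupy, and flags resources that carry a large trailer beyond that size. The two resources it inspects are constructed inline; the slack threshold and the entropy heuristic are this example’s own choices, and nothing here claims to match Diavol’s exact resource layout.

```python
import math
import struct
from typing import Dict

# BITMAPINFOHEADER layout (40 bytes), as stored for RT_BITMAP resources
# (resource bitmaps carry no 14-byte BITMAPFILEHEADER in front).
_BIH = struct.Struct("<IiiHHIIiiII")
_BIH_SIZE = 40


def expected_bitmap_size(data: bytes) -> int:
    """Size in bytes a well-formed uncompressed DIB with this header should
    occupy (header + colour table + padded pixel rows), or -1 if malformed."""
    if len(data) < _BIH_SIZE:
        return -1
    (bi_size, width, height, planes, bpp, compression,
     _size_image, _xppm, _yppm, clr_used, _clr_imp) = _BIH.unpack_from(data)
    if bi_size != _BIH_SIZE or planes != 1 or width <= 0 or height == 0:
        return -1
    if bpp not in (1, 4, 8, 16, 24, 32):
        return -1
    if compression != 0:  # only BI_RGB is handled by this heuristic
        return -1
    palette = (clr_used or (1 << bpp)) * 4 if bpp <= 8 else 0
    stride = ((width * bpp + 31) // 32) * 4  # rows are padded to 4 bytes
    return _BIH_SIZE + palette + stride * abs(height)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed code or keys tend to score high."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_bitmap_resource(data: bytes, slack: int = 16) -> Dict[str, object]:
    """Flag a bitmap resource whose body extends well past its declared image.

    `slack` (an assumed tolerance) allows a few bytes of alignment padding
    before the trailer is treated as a hidden payload.
    """
    expected = expected_bitmap_size(data)
    if expected < 0:
        return {"suspicious": True, "reason": "malformed BITMAPINFOHEADER",
                "expected": expected, "actual": len(data), "trailer_entropy": 0.0}
    trailer = data[expected:]
    entropy = shannon_entropy(trailer)
    suspicious = len(trailer) > slack
    reason = (f"{len(trailer)} bytes beyond declared image (entropy {entropy:.2f})"
              if suspicious else "size consistent with header")
    return {"suspicious": suspicious, "reason": reason, "expected": expected,
            "actual": len(data), "trailer_entropy": entropy}


def _dib_header(width: int, height: int, bpp: int, size_image: int) -> bytes:
    # Helper for the constructed samples below: BI_RGB, 72 dpi, no palette.
    return _BIH.pack(_BIH_SIZE, width, height, 1, bpp, 0, size_image, 2835, 2835, 0, 0)


# Constructed sample 1: a legitimate 2x2 24-bit bitmap (two 8-byte padded rows).
BENIGN_RESOURCE = _dib_header(2, 2, 24, 16) + bytes([0xFF, 0, 0] * 2 + [0, 0]) * 2

# Constructed sample 2: the same image with 64 bytes of non-image data appended,
# standing in for a resource that carries more than the picture it declares.
SUSPICIOUS_RESOURCE = BENIGN_RESOURCE + bytes(range(64))


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RESOURCE), ("suspicious", SUSPICIOUS_RESOURCE)):
        print(name, inspect_bitmap_resource(blob))
```

In practice the function would be run over every RT_BITMAP entry enumerated from a PE’s resource directory; a declared-size mismatch is a cheap first filter, and the entropy of the trailer helps separate stray padding from packed code worth pulling into a sandbox.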
Right before Diavol ransomware finishes, it changes the wallpaper of every encrypted Windows device to a black one supplied by the attackers, displaying the following message: “All your files are encrypted! For more information see README-FOR-DECRYPT.txt”
“Currently, the source of the intrusion is unknown,” Fortinet says. “The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to.”
FortiGuard’s full threat report on Diavol ransomware contains detailed information about the attack and its indicators of compromise.