FBI Formally Links Diavol Ransomware to TrickBot Group

The FBI has identified the developers of the Diavol ransomware as TrickBot Group, the creators of the TrickBot malware.

The TrickBot Group (aka Wizard Spider) is a malware development crew whose infections have affected corporate networks for years and whose work includes the Conti and Ryuk ransomware variants. The group is best known, however, for developing the notorious banking trojan TrickBot.

In July 2021, FortiGuard Labs researchers reported that they had found the two ransomware variants on a network during a ransomware attack in early June 2021. They also observed that the two samples used almost the same command-line parameters and the same asynchronous I/O approach for file encryption.

At the time, however, that was not enough evidence to formally link the two operations.

A month later, after analyzing the samples, IBM X-Force researchers were able to connect the Diavol ransomware to the group’s other products, namely Anchor and TrickBot. The FBI now had enough evidence to link the operation of Diavol ransomware to the TrickBot Gang.

“The FBI first learned of Diavol ransomware in October 2021. Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan,” the FBI states in a new FBI Flash advisory.

Most likely, the FBI was able to link Diavol to the TrickBot Group after the arrest of Alla Witte, a Latvian woman involved in developing malware who was responsible for the development of the new TrickBot-linked ransomware.

“Alla Witte played a critical role for the TrickBot operations and, based on the previous AdvIntel deep adversarial insight, she was responsible for the development of the Diavol ransomware and the frontend/backend project meant to support TrickBot operations with the specific tailored ransomware with the bot backconnectivity between TrickBot and Diavol,” Kremez told BleepingComputer. “Another name for the Diavol ransomware was ‘Enigma’ ransomware, leveraged by the TrickBot crew before the Diavol re-brand.”

The FBI’s advisory provides detailed information about how the Diavol ransomware operates, which security professionals and network administrators can use to improve their defenses.

Aside from providing details about the malware, the FBI also encourages victims to immediately report ransomware infections to law enforcement and to avoid paying ransoms.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.