The Trickbot botnet was used by threat actors to spread the Ryuk and Conti ransomware families, experts noticed similarities between Diavol and Conti threats. Unlike Conti, Diavol doesn’t avoid infecting Russian victims.
At the beginning of June, FortiEDR detected and halted a ransomware attack against one of the customers of the security firm. The security firm detected two suspicious files, locker.exe and locker64.dll, that at the time were not found on VirusTotal. locker64.dll was detected as a Conti (v3) ransomware sample, while locker.exe appeared to be completely different and dubbed it Diavol.
Upon infecting the system, the ransomware drops a text ransom note in each folder and threatens victims to leak the stolen files in case they will not pay the ransom. However, Fortinet researchers that analyzed the malware discovered that ransomware operators have yet to implement data-stealing capabilities.
“According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities. Browsing to the URL led to us a website, seen in figures 2 and 3, from which we derived the name for the ransomware.” reads the analysis published by Fortinet.
The Diavol ransomware was compiled with Microsoft Visual C/C++ Compiler, it uses user-mode Asynchronous Procedure Calls (APCs) without symmetric encryption algorithm for encryption, which has worse performance compared to symmetric algorithms.
Upon execution, the malware starts checking for command line arguments to determine the path to scan first, and if encrypt local partitions or network shares.
The ransomware keeps its main routines in bitmap images that are stored in the PE resource section, with a total of 14 routines identified, including one that instructs Diavol to stop services and processes and another to delete shadow copies.
“Currently, the source of the intrusion is unknown. The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to.” concludes the report. As the attack progressed, we found more Conti payloads named locker.exe in the network, strengthening the possibility the threat actor is indeed Wizard Spider. Despite a few similarities between Diavol, Conti, and other related ransomware, it’s still unclear, however, whether there’s a direct link between them. “
(SecurityAffairs – hacking, LinkedIn)