“The FBI first learned of Diavol ransomware in October 2021. Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan. Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments,” reads the flash alert published by the FBI. “The FBI has not yet observed Diavol leak victim data, despite ransom notes including threats to leak stolen information.”
TrickBot is a popular banking Trojan that has been around since October 2016; its authors have continuously upgraded it by implementing new features. Operators continue to offer the botnet through a multi-purpose malware-as-a-service (MaaS) model. Threat actors leverage the botnet to distribute a broad range of malware, including info-stealers and ransomware such as Conti and Ryuk. To date, the TrickBot botnet has already infected more than a million computers.
The TrickBot Gang is also behind the development of the BazarBackdoor and Anchor backdoors.
In July, researchers from Fortinet first spotted the new ransomware family, tracked as Diavol, and speculated it might have been developed by Wizard Spider, the cybercrime gang behind the TrickBot botnet.
Fortinet experts noticed similarities between Diavol and Conti threats, but unlike Conti, Diavol doesn’t avoid infecting Russian victims.
In August, IBM X-Force researchers conducted a new analysis of an old variant of the threat that, unlike the one analyzed by Fortinet experts, appears to be a development version used for testing purposes.
The comparison of the two versions allowed the researchers to get insight into the development process of Diavol and of future versions of the malware.
The analysis conducted by IBM X-Force researchers reinforced the link between Diavol ransomware and the TrickBot malware.
Now the FBI’s report provides technical details about the Diavol ransomware and its link to the TrickBot gang.
“The Bot ID generated by Diavol is nearly identical to the format used by TrickBot and the Anchor DNS malware, also attributed to Trickbot,” continues the report.
The FBI’s advisory also contains indicators of compromise along with mitigations for Diavol.
The FBI encourages victims of the gang to report information concerning suspicious or criminal activity to their local FBI field office.
The FBI also urges all victims of the Diavol operation to notify law enforcement of attacks.
(SecurityAffairs – hacking, Diavol ransomware)