Diavol ransomware appears in the threat landscape. Is it the work of the Wizard Spider gang?

July 2, 2021 - SecurityAffairs

Wizard Spider, the cybercrime gang behind the TrickBot botnet, is believed to be the author of a new ransomware family dubbed Diavol, Fortinet researchers report.

Researchers from Fortinet reported that a new ransomware family, tracked as Diavol, might have been developed by Wizard Spider, the cybercrime gang behind the TrickBot botnet.

Threat actors used the TrickBot botnet to distribute the Ryuk and Conti ransomware families, and experts noticed similarities between Diavol and Conti. Unlike Conti, however, Diavol does not avoid infecting Russian victims.

At the beginning of June, FortiEDR detected and halted a ransomware attack against one of the security firm's customers. The firm recovered two suspicious files, locker.exe and locker64.dll, which at the time were not present on VirusTotal. locker64.dll was identified as a Conti (v3) ransomware sample, while locker.exe appeared to be a completely different family, which the researchers dubbed Diavol.


Upon infecting a system, the ransomware drops a text ransom note in each folder and threatens to leak the victim's stolen files if the ransom is not paid. However, the Fortinet researchers who analyzed the malware found that its operators have yet to implement any data-stealing capability.

“According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities. Browsing to the URL led us to a website, seen in figures 2 and 3, from which we derived the name for the ransomware,” reads the analysis published by Fortinet.

The Diavol ransomware was compiled with the Microsoft Visual C/C++ compiler. It encrypts files through user-mode Asynchronous Procedure Calls (APCs) and, unusually, uses no symmetric encryption algorithm, an approach that performs worse than symmetric encryption.

Upon execution, the malware first parses its command-line arguments to determine which path to scan first and whether to encrypt local partitions or network shares.

The ransomware stores its main routines as bitmap images in the PE resource section. The researchers identified 14 such routines in total, including one that stops services and processes and another that deletes shadow copies.
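The detail that Diavol carries its routines inside bitmap resources suggests a triage heuristic for analysts: a bitmap whose pixel area looks like native code rather than an image. The Python below is an added example, not Fortinet's analysis code nor anything from the malware; it parses a standalone BMP (an RT_BITMAP resource extracted to disk with its 14-byte file header) and scores the pixel area by x86/x64 function-prologue density and byte entropy on two constructed samples. The prologue byte patterns and the thresholds are assumptions chosen for illustration.

```python
import collections
import math
import random
import struct

# Common x86/x64 function-prologue byte sequences (assumed heuristic set):
# push ebp; mov ebp,esp / push rbp; mov rbp,rsp / sub rsp,imm8 / mov [rsp+..],rbx
PROLOGUES = (b"\x55\x8b\xec", b"\x55\x48\x89\xe5", b"\x48\x83\xec", b"\x48\x89\x5c\x24")

def bmp_pixels(blob: bytes) -> bytes:
    """Return the pixel array of a BMP file (BITMAPFILEHEADER + DIB header + pixels)."""
    if len(blob) < 54 or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", blob, 10)[0]  # bfOffBits
    if pixel_offset < 54 or pixel_offset > len(blob):
        raise ValueError("bad pixel-array offset")
    return blob[pixel_offset:]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = collections.Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def scan_bitmap(blob: bytes, min_hits_per_kib: float = 4.0) -> dict:
    """Flag a bitmap whose pixel area looks like code: many prologues, code-like entropy."""
    px = bmp_pixels(blob)
    hits = sum(px.count(p) for p in PROLOGUES)
    density = hits / max(len(px) / 1024, 1e-9)
    ent = entropy(px)
    # Real images rarely contain prologue sequences; packed or encrypted blobs sit
    # near 8.0 bits/byte, while plain native code usually lands in the 5-7 range.
    suspicious = density >= min_hits_per_kib and 4.0 <= ent <= 7.5
    return {"pixel_bytes": len(px), "prologue_hits": hits,
            "entropy": round(ent, 2), "suspicious": suspicious}

def make_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Wrap an arbitrary byte string in a minimal 8-bpp BMP without palette (constructed)."""
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 8, 0, len(pixels), 2835, 2835, 0, 0)
    hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    return hdr + dib + pixels

# Constructed samples, not real Diavol resources: a code-like pixel area made of
# repeated prologues plus low-range filler, and an image-like byte gradient.
_rng = random.Random(7)
CODE_LIKE = b"".join(b"\x55\x8b\xec\x83\xec\x10" + bytes(_rng.randrange(0x40) for _ in range(20))
                     for _ in range(160))
IMAGE_LIKE = bytes(i % 256 for i in range(4160))
CODE_BMP = make_bmp(CODE_LIKE, 64, 65)
IMAGE_BMP = make_bmp(IMAGE_LIKE, 64, 65)

if __name__ == "__main__":
    for name, bmp in (("code-like", CODE_BMP), ("image-like", IMAGE_BMP)):
        print(name, scan_bitmap(bmp))
```

A hit on this heuristic is a reason to open the resource in a disassembler, not a verdict; legitimate installers also embed odd-looking bitmaps.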

“Currently, the source of the intrusion is unknown. The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to,” concludes the report, which also notes: “As the attack progressed, we found more Conti payloads named locker.exe in the network, strengthening the possibility the threat actor is indeed Wizard Spider. Despite a few similarities between Diavol, Conti, and other related ransomware, it’s still unclear, however, whether there’s a direct link between them.”

Pierluigi Paganini

(SecurityAffairs – hacking, LinkedIn)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog “Security Affairs”, recently named a Top National Security Resource for the US. Pierluigi is a member of “The Hacker News” team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.

