The Fortinet researchers’ report indicated that Wizard Spider, the threat actors behind the TrickBot botnet, might have developed a new ransomware named ‘Diavol.’ According to their observations, Diavol showed similarities with another ransomware family, Conti. However, the observed attacks lacked some tactics that were previously associated with Wizard Spider. In this article at The Hacker News, Ravie Laxmanan explains how Diavol ransomware steals data.
How Does It Infect a System?
Unlike Conti, Diavol does not avoid infecting Russian users. At the beginning of June, Fortinet researchers identified and terminated a ransomware attack against one of the security firm’s customers. The security firm detected two suspicious files, locker.exe and locker64.dll. The locker64.dll file was similar to a Conti (v3) ransomware sample. The locker.exe file, on the other hand, was entirely different and was named ‘Diavol.’
Some of the significant functions carried out by Diavol include “registering the victim device with a remote server, terminating running processes, finding local drives and files in the system to encrypt, and preventing recovery by deleting shadow copies,” says Laxmanan. The malware then locks the files and changes the desktop wallpaper to display a ransom message.
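The behaviours listed above are visible in endpoint telemetry before any file is encrypted, and the shadow-copy deletion in particular is a reliable early signal. The following detection logic is an added example, not code from the article or from Fortinet’s report: it scans constructed process-creation events (the field names `host`, `image` and `cmdline` are assumptions modelled on a Sysmon process-creation export) for the common ways shadow copies get deleted on Windows and returns an alert per matching event.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry); field
# names follow a typical Sysmon Event ID 1 export but are an assumption.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: read-only query
    {"host": "ws02", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},                        # benign
    {"host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
]

# Detection rules for shadow-copy removal (MITRE ATT&CK T1490, Inhibit System
# Recovery). Each rule is (name, image regex, command-line regex); matching is
# done on lower-cased strings so casing tricks do not evade it.
RULES = [
    ("vssadmin_delete_shadows",
     r"\\vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("vssadmin_resize_shadowstorage",       # shrinking storage also purges copies
     r"\\vssadmin\.exe$", r"\bresize\s+shadowstorage\b.*/maxsize="),
    ("wmic_shadowcopy_delete",
     r"\\wmic\.exe$", r"\bshadowcopy\b.*\bdelete\b"),
    ("powershell_win32_shadowcopy_delete",
     r"\\powershell\.exe$", r"win32_shadowcopy.*\.delete\(\)"),
]


@dataclass
class Alert:
    host: str
    rule: str
    cmdline: str


def scan_events(events):
    """Return one Alert per event whose image and command line match a rule."""
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        cmd = ev["cmdline"].lower()
        for name, img_re, cmd_re in RULES:
            if re.search(img_re, image) and re.search(cmd_re, cmd):
                alerts.append(Alert(ev["host"], name, ev["cmdline"]))
                break  # one alert per event is enough
    return alerts


def hosts_with_recovery_inhibition(events):
    """Sorted list of hosts on which shadow-copy deletion was observed."""
    return sorted({a.host for a in scan_events(events)})


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.rule} <- {alert.cmdline}")
    print("hosts to isolate:", hosts_with_recovery_inhibition(SAMPLE_EVENTS))
```

Matching on the image path as well as the command line keeps the benign `vssadmin list shadows` query and renamed copies of unrelated binaries out of the alert set; in practice the host list returned by `hosts_with_recovery_inhibition` is what an isolation playbook would act on, since on a ransomware timeline shadow-copy deletion typically precedes encryption by minutes.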
The Technical Analysis
Compiled with the Microsoft Visual C/C++ compiler, Diavol utilizes user-mode Asynchronous Procedure Calls (APCs) for file encryption, an approach that is much slower than symmetric encryption. Once executed, the malware starts checking for specific files or folders. The malware then encrypts the local partitions or network shares.
Diavol and Conti use nearly identical command-line parameters and the same functionality. Furthermore, both operate with asynchronous I/O operations when queuing files for encryption. These similarities suggest a close connection between Diavol and Conti.
According to Fortinet researchers, the source of the intrusion is unknown. The errors in the hardcoded configuration and other parameters used by the attackers indicate that Diavol is a new tool that attackers are not yet fully accustomed to.
To read the original article, click on https://thehackernews.com/2021/07/trickbot-botnet-found-deploying-new.html.