Is the ‘TrickBot’ Gang Really Behind the ‘Diavol’ Ransomware Strain?

  • IBM has found several connections between the operator of TrickBot and the Diavol ransomware.
  • This assumption has been circulating for a month now as other researchers spotted similarities.
  • The new ransomware strain hasn’t had very active operations yet and appears to be still in testing.

In July 2021, researchers at Fortinet spotted a new ransomware family called ‘Diavol’ and conducted an initial analysis that revealed links with the actor known as ‘Wizard Spider’ as well as similarities with Conti. A month later, the IBM X-Force Threat Intelligence team is in a position to give us a deeper insight into the attribution, presenting evidence that connects the two.

‘Wizard Spider’ is a Russian actor and the main operator of the TrickBot banking malware (one of the most persistent, potent, and actively developed trojans in modern computing history) that has been around since 2016 and sustained highly disruptive coordinated attacks. As such, it wouldn’t be surprising to hear that the authors of TrickBot put in the effort into making a new ransomware strain of their own.

IBM’s analysts dug deep into the indicators of compromise, and whatever crumbs of evidence lay on the net and found out that the first testing sample dated all the way back on March 5, 2020. Of course, that was an early beta version, with the first actual detection tests taking place on VirusTotal on January 27, 2021.

As a ransomware, Diavol uses an RSA encryption key, features a configurable file type prioritization system, and can detect and terminate processes that threaten to put the encryption process at risk. The initial execution triggers a reconnaissance step during which a System/Bot ID is generated, following the exact same format as that used by TrickBot.

Another similarity between the two is the C2 communication configuration which is set to prefer Russian language content. The inexplicable absence of preliminary language checks that would exclude Russian victims is now explained as a case of the feature not being implemented in the analyzed samples or not being activated in the sampled versions. IBM’s analysts report that they have spotted the feature in unused strings, but for some reason, it isn’t deployed yet.

The characteristic file extension appended by ‘Diavol’ os “.lock64”, but the chances of seeing it live are slim as the project hasn’t taken off yet. To be on the safe side, establish and follow a solid backup plan, employ MFA wherever possible, and monitor your network logs frequently to spot the presence of actors before they have the chance to do any damage.

How to Watch The D’Amelio Show Season 2 Online From Anywhere
The D’Amelio family is back for Season 2 of The D’Amelio Show, a reality series that takes you into the world of...
How to Watch This England Online From Anywhere: Stream Sky’s New Boris Johnson Drama
A highly-anticipated drama that chronicles the story of Boris Johnson and his administration as they respond to the COVID-19 pandemic is going...
How to Watch The Real Housewives of Salt Lake City Season 3 Online From Anywhere
The Bravo reality series that was developed as the tenth installment of the Real Housewives franchise is back with a new season,...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari