- IBM has found several connections between the operator of TrickBot and the Diavol ransomware.
- This assumption has been circulating for a month now as other researchers spotted similarities.
- The new ransomware strain hasn’t had very active operations yet and appears to be still in testing.
In July 2021, researchers at Fortinet spotted a new ransomware family called ‘Diavol’ and conducted an initial analysis that revealed links with the actor known as ‘Wizard Spider’ as well as similarities with Conti. A month later, the IBM X-Force Threat Intelligence team is in a position to give us a deeper insight into the attribution, presenting evidence that connects the two.
‘Wizard Spider’ is a Russian actor and the main operator of the TrickBot banking malware (one of the most persistent, potent, and actively developed trojans in modern computing history), which has been around since 2016 and has sustained highly disruptive coordinated attacks. As such, it wouldn’t be surprising to hear that the authors of TrickBot put effort into making a new ransomware strain of their own.
IBM’s analysts dug deep into the indicators of compromise and whatever crumbs of evidence lay on the net, and found that the first testing sample dates all the way back to March 5, 2020. Of course, that was an early beta version, with the first actual detection tests taking place on VirusTotal on January 27, 2021.
As ransomware, Diavol uses an RSA encryption key, features a configurable file type prioritization system, and can detect and terminate processes that threaten to put the encryption process at risk. The initial execution triggers a reconnaissance step during which a System/Bot ID is generated, following the exact same format as that used by TrickBot.
Another similarity between the two is the C2 communication configuration, which is set to prefer Russian language content. The previously inexplicable absence of preliminary language checks that would exclude Russian victims is now explained as a case of the feature not being implemented in the analyzed samples or not being activated in the sampled versions. IBM’s analysts report that they have spotted the feature in unused strings, but for some reason, it isn’t deployed yet.
The characteristic file extension appended by ‘Diavol’ is “.lock64”, but the chances of seeing it live are slim as the project hasn’t taken off yet. To be on the safe side, establish and follow a solid backup plan, employ MFA wherever possible, and monitor your network logs frequently to spot the presence of actors before they have the chance to do any damage.
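As an added illustration of the monitoring advice (not code from IBM, Fortinet, or this article), the sketch below flags hosts that produce a burst of files ending in the “.lock64” extension within a short window. The pipe-delimited event format, host names, window, and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DIAVOL_EXT = ".lock64"          # extension reported in the article
WINDOW = timedelta(seconds=60)  # assumed tuning value
THRESHOLD = 3                   # assumed tuning value

# Constructed sample events (assumed format): timestamp|host|action|new_path
SAMPLE_EVENTS = r"""
2021-08-18T10:00:01|ws-017|rename|D:\share\finance\q2.xlsx.lock64
2021-08-18T10:00:02|ws-017|rename|D:\share\finance\q3.xlsx.LOCK64
2021-08-18T10:00:02|ws-017|write|D:\share\finance\notes.txt
2021-08-18T10:00:04|ws-017|rename|D:\share\hr\staff list.docx.lock64
2021-08-18T10:00:05|ws-017|rename|D:\share\hr\payroll.csv.lock64
2021-08-18T09:00:00|ws-022|rename|C:\tmp\sample.lock64
2021-08-18T11:30:00|ws-022|rename|C:\tmp\other.lock64
this line is malformed and is skipped
""".strip().splitlines()


def find_lock64_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per host: (host, first_hit_in_window, peak_hits).

    Assumes events arrive in time order for each host.
    """
    recent = defaultdict(deque)  # host -> timestamps of matching events
    alerts = {}
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed records instead of failing the scan
        ts_raw, host, action, path = parts
        if action not in ("rename", "create"):
            continue
        # Windows paths are case-insensitive, so compare in lower case.
        if not path.lower().endswith(DIAVOL_EXT):
            continue
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop hits that fell out of the sliding window
        if len(q) >= threshold:
            first, peak = alerts.get(host, (q[0], 0))
            alerts[host] = (first, max(peak, len(q)))
    return [(h, first.isoformat(), n) for h, (first, n) in sorted(alerts.items())]
```

A single stray “.lock64” file, as on the constructed host ws-022, stays below the threshold; only the rapid run on ws-017 is reported.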