Ransomware operators sometimes announce the shutdown of their operations, only to return with a new ransomware variant; some build new ransomware that reuses capabilities of the old one. Recently, security researchers from Fortinet discovered a new ransomware, dubbed Diavol, that has been targeting organizations globally since June 2021. While Diavol is a new threat, the researchers claimed that it has a connection with Wizard Spider, a Russia-based cybercriminal group that operates the Trickbot botnet.
How Diavol Spreads
Researchers stated that Diavol uses Asynchronous Procedure Calls (APCs) together with a unique encryption procedure, and that it drops a ransom note in every folder it encrypts. Although Diavol does not use any tactics to evade security detections, the researchers did find an anti-analysis technique the group uses to disguise its code.
Diavol Attack Flow
- Create ID on the targeted system
- Initialize configuration
- Initiate C&C communication
- Kill system processes
- Initialize encryption key
- Find drives
- Find files
- Prevent recovery
- Encrypt files
- Change desktop wallpaper
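As an added detection-side example (not from the article or from Fortinet's analysis), the following Python heuristic flags the "ransom note in every encrypted folder" behaviour from the attack flow above when run over file-write telemetry; the note file name, the event format, the ".enc" extension and the sample paths are all constructed assumptions.

```python
"""Per-folder ransom-note detection heuristic (added example, not Fortinet's code).
The note name, event schema and sample events below are constructed assumptions."""
from collections import defaultdict
from typing import Iterable, NamedTuple

NOTE_NAME = "README_FOR_DECRYPT.txt"   # placeholder: the real note name is not given on the page


class FileEvent(NamedTuple):
    ts: float    # seconds since epoch (constructed)
    pid: int     # process that performed the write
    path: str    # full path written


def _parent(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[0].lower()


def _name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[1].lower()


def encrypted_folders(events: Iterable[FileEvent], min_files: int = 3, window: float = 60.0) -> dict:
    """Return {pid: sorted folders} for processes that wrote the ransom note into a folder
    and modified at least `min_files` other files there within `window` seconds of it."""
    by_pid_dir = defaultdict(list)
    for ev in events:
        by_pid_dir[(ev.pid, _parent(ev.path))].append(ev)
    hits = defaultdict(set)
    for (pid, folder), evs in by_pid_dir.items():
        notes = [e for e in evs if _name(e.path) == NOTE_NAME.lower()]
        if not notes:
            continue
        note_ts = notes[0].ts
        others = [e for e in evs if _name(e.path) != NOTE_NAME.lower() and abs(e.ts - note_ts) <= window]
        if len(others) >= min_files:
            hits[pid].add(folder)
    return {pid: sorted(folders) for pid, folders in hits.items()}


def is_ransomware_like(events, min_folders: int = 2, **kw) -> bool:
    """One note in one folder is noise; the same process repeating it across folders is the pattern."""
    return any(len(f) >= min_folders for f in encrypted_folders(events, **kw).values())


# Constructed sample telemetry: pid 4242 behaves like the locker, pid 800 is ordinary user activity.
SAMPLE_EVENTS = [
    FileEvent(1000.0, 4242, r"C:\Users\a\Documents\q1.xlsx.enc"),
    FileEvent(1000.5, 4242, r"C:\Users\a\Documents\notes.docx.enc"),
    FileEvent(1001.0, 4242, r"C:\Users\a\Documents\budget.pdf.enc"),
    FileEvent(1001.2, 4242, r"C:\Users\a\Documents\README_FOR_DECRYPT.txt"),
    FileEvent(1002.0, 4242, r"C:\Users\a\Pictures\img1.jpg.enc"),
    FileEvent(1002.1, 4242, r"C:\Users\a\Pictures\img2.jpg.enc"),
    FileEvent(1002.2, 4242, r"C:\Users\a\Pictures\img3.jpg.enc"),
    FileEvent(1002.5, 4242, r"C:\Users\a\Pictures\README_FOR_DECRYPT.txt"),
    FileEvent(1500.0, 800, r"C:\Users\a\Documents\report.docx"),
]
```

Tune `min_files` and `window` to the telemetry source; the per-process grouping is what keeps a user who merely opens a stray note file from triggering the rule.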
Similarities to Conti and Egregor Ransomware
The researchers also analyzed Diavol to find any similarities with the Conti and Egregor ransomware families. The command-line parameters used by Diavol are somewhat similar to those of Conti. In addition, both Conti and Diavol use synchronous I/O operations while encrypting files. The researchers also suspected links with Egregor. However, the attackers could have introduced these similarities on purpose to confuse security experts.
“Currently, the source of the intrusion is unknown. The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators, which they are not yet fully accustomed to. As the attack progressed, we found more Conti payloads named locker.exe in the network, strengthening the possibility the threat actor is indeed Wizard Spider. Despite a few similarities between Diavol, Conti, and other related ransomware, it’s still unclear, however, whether there’s a direct link between them. And there are a couple of major differences from attacks previously attributed to Wizard Spider,” Fortinet said.