New analysis of Diavol ransomware reinforces the link to TrickBot gang

Researchers conducted a new analysis of the Diavol ransomware and found new evidence of the link with the gang behind the TrickBot botnet.

In July, researchers from Fortinet reported that a new ransomware family, tracked as Diavol, might have been developed by Wizard Spider, the cybercrime gang behind the TrickBot botnet.

The Trickbot botnet was used by threat actors to spread the Ryuk and Conti ransomware families, experts noticed similarities between Diavol and Conti threats. Unlike Conti, Diavol doesn’t avoid infecting Russian victims.

At the beginning of June, FortiEDR detected and halted a ransomware attack against one of the customers of the security firm. The security firm detected two suspicious files, locker.exe and locker64.dll, that at the time were not found on VirusTotal. locker64.dll was detected as a Conti (v3) ransomware sample, while locker.exe appeared to be completely different and dubbed it Diavol.

Upon infecting the system, the ransomware drops a text ransom note in each folder and threatens victims to leak the stolen files in case they will not pay the ransom. However, Fortinet researchers that analyzed the malware discovered that ransomware operators have yet to implement data-stealing capabilities.

“According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities. Browsing to the URL led to us a website, seen in figures 2 and 3, from which we derived the name for the ransomware.” reads the analysis published by Fortinet.

The Diavol ransomware was compiled with Microsoft Visual C/C++ Compiler, it uses user-mode Asynchronous Procedure Calls (APCs) without symmetric encryption algorithm for encryption, which has worse performance compared to symmetric algorithms.

Now IBM X-Force researchers conducted a new analysis of an old variant of the threat that unlike the one analyzed by Fortinet experts appears to be a development version used for testing purposes.

The comparison of the two versions allowed the researchers to get insight into the development process of Diavol and of future versions of the malware.

The sample analyzed by IBM X-Force was submitted to Virus Total on January 27, 2021 and has a reported compilation date of March 5, 2020.

Upon executing the ransomware, it collects basic system information on the infected system such as Windows version and network adapter details. Then, the ransomware generates a System/Bot ID with the following format:

<hostname>-<username>_W<windows _version>.<guid>

For example:

DESKTOP-4LUGU5I-reuser_W10019041.C3F3799FE69249579857D2039BBBAB11

IBM researchers noticed that this format is almost identical to the Bot ID generated by TrickBot malware (i.e. Anchor DNS), except for the username field.

“TrickBot itself, along with the Anchor DNS malware that has been attributed to TrickBot, generates a Bot ID of an almost identical format to that used by the Diavol ransomware.” continues the analysis.

In the sample of Diavol ransomware analyzed by IBM, the HTTP headers used for C2 communication are set to prefer Russian language content, which is also the language used by TrickBot operators.

Experts also noticed that Diavol ransomware includes the code to check the language on the compromised system to avoid infecting victims in Russia or the Commonwealth of Independent States (CIS) region, the same behavior observed for the TrickBot gang.

IBM X-Force experts state that the Diavol ransomware is evolving, future variants could give the experts new clues to linke the malware to TrickBot.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]