Emsisoft releases free decryptor for the victims of the Diavol ransomware

Cybersecurity firm Emsisoft released a free decryptor that allows the victims of the Diavol ransomware to recover their files without paying a ransom.

In January 2022, the FBI officially linked the Diavol ransomware operation to the TrickBot gang, the group behind the TrickBot banking trojan.

TrickBot is a banking Trojan that has been active since October 2016, and its authors have continuously upgraded it with new features. Its operators offer the botnet through a multi-purpose malware-as-a-service (MaaS) model, and threat actors use it to distribute a broad range of malware, including info-stealers and ransomware families such as Conti and Ryuk. To date, the TrickBot botnet has infected more than a million computers.

The TrickBot Gang is also behind the development of the BazarBackdoor and Anchor backdoors.

In July 2021, researchers from Fortinet first spotted the new ransomware family, tracked as Diavol, and speculated that it might have been developed by Wizard Spider, the cybercrime gang behind the TrickBot botnet.

Fortinet experts noticed similarities between Diavol and Conti, but unlike Conti, Diavol does not avoid infecting Russian victims.

In August 2021, IBM X-Force researchers analyzed an older variant of the threat which, unlike the sample examined by Fortinet, appears to be a development build used for testing.

Comparing the two versions gave the researchers insight into Diavol's development process and into the direction future versions of the malware are likely to take.

The analysis conducted by IBM X-Force researchers reinforced the link between Diavol ransomware and the TrickBot malware.

The free decryptor for the Diavol ransomware can be downloaded from Emsisoft, which also published a usage guide for the tool.

“The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data. This file must be roughly 20KB or larger in size. Please do not change the file names of the original and encrypted files, as the decryptor may perform file name comparisons to determine the correct file extension used for encrypted files on your system.” reads the guide for the decryptor.

Emsisoft points out that the decryptor cannot guarantee that the decrypted data is identical to the original, because the ransomware does not store any information (such as a checksum) about the unencrypted files that the tool could verify the output against.

The company also warns that, due to technical limitations, the decryptor may not be able to decrypt files larger than the file pair provided to it.
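The three constraints above (a plaintext/ciphertext pair is needed, files larger than the pair may not be recoverable, and the output cannot be verified) are the characteristic signature of a known-plaintext attack against an encryption routine that applies the same keystream to every file. The following is an added illustration of that generic weakness, written for this page; it is not Emsisoft's decryptor, not Diavol's code, and it makes no claim about which cipher Diavol actually uses. The toy keystream derivation, the seed value and the sample file contents are all constructed assumptions for the demo.

```python
import hashlib

# --- Toy "ransomware" side (assumption: one keystream reused across every file) ---

def toy_keystream(seed: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256 over seed||counter. A stand-in for whatever
    per-victim key material a real sample would derive; assumption, not Diavol's."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(plaintext: bytes, seed: bytes) -> bytes:
    """Encrypt a file by XORing it with the shared keystream (the flawed scheme)."""
    return xor_bytes(plaintext, toy_keystream(seed, len(plaintext)))


# --- Recovery side: what a known-plaintext decryptor can and cannot do ---

MIN_PAIR_SIZE = 20 * 1024  # the guide asks for a pair of roughly 20KB or more


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: because C = P xor K, the keystream is simply
    P xor C. We only learn as many keystream bytes as the pair is long, which is
    why a larger pair lets the tool decrypt larger files."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("pair must be the original and its encrypted copy")
    if len(plaintext) < MIN_PAIR_SIZE:
        raise ValueError("file pair too small; provide a pair of ~20KB or more")
    return xor_bytes(plaintext, ciphertext)


def decrypt_with_recovered(ciphertext: bytes, keystream: bytes):
    """Decrypt another file with the recovered keystream.

    Returns (decrypted_bytes, complete). If the file is longer than the
    keystream we recovered, only the covered prefix can be decrypted and
    `complete` is False. Note there is no way to tell from the output alone
    whether it is correct: nothing about the original was stored, so a
    keystream from the wrong pair decrypts "successfully" to garbage."""
    covered = min(len(ciphertext), len(keystream))
    return xor_bytes(ciphertext[:covered], keystream[:covered]), covered == len(ciphertext)


def demo():
    """Walk through the scenario the guide describes; constructed sample data."""
    seed = b"constructed-victim-seed"
    # A ~25KB document the victim still has a clean copy of (e.g. a cached download).
    pair_plain = bytes(range(256)) * 100
    pair_cipher = toy_encrypt(pair_plain, seed)
    keystream = recover_keystream(pair_plain, pair_cipher)

    small = b"constructed small file contents " * 40        # shorter than the pair
    large = b"constructed large file contents " * 1000      # longer than the pair
    small_out, small_ok = decrypt_with_recovered(toy_encrypt(small, seed), keystream)
    large_out, large_ok = decrypt_with_recovered(toy_encrypt(large, seed), keystream)

    # A pair from a different victim/key yields a keystream that decrypts silently to junk.
    wrong_ks = recover_keystream(pair_plain, toy_encrypt(pair_plain, b"other-seed"))
    wrong_out, _ = decrypt_with_recovered(toy_encrypt(small, seed), wrong_ks)

    return {
        "small_recovered": small_out == small and small_ok,
        "large_complete": large_ok,
        "large_prefix_ok": large_out == large[: len(keystream)],
        "wrong_pair_detectable": wrong_out == small,
    }


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the small file fully recovered, the large file recovered only up to the length of the supplied pair, and the wrong-pair case producing output that the code cannot distinguish from a correct decryption, which is exactly why the guide asks for a large pair and declines to guarantee the result.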

Pierluigi Paganini

(SecurityAffairs – hacking, Diavol ransomware)
