Diavol Ransomware Appears to Have Connections with TrickBot
The FBI Formally Linked the Diavol Ransomware Operation to the TrickBot Group.
TrickBot is a distant descendant of the ZeuS banking Trojan, which first appeared in 2005, although it is most commonly associated with Dyre (also known as Dyreza), which went down in 2015. TrickBot appeared in 2016, replicating parts of Dyre's malware while preserving its banking credential harvesting and web inject architecture. TrickBot has since evolved into a malware empire with a plethora of plugin modules, cryptomining and persistence capabilities, and a growing relationship with follow-on ransomware infections.
In July 2021, researchers from FortiGuard Labs published an analysis of a new ransomware variant known as Diavol (Romanian for Devil), which had been observed targeting corporate victims.
Analysis revealed certain similarities between the two ransomware variants, such as the use of asynchronous I/O operations for queueing file encryption and the use of almost identical command-line options for the same functionality.
Diavol Ransomware’s Connection to TrickBot Gang
The FBI formally announced that it has linked the Diavol ransomware operation to the TrickBot gang in a new advisory sharing indicators of compromise observed in previous attacks.
The FBI first learned of Diavol ransomware in October 2021. Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan. Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments. The FBI has not yet observed Diavol leak victim data, despite ransom notes including threats to leak stolen information.
The FBI has since observed ransom demands ranging from $10,000 to $500,000, with smaller sums accepted during ransom negotiations.
As explained by BleepingComputer, these figures contrast sharply with the larger ransoms demanded by other TrickBot-affiliated ransomware operations, such as Conti and Ryuk, which have typically demanded multi-million dollar ransoms.
The FBI alert offers multiple indicators of compromise and mitigations for Diavol, making it a must-read for security professionals and Windows/network administrators alike.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
- Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.
- Regularly back up data and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Install and regularly update antivirus software on all hosts, and enable real-time detection.
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind. Do not give all users administrative privileges.
- Disable unused ports.
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
- Use multifactor authentication where possible.
- Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
- Require administrator credentials to install software.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
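Two of the items above (reviewing domain controllers and Active Directory for new or unrecognized accounts, and auditing accounts with administrative privileges) are routine checks that can be scripted. The following PowerShell is an added example written for this article; it is not part of the FBI advisory and not Heimdal's code. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the directory, and that the privileged group names and the seven-day lookback window are reasonable defaults for the environment (both are assumptions and can be overridden via the parameters).

```powershell
# Added example, not from the FBI advisory or Heimdal.
# Lists accounts created in the last N days, current members of privileged
# groups, and the overlap between the two (new accounts that already hold
# privileged membership), which is the first thing to review after a
# suspected intrusion.
# Assumptions: ActiveDirectory module available; group names and lookback
# value are illustrative defaults.
param(
    [int]$LookbackDays = 7,
    [string[]]$PrivilegedGroups = @(
        'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    )
)

Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Accounts created within the lookback window. Every entry should map to a
#    known onboarding or service request; anything else needs investigation.
$newAccounts = Get-ADUser -Filter 'whenCreated -ge $since' -Properties whenCreated, Enabled |
    Select-Object SamAccountName, whenCreated, Enabled

# 2. Members of each privileged group, expanded recursively so that users
#    granted rights through nested groups are not missed.
$privMembers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName } }
}

# 3. Overlap: brand-new accounts that are already privileged.
$newPrivileged = $privMembers | Where-Object { $_.Member -in $newAccounts.SamAccountName }

"Accounts created since $since :"
$newAccounts | Format-Table -AutoSize
"Privileged group membership (recursive):"
$privMembers | Sort-Object Group, Member | Format-Table -AutoSize
"New accounts already in privileged groups (review these first):"
$newPrivileged | Format-Table -AutoSize
```

Run it from a workstation or jump host with RSAT, for example `.\Audit-PrivilegedAccounts.ps1 -LookbackDays 14`, and compare the privileged-membership output against a known-good baseline kept offline; a diff against that baseline is what turns this from a listing into a detection.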
Additionally, the FBI recommends that all victims, whether or not they intend to pay a ransom, alert law enforcement immediately following an attack so that new IOCs can be gathered for investigations and law enforcement operations.
How Can Heimdal™ Help?
Ransomware is one of today’s most severe cyber threats and learning how to avoid it should be a top priority for any business concerned about the safety of its employees, clients, partners, assets, money, and business processes.
In the fight against ransomware, Heimdal Security provides its customers with an exceptional integrated cybersecurity suite that includes the Ransomware Encryption Protection module, which is universally compatible with any antivirus solution and is completely signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).