Contents:
Good news for victims of Diavol ransomware. Emsisoft, the well-known cybersecurity company, has just provided a free decryptor for this ransomware family linked to the TrickBot gang. Now victims can use this free decryption tool to recover their files without having to pay a ransom.
Free Decryptor for Diavol Ransomware Now Available
The free Diavol ransomware decryption tool can be downloaded from HERE. Besides, the following guide should be read for thorough instructions on how to use it. And of course, if you want to find out other free decryptors for other different ransomware strains you can always check out our comprehensive list of free ransomware decryption tools!
The experts from Emsisoft explained about the Diavol ransomware decryption tool that
The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data. (…) By default, the decryptor will pre-populate the locations to decrypt with the currently connected drives and network drives.
If the decrypted files are not similar to the original documents, this Diavol ransomware decryption program will maintain the files encrypted in the attack as a failsafe.
It also includes an option to “Allow partial decryption of large files,” which is required to partially recover some files that are larger than the pair of files provided for reassembling the encryption keys. This is necessary because, due to technical restrictions, the decryptor may be unable to recover such data.
What’s Different with Diavol Ransomware?
As BleepingComputer publication explains, Diavol’s encryption mechanism uses user-mode Asynchronous Procedure Calls (APCs) with an asymmetric encryption algorithm adding up to its particular nature as other ransomware families use symmetric algorithms to speed up the encryption process dramatically. Besides, Diavol has no obfuscation because it doesn’t utilize packing or anti-disassembly techniques, yet it still makes it difficult to decipher because its essential routines are stored in bitmap images.
Diavol will alter the backgrounds of encrypted Windows devices to a dark backdrop with an icon before the encryption process is completed, showing the “All your files are encrypted! For more information see README-FOR-DECRYPT.txt” message.
Diavol Ransomware Linked to TrickBot?
After detecting it delivered on multiple systems alongside Conti malware payloads in an assault prevented by the company’s EDR technology in early June 2021, FortiGuard Labs security analysts first linked this ransomware strain to the TrickBot gang (aka Wizard Spider).
The FBI formally tied it to the TrickBot cybercrime group following their report and, most likely, after the arrest of Alla Witte, who was involved in the ransomware development process for the malware gang.
The ransoms required by Diavol are in stark contrast to the colossal ransoms requested by other TrickBot-affiliated ransomware groups like Conti and Ryuk. As BleepingComputer further explains, for decryptors and not disclosing stolen material online, they have previously demanded multi-million dollar payments.
Diavol ransomware has been active since at least June 2021, but there are just a few dozen entries on the ID-Ransomware service.
How Can Heimdal™ Help?
Prevention is the best cybersecurity strategy that will protect your valuable assets in the first place. That is why your company needs efficient cybersecurity solutions like Heimdal Ransomware Encryption Protection which keeps ransomware encryption attempts away and thus protects you against data loss and data exfiltration.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.