Back in July, cybersecurity specialists at Fortinet announced the emergence of a new ransomware group allegedly developed by the creators of the advanced Trojan TrickBot.
The new ransomware family is called Diavol, and it is believed to be connected to the Wizard Spider threat actor because the researchers found several similarities in how the malware operates.
Wizard Spider is a Russia-based cybercrime group that uses Trickbot, Ryuk, and Conti ransomware as their primary tools. According to the Fortinet researchers, both Diavol and Conti ransomware gangs used the same command-line parameters for different functions such as logging, encryption, and network scanning.
It appears that Diavol and Conti ransomware payloads were deployed on different systems in a ransomware attack that was discovered and stopped back in June. The researchers noticed two suspicious files, locker.exe and locker64.dll, that were not detected on VirusTotal.
File locker64.dll was recognized as a Conti (v3) ransomware sample, while locker.exe seemed to be entirely different and received the name Diavol.
One difference between Conti and Diavol, as Fortinet observed, is that the latter also infects Russia-based targets.
New Findings of the Diavol Ransomware and TrickBot Connection
A recent IBM X-Force report indicates that the ransomware sample shares similarities with other malware linked to the TrickBot gang, suggesting an even stronger connection between the two threat actors (Diavol ransomware and TrickBot).
The sample analyzed by the IBM X-Force specialists is an older version of the ransomware which, unlike the one examined by Fortinet, appears to be a development variant meant for testing.
Comparing the two variants helped the researchers gain an accurate and deep understanding of Diavol's development process and of what future versions of the ransomware may look like.
The sample the IBM X-Force researchers studied was submitted to VirusTotal on January 27, 2021, and has a reported compilation date of March 5, 2020.
When executed, Diavol gathers rudimentary system information such as the username, Windows version, and network adapter details. It then generates a System ID (or Bot ID) in a format very similar to the one generated by the TrickBot operation:
<hostname>-<username>_W<windows_version>.<guid>
TrickBot itself, along with the Anchor DNS malware that has been attributed to TrickBot, generates a Bot ID of an almost identical format to that used by the Diavol ransomware.
Victim IDs matter because they let the malware developers track the outcome of many operations and report it to their affiliates.
This is why these specific formatting and naming conventions could point to the group responsible for the initial deployment.
Even More Similarities
According to the IBM researchers, the Diavol ransomware sample they have analyzed showed that the HTTP headers employed for command and control (C2) communication were “set to prefer Russian language content.”
As one might expect, the TrickBot developers also use the Russian language.
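The two observations above, the Bot ID layout `<hostname>-<username>_W<windows_version>.<guid>` and the C2 headers set to prefer Russian content, are the kind of artefacts a defender can hunt for in proxy telemetry. The script below is an added example written for this page; it is not code from IBM X-Force, Fortinet, or the malware itself. Everything beyond the quoted layout is an assumption: the character classes used for hostname, username, version and GUID, the idea that the language preference is expressed through the standard `Accept-Language` request header, and the pipe-delimited proxy record format and sample records, which are constructed for the example (the 203.0.113.0/24 addresses are a documentation range, not real infrastructure).

```python
import re
from typing import List, NamedTuple, Optional

# Layout of the Bot ID quoted in the article:
#   <hostname>-<username>_W<windows_version>.<guid>
# Character classes are assumptions of this example, not taken from the article:
# hostname and username from letters, digits, '-' and '.', the Windows version
# as dotted digits, and the GUID as a run of at least eight hex digits (dashes allowed).
BOT_ID_RE = re.compile(
    r"(?P<hostname>[A-Za-z0-9-]+)-(?P<username>[A-Za-z0-9.]+)"
    r"_W(?P<winver>[0-9]+(?:\.[0-9]+)*)\.(?P<guid>[0-9A-Fa-f-]{8,})"
)


class BotId(NamedTuple):
    hostname: str
    username: str
    winver: str
    guid: str


def parse_bot_id(text: str) -> Optional[BotId]:
    """Return the first Bot-ID-shaped token found in text, or None if there is none."""
    m = BOT_ID_RE.search(text)
    if not m:
        return None
    return BotId(m["hostname"], m["username"], m["winver"], m["guid"])


def prefers_russian(accept_language: str) -> bool:
    """True if the highest-weighted tag of an Accept-Language value is Russian.

    The article only says the headers were set to prefer Russian content;
    modelling that as Accept-Language q-values is an assumption of this example.
    """
    best_tag, best_q = "", -1.0
    for entry in accept_language.split(","):
        parts = [p.strip() for p in entry.split(";")]
        tag, q = parts[0], 1.0          # RFC 7231: a missing q means q=1
        for p in parts[1:]:
            if p.startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0             # treat a malformed weight as "not acceptable"
        if tag and q > best_q:          # first tag wins on ties, as browsers order them
            best_tag, best_q = tag, q
    return best_tag.lower().startswith("ru")


class Finding(NamedTuple):
    timestamp: str
    src_ip: str
    bot_id: BotId
    russian_pref: bool
    severity: str


def hunt_proxy_log(lines: List[str]) -> List[Finding]:
    """Scan pipe-delimited proxy records (constructed format for this example):
    timestamp|src_ip|method|url|accept_language
    Records whose URL carries a Bot-ID-shaped token are reported; a Russian
    language preference on the same request raises the severity.
    """
    findings: List[Finding] = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) != 5:
            continue                    # skip malformed records rather than abort the hunt
        ts, src, _method, url, accept_lang = fields
        bot_id = parse_bot_id(url)
        if bot_id is None:
            continue
        ru = prefers_russian(accept_lang)
        findings.append(Finding(ts, src, bot_id, ru, "high" if ru else "medium"))
    return findings


# Constructed sample records; the Bot IDs, hosts and addresses are invented.
SAMPLE_PROXY_LOG = [
    "2021-06-15T10:22:01Z|10.0.0.12|POST|http://203.0.113.5/DESKTOP-1A2B3C-jsmith_W10.0.DEADBEEF0001|ru-RU,ru;q=0.9,en;q=0.8",
    "2021-06-15T10:22:05Z|10.0.0.12|GET|http://203.0.113.5/favicon.ico|ru-RU,ru;q=0.9",
    "2021-06-15T10:23:40Z|10.0.0.31|POST|http://203.0.113.9/SRV-FILES01-backup.svc_W6.3.0123456789AB|en-US,en;q=0.9",
]


if __name__ == "__main__":
    for f in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f.severity:6} {f.timestamp} {f.src_ip} host={f.bot_id.hostname} "
              f"user={f.bot_id.username} win={f.bot_id.winver} ru={f.russian_pref}")
```

Because hostnames can themselves contain dashes, the regex lets the hostname group be greedy and relies on backtracking to place the username after the last dash before `_W`; the Windows version is likewise bounded by the requirement that a hex GUID follow the final dot. Matching the ID shape alone yields a medium-severity lead (a legitimate host name could in principle collide with it), and the Russian language preference on the same request is what lifts a finding to high.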
Another similarity the experts found is that Diavol also contains code to check the language of the infected system in order to avoid attacking victims in Russia or the Commonwealth of Independent States (CIS) region.
The researchers did not find decisive proof of a connection between Diavol ransomware and the TrickBot group, but they did uncover new indications that such a link may exist.