The cybercrime group behind the Trickbot botnet, Wizard Spider, has been linked to a new ransomware strain dubbed Diavol, according to FortiGuard Labs security analysts. In early June 2021, Diavol and Conti ransomware payloads were delivered on several systems in a ransomware attack prevented by the company’s EDR technology.
Wizard Spider is a financially motivated criminal group based in Russia that operates the Trickbot botnet, which is used to deliver second-stage malware to infected devices and networks. Because it spreads across corporate networks, Trickbot is especially hazardous to companies. If it gains administrative access to a domain controller, it also steals the Active Directory database, allowing the attackers to harvest even more network credentials.
From the use of asynchronous I/O operations to queue files for encryption to the use of nearly identical command-line options for the same functionality (logging, encryption of drives and network shares, network scanning), the two ransomware groups’ samples are cut from the same cloth. Despite the similarities, the researchers were unable to establish a clear relationship between Diavol ransomware and the Trickbot gang, because substantial differences made high-confidence attribution impossible. For example, unlike Conti, Diavol ransomware has no built-in checks to prevent its payload from running on systems belonging to Russian targets. There is also no evidence of data exfiltration before encryption, a classic ransomware extortion method.
The encryption mechanism used by Diavol ransomware is based on user-mode Asynchronous Procedure Calls (APCs) and an asymmetric encryption algorithm. This distinguishes it from other ransomware families, which frequently employ symmetric methods to speed up encryption. Diavol does not employ obfuscation techniques such as packing or anti-disassembly, but it nonetheless hides its core routines by storing them inside bitmap images.
When the ransomware runs on a compromised PC, it extracts the code from the bitmap images in its PE resource section and copies it into a buffer with execute permissions. Before it finishes, Diavol changes the desktop background of each encrypted Windows device to a black wallpaper bearing the message: “All your files are encrypted! For more information see README-FOR-DECRYPT.txt.”
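One defensive check that follows from the bitmap-resource technique described above, written here as an added example and not code from Fortinet or from the malware: parse the DIB header that a RT_BITMAP resource body begins with and flag pixel data whose byte entropy, or whose size, does not fit the declared image. The two resource blobs are constructed inline, and the entropy threshold is an assumed triage value; photographic bitmaps can also score high, so a hit means pull the resource for review, not a verdict.

```python
import math
import struct

# A RT_BITMAP resource body starts with a 40-byte BITMAPINFOHEADER (no BITMAPFILEHEADER
# inside a PE resource): biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
# biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant.
BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return abs(sum(c / n * math.log2(c / n) for c in counts if c))

def inspect_bitmap_resource(blob: bytes, threshold: float = 5.0) -> dict:
    """Triage heuristic: flag pixel data that looks more like code than like pixels.
    threshold is an assumed value; a flat wallpaper scores near 0 bits/byte and native
    code well above 5, but photographic bitmaps can also score high (review, don't convict)."""
    if len(blob) < BITMAPINFOHEADER.size:
        raise ValueError("resource too small for a BITMAPINFOHEADER")
    hdr_size, width, height, _, bpp, _, _, _, _, clr_used, _ = BITMAPINFOHEADER.unpack_from(blob)
    if hdr_size != BITMAPINFOHEADER.size:
        raise ValueError(f"unexpected DIB header size {hdr_size}")
    # Bitmaps of 8 bpp or less carry a colour table (4 bytes per entry) before the pixels.
    palette_bytes = 4 * (clr_used or (1 << bpp)) if bpp <= 8 else 0
    pixels = blob[hdr_size + palette_bytes:]
    stride = ((width * bpp + 31) // 32) * 4  # rows are padded to 4-byte boundaries
    expected = stride * abs(height)          # negative height means a top-down bitmap
    entropy = shannon_entropy(pixels)
    return {
        "width": width, "height": abs(height), "bpp": bpp,
        "expected_pixel_bytes": expected, "actual_pixel_bytes": len(pixels),
        "entropy": round(entropy, 2),
        # Either signal alone is enough to pull the resource for manual review.
        "suspicious": entropy >= threshold or len(pixels) != expected,
    }

def make_bitmap_resource(width: int, height: int, bpp: int, pixels: bytes) -> bytes:
    """Build a constructed RT_BITMAP body (BITMAPINFOHEADER + pixel bytes) for testing."""
    return BITMAPINFOHEADER.pack(40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0) + pixels

# Constructed samples: a flat black 16x16 24-bpp image (768 pixel bytes), and the same
# header over 768 bytes of maximal-entropy filler standing in for hidden code.
BENIGN_BITMAP = make_bitmap_resource(16, 16, 24, b"\x00" * 768)
CODE_IN_BITMAP = make_bitmap_resource(16, 16, 24, bytes(range(256)) * 3)
```

In a real triage run the blobs would come from each RT_BITMAP entry of the sample's resource directory (for example via a PE parser), with the same function applied to each.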
“Currently, the source of the intrusion is unknown,” Fortinet says. “The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to.”