[MART] - Daily Diary #299 - Meet Diavol Ransomware

CTAS-MAT ctas-mat at appgate.com
Tue Jul 6 21:31:13 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

07/06/2021 - Diary entry #299:

First discovered this month, Diavol seems to be a new ransomware strain deployed by Trickbot, which we covered in Daily Diary #71. Diavol was found being deployed on the same network as Conti ransomware, on different systems in the same attack. Diavol also uses the RSA encryption algorithm, making it hard to recover the files without the original private key. Diavol's command-line arguments are very similar to Conti's, allowing an attacker to encrypt both local drives and network shares.

After encrypting the machine, a ransom note is dropped with a .onion link for the Diavol Unlocker. The ransom message also claims that data was downloaded during the attack and will be posted online if the ransom is not paid, following the double-extortion model employed by REvil and other ransomware gangs.

It is not yet clear whether Diavol ransomware is developed by the Russian APT group Wizard Spider. This group also develops Trickbot, BazaLoader, Ryuk ransomware, and Conti ransomware. Diavol might be the result of a partnership, in which the attackers use Wizard Spider's malware to deploy their own attacks.

Kind Regards,

Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
