Diavol Ransomeware

The FBI is also formally linking the operation of Diavol Ransomeware, the malware software developer behind TrickBot Group, the infamous TrickBot banking trojan. The TrickBot Gang, aka the Wizard Spider, is also the developer of a malware infection that has plagued corporate networks for years, leading to Conti and Ryuk ransomware attacks, network intrusions, and even financial fraud or corporate espionage. Also known by the biggest name as TrickBot Gang, so is TrickBot Banking Trojan, but also behind the development of BazarBackdoor and Anchor backdoors. In July 2021, Fortigard Lab researchers also released an analysis of a new ransomware called Devol (Romanian for Devil), which was also seen targeting corporate victims. Researchers have seen the same ransomware attack in early June 2021 as the deployment of Divall and Conti ransomware payloads on the network.

After analyzing the two ransomware samples, similarities were also found Diavol Ransomeware, such as the use of asynchronous I / O operations in the file encryption queue and almost identical command-line parameters for the same functionality. At the time, there was not even enough evidence to formally link the two operations.
However, a month later, IBM X-Force researchers also established a strong link between the Devol ransomware and other TrickBot Gang’s malware, such as Anchor and TrickBot.
Today, the FBI has formally announced that they have linked the Devol ransomware operation to the TrickBot gang. “The FBI first received such information about Devol ransomware in October 2021. Diavol is affiliated with software developers in the Trickbot Group, which is responsible for the Trickbot Banking Trojan,” the FBI said in a new FBI Flash Advisory.

Since then, the FBI has seen ransom demands between $ 10,000 and $ 500,000, including low payments accepted after ransom negotiations. Therefore This amount is in stark contrast to the high ransom demanded by other ransomware operations linked to TrickBot, such as Conti and Ryuk, who have also historically demanded millions of dollars in ransom. For example, in April, the county ransomware operation also demanded $ 40 million from Florida’s Broward County School District and 14 million from chip maker Advantech. Even after the arrest of Latvian woman Alla Vitte, who was also involved in the development of ransomware for the malware gang, the FBI was able to formally link Devol to the Trickboat gang.
AdvIntel CEO Vitaly Kremez, who is tracking TrickBot operations, told BleepingComputer that Witte was also responsible for the development of the new TrickBot-linked ransomware. “As Ala Witte has played a key role in TrickBot operations, so have AdvIntel’s deepest rivals, based on insights. 0iavol was also responsible for the development of ransomware and the frontend/backend project, so it was also meant to support trickboat operations with ransomware in a specific context with bot back connectivity. Trickbot and Divewall, “Kremez told Blipping Computer in a conversation as well. “Another name for the Divoll ransomware was” Enigma “ransomware, as it was used by the TrickBot crew before the Divoll re-brand.” So even the FBI’s advice has a number of indicators of compromise and reduction for Dewall, as it makes it a must-read for all security professionals as well as Windows / Network administrators. It should be noted that the Devol ransomware originally created ransomware notes called ‘README_FOR_DECRYPT.txt’, as suggested by the FBI advisor, although BleepingComputer saw ransomware on ransomware notes called ‘Warning.txt’ in November. The FBI is also urging all victims who plan to pay a ransom, but can also use it for investigation and law enforcement operations, to collect such new IOCs as well as prompt law enforcement in attacks.
If you have been the victim of a Diavol attack, it is also important to notify the FBI before making a payment as there is a “Diavol ransomware can also provide a risk mitigation tool for those affected.”


RAM Research Center