A new analysis of the budding ransomware strain called Diavol shows a clearer connection with the infamous TrickBot gang and the evolution of the malware.
Cybersecurity researchers from IBM X-Force have disclosed details which shows that the ransomware sample shares similarities to other malware that has been attributed to the cybercrime gang.
In early July, Fortinet revealed specifics of an unsuccessful ransomware attack involving Diavol payload targeting one of its customers, highlighting the payload’s source code overlaps with that of Conti and its technique of reusing some language from Egregor ransomware in its ransom note.
Earlier the researchers said that as part of a rather unique encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm. Usually, ransomware authors aim to complete the encryption operation in the shortest amount of time. Asymmetric encryption algorithms are not the obvious choice as they are significantly slower than symmetric algorithms.
A latest assessment of an earlier sample of Diavol — compiled on March 5, 2020, and submitted to VirusTotal on January 27, 2021 — has revealed insights into the malware’s development process, with the source code capable of terminating arbitrary processes and prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker.
The initial execution of the ransomware leads to it collecting system information, which is used to generate a unique identifier that’s nearly identical to the Bot ID generated by TrickBot malware, except for the addition of the Windows username field.
Diavol’s links to TrickBot also come down to the fact that HTTP headers used for command-and-control (C2) communication are set to prefer Russian language content, which matches the language used by the operators.
Another similarity between the two ransomware samples concerns the registration process, where the victim machine uses the identifier created in the previous step to register itself with a remote server. This registration to the botnet is nearly identical in both samples analyzed.
However, the development sample has its file enumeration and encryption functions left unfinished, and it also directly encrypts files with the extension “.lock64” as they are encountered, instead of relying on asynchronous procedure calls. Also it is found that the original file is not deleted post encryption, thus removing the need for a decryption key.
It also uses a code for checking the language on the infected system to filter out victims in Russia or the Commonwealth of Independent States (CIS) region, which is a known tactic adopted by the TrickBot group.
The researchers concluded that collaboration between cybercrime groups, affiliate programs and code reuse are all parts of a growing ransomware economy. The Diavol code is relatively new in the cybercrime area, and less infamous than Ryuk or Conti, but it likely shares ties to the same operators and blackhat coders behind the scenes.