Diavol Ransomware is Linked to Wizard Spider Cybercrime Group

The cybercrime group behind the Trickbot botnet, Wizard Spider, has been linked to a new ransomware strain dubbed Diavol, according to FortiGuard Labs security analysts. In early June 2021, Diavol and Conti ransomware payloads were delivered on several systems in a ransomware attack prevented by the company’s EDR technology. 

Wizard Spider is a financially motivated criminal group based in Russia that manages the Trickbot botnet, which is used to distribute second-stage malware to infected devices and networks. Because it spreads over corporate networks, Trickbot is especially hazardous to companies. If it gains administrative access to a domain controller, it will also steal the Active Directory database, allowing the organization to harvest even more network credentials.

From the use of asynchronous I/O operations for file encryption queuing to the use of nearly identical command-line options for the same functionality, the two ransomware groups’ samples are cut from the same fabric (i.e., logging, drives and network shares encryption, network scanning). Despite the similarities, the researchers were unable to establish a clear relationship between Diavol ransomware and the Trickbot gang, due to some substantial variances that made attribution with high confidence impossible. For example, unlike Conti, Diavol ransomware has no built-in checks to prevent payloads from operating on Russian targets’ systems. There’s also no proof of data exfiltration capabilities before encryption, which is a classic ransomware extortion method. 

The encryption mechanism used by Diavol ransomware is based on user-mode Asynchronous Procedure Calls (APCs) and an asymmetric encry

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

Read the original article: Diavol Ransomware is Linked to Wizard Spider Cybercrime Group