Security researchers have linked a new ransomware strain called Diavol to the Wizard Spider threat group behind the Trickbot botnet. BleepingComputer noted the ransomware families utilize the same I/O operations for file encryption queueing and use nearly identical command-line parameters for the same functionality.
There may be some similarities, but as they’ve explained and SpearTip has validated, there are two interesting differences that make the direct connection improbable.
Diavol ransomware does not prevent their payloads from running on Russian targets by doing a locale check. This is notable because most ransomware will avoid Russian systems.
FortiGuard Labs explains in their analysis of Diavol that, “According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities.”
After SpearTip’s engineers conducted further investigations, the Diavol ransomware group does appear to be stealing data. Despite the absence of this capability in the ransomware executable, the group leverages tactics that enable the exfiltration of data from an environment that are particularly evasive.
The Diavol ransomware group uses an HTTP beacon for Cobalt Strike, which appears to be utilized to facilitate the data exfiltration. The beacon was named sysr.dll and was stored in a folder created by the threat actors. This network communication is exceptionally difficult to detect as well as the technique used by the beacon to inject into memory. It has been confirmed by SpearTip that the beacon had files removed and exfiltrated.
The image below shows the beacon running through a sandbox.
Through threat actor communication, SpearTip engineers confirmed that the Diavol group stole data and provided proof of data that was exfiltrated from several organizations. When our engineers investigated, we observed the utilization of the evasive Cobalt Strike’s HTTPS Beacon, which can be used to exfiltrate data.
The former Trickbot operators, previously target by law enforcement actions, have proven resilient and have integrated themselves into different ransomware groups over the past few years. Seeing traces of their activity and techniques within another ransomware group isn’t surprising. When assessing data exfiltration, it is always important to conduct a comprehensive investigation and to understand the evolution of the group tactics. These associations ensure accurate forensic reporting.
SpearTip’s Security Operations Center as a Service (SOCaaS) provides your organization with instant value as our certified engineers work 24/7/365 to protect your environment from constant threats. Working in tandem with our ShadowSpear® Platform, the SOCaaS can be integrated with businesses of any size, structure, or industry.
ShadowSpear blocks malicious ransomware executables before they can ever reach your environment and notifies our engineers so they can respond quickly to any intrusions. Being proactive is the best way to defend against cyber threats as they’re looking for any opportunity to infect your network and steal profit. Don’t let them. Call us, today.
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.