SpearTip: New Diavol Ransomware Does Steal Data

 

According to security experts, the Wizard Spider threat organization, which is behind the Trickbot botnet, has been connected to a new ransomware strain called Diavol.

According to BleepingComputer, the ransomware families use nearly the same command-line parameters for the same functionality and rely on the same I/O operations for file encryption queueing.

Although there are some commonalities, as they've indicated and as SpearTip has confirmed, there are two key distinctions that make a direct link unlikely. Diavol ransomware does not perform a location check to prevent its payloads from executing on Russian targets. This is significant since most malware avoids Russian systems.

Data Exfiltration

FortiGuard Labs explains in their analysis of Diavol that, “According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities.”

Following additional analysis by SpearTip's engineers, the Diavol ransomware gang appears to be stealing data. Although the ransomware executable itself lacks this capability, the group employs techniques that allow for the exfiltration of data from a particularly evasive environment.

The Diavol ransomware gang uses a Cobalt Strike HTTP beacon, which appears to be used to assist data exfiltration. The beacon was named sysr.dll and was kept in a folder created by the threat actors. Both the beacon's network connectivity and the mechanism it uses to inject into memory are hard to trace.

SpearTip has confirmed that the beacon deleted files and exfiltrated them as well. SpearTip engineers acknowledged that the Diavol gang stole data and provided evidence of data exfiltrated from several organizations through threat actor interaction. When SpearTip's engineers looked into it, they discovered that Cobalt Strike’s evasive HTTPS Beacon, which can be used to exfiltrate data, was utilized.

Over the past few years, the former Trickbot operators have been targeted by law enforcement actions, have proven resilient, and have integrated themselves into different ransomware groups. It's not unexpected to see signs of their activities and tactics in another ransomware gang. When evaluating data exfiltration, it's critical to perform a thorough investigation and understand how the group's techniques have evolved. These associations guarantee that forensic reporting is accurate.