Analysis of a Diavol ransomware sample by IBM X-Force links Diavol to the TrickBot gang. The samples show similarities to other malware used by the same cybercrime group.
Earlier in July, Fortinet reported an unsuccessful ransomware attack on one of its customers that used a Diavol payload. Diavol's code shows similarities with Conti, and its ransom note reuses some of the language found in Egregor's ransom note.
According to Fortinet, “As part of a rather unique encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm. Usually, ransomware authors aim to complete the encryption operation in the shortest amount of time. Asymmetric encryption algorithms are not the obvious choice as they [are] significantly slower than symmetric algorithms.”
Comparing a Diavol sample compiled on March 5, 2020 (and submitted to VirusTotal on January 27, 2021) with the later, fully functional variant sheds light on the malware's development process. The code can terminate arbitrary processes and prioritizes which files to encrypt based on a pre-configured list of extensions defined by the attacker.
In addition, the ransomware collects system information during its initial execution and uses it to generate a unique identifier for the victim. That identifier is almost identical to the Bot ID generated by the TrickBot malware, differing only in the addition of a Windows username field.
Further evidence is that the HTTP headers used for command-and-control (C2) communication are set to prefer Russian-language content. This matches the language used by the TrickBot operators and further links the two.
Another similarity between the two samples is the registration process, in which the victim's machine uses the identifier created in the previous step to register itself with a remote server.
According to IBM Security’s Charlotte Hammond and Chris Caridi, “This registration to the botnet is nearly identical in both samples analyzed. The primary difference is the registration URL changing from https://[server_address]/bots/register to https://[server_address]/BnpOnspQwtjCA/register.”
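The two observable details above, a POST to a single-segment `/…/register` path and request headers that prefer Russian even though the sending host is not configured for Russian, are the kind of thing a defender can hunt for in proxy logs. The following is an added example written for this article, not code from IBM or Fortinet; the log format, the `accept_language` field, the host-to-locale inventory and all IP addresses are constructed for the example, and the assumption that "prefer Russian language content" shows up as an `Accept-Language` header beginning with `ru` is ours.

```python
import re
from typing import Dict, List

# Constructed proxy log lines (key=value fields). They are invented for
# this example and are not real Diavol or TrickBot traffic.
SAMPLE_LOG = """\
ts=2021-07-01T10:00:01Z src=10.0.0.5 method=POST host=203.0.113.10 path=/bots/register accept_language="ru-RU,ru;q=0.9,en-US;q=0.5"
ts=2021-07-01T10:00:02Z src=10.0.0.5 method=GET host=example.com path=/index.html accept_language="en-US,en;q=0.9"
ts=2021-07-01T10:05:17Z src=10.0.0.7 method=POST host=198.51.100.4 path=/BnpOnspQwtjCA/register accept_language="ru-RU,ru;q=0.9"
ts=2021-07-01T10:06:00Z src=10.0.0.9 method=POST host=accounts.example.org path=/api/v1/register accept_language="de-DE,de;q=0.8"
"""

# Constructed asset inventory: configured UI locale per internal host.
# Invented for the example; a real check would query a CMDB or EDR.
HOST_LOCALE: Dict[str, str] = {
    "10.0.0.5": "en-US",
    "10.0.0.7": "en-GB",
    "10.0.0.9": "de-DE",
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Matches the two registration paths named in the article: one path
# segment (the fixed "bots" or a random-looking token) followed by "/register".
REGISTER_PATH_RE = re.compile(r"^/[A-Za-z0-9]+/register$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line; quoted values keep their inner text."""
    rec: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        rec[key] = value[1:-1] if value.startswith('"') else value
    return rec


def primary_language(accept_language: str) -> str:
    """Primary subtag of the first (most preferred) Accept-Language entry."""
    first = accept_language.split(",")[0].split(";")[0].strip().lower()
    return first.split("-")[0]


def is_registration_beacon(rec: Dict[str, str]) -> bool:
    """True for a POST to a /<token>/register path whose headers prefer
    Russian while the sending host is not configured for Russian."""
    if rec.get("method") != "POST":
        return False
    if not REGISTER_PATH_RE.match(rec.get("path", "")):
        return False
    prefers_ru = primary_language(rec.get("accept_language", "")) == "ru"
    host_is_ru = HOST_LOCALE.get(rec.get("src", ""), "").lower().startswith("ru")
    return prefers_ru and not host_is_ru


def find_registration_beacons(log_text: str) -> List[Dict[str, str]]:
    """Return source, C2 host and path for every line that looks like a bot registration."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_registration_beacon(rec):
            hits.append({"src": rec["src"], "host": rec["host"], "path": rec["path"]})
    return hits


if __name__ == "__main__":
    for hit in find_registration_beacons(SAMPLE_LOG):
        print(f"possible bot registration from {hit['src']} to https://{hit['host']}{hit['path']}")
```

The legitimate `/api/v1/register` request is not flagged because it has two path segments and a German-language header; the locale comparison is what turns a generic "Russian headers" signal into something actionable, since a Russian-configured workstation sending Russian headers is expected.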
The development sample's file enumeration and encryption functions are incomplete, unlike those of the fully functional variant. Instead of relying on asynchronous procedure calls, it encrypts files directly as they are encountered, giving them the extension “.lock64”.
IBM also found another deviation: the development sample does not delete the original file after encryption, so no decryption key is needed to recover the data.
Code that checks the language of the infected system in order to exclude victims in Russia or the Commonwealth of Independent States (CIS) region, a practice the TrickBot group also follows, further points to the Russian connection.
Finally, the researchers said, “Collaboration between cybercrime groups, affiliate programs, and code reuse are all parts of a growing ransomware economy. The Diavol code is relatively new in the cybercrime area, and less infamous than Ryuk or Conti, but it likely shares ties to the same operators and blackhat coders behind the scenes.”