Understanding Diavol – Ransomware Used By Wizard Spider

FortiGuard Labs is a threat intelligence and research organization at Fortinet. It is comprised of experienced threat hunters, researchers, analysts, engineers, and data scientists. Its mission is to provide customers with the industry’s best threat intelligence to protect them from malicious cyberattacks. The researchers at FortiGuard Labs have discovered a new ransomware called Diavol. And they suspect Wizard Spider, the cybercrime group to be behind it, this was also the group that was behind the Trickbot botnet.

Upon analysis, it was found that there was another ransomware that possessed similar properties like both used asynchronous I/O operations for file encryption, using virtually identical command-line parameters for the same functionality i.e. logging, drives, and network shares encryption, network scanning. However, no direct link could be established.

There’s also no evidence of data exfiltration capabilities before encryption in the case of Diavol Ransomware, a common tactic used by ransomware gangs for double extortion.


The major difference between Diavol and other ransomware is that Diavol uses user-mode Asynchronous Procedure Calls (APCs) with an asymmetric encryption algorithm. This sets it apart from other ransomware families as they commonly use symmetric algorithms to significantly speed up the encryption process.

Diavol also lacks any obfuscation as it doesn’t use packing or anti-disassembly tricks, but it still manages to make analysis harder by storing its main routines within bitmap images.

When executing on a compromised machine, the ransomware extracts the code from the images’ PE resource section and loads it within a buffer with execution permissions.

The code extracts amounts to 14 different routines that will execute in the following order:

  • Create an identifier for the victim
  • Initialize configuration
  • Register with the C&C server and update the configuration
  • Stop services and processes
  • Initialize encryption key
  • Find all drives to encrypt
  • Find files to encrypt
  • Prevent recovery by deleting shadow copies
  • Encryption
  • Change the desktop wallpaper
Diavol ransomware | Cybervie

Just before the completion of Diavol ransomware, it changes each encrypted Windows device’s background to a black wallpaper with the following message: “All your files are encrypted! For more information see README-FOR-DECRYPT.txt”.

Diavol Ransomware | Cybervie

Fortinet’s Insight

Diavol Ransomware information | Cybervie

According to the note, the authors claim they stole data from the victim’s machine, though the researchers did not find a sample that was capable of performing that. This was either a bluff or a placeholder for future capabilities. Browsing to the URL led to us a website, seen in figures 2 and 3, from which we derived the name for the ransomware.

Decrypting Ransomware | Cybervie

Although the Fortinet researchers suspect it to be an activity of Wizard Spider Group, no confirmations have been given as to what the source of the intrusion is. Fortinet says “The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to.”

Also “As the attack progressed, we found more Conti payloads named locker.exe in the network, strengthening the possibility the threat actor is indeed Wizard Spider. Despite a few similarities between Diavol, Conti, and other related ransomware, it’s still unclear, however, whether there’s a direct link between them. And, there are a couple of major differences from attacks previously attributed to Wizard Spider & Co., namely:

– No checks and balances to ensure the payload will not execute on Russian victims.
– No clear evidence of double extortion in the environment was found.”

Trickbot impact on Enterprise

The Trickbot botnet as mentioned earlier is operated by the Russian-based financially motivated cybercrime group called Wizard Spider. The botnet is used to drop second-stage malware on compromised systems and networks.

Trickbot has some serious impacts on enterprises since it propagates through corporate networks. If it gets admin access to a domain controller, it tends to steal the Active Directory database to collect even more network credentials the group can use to make their job easier.

Although Microsoft and several partners announced the takedown of some Trickbot C2s after the US Cyber Command also reportedly tried to cripple the botnet, TrickBot is still active, with the group still releasing new malware builds.

The TrickBot gang’s operations entered a higher gear during the summer of 2018 when they started targeting corporate networks using Ryuk ransomware and again in 2020 after switching to Conti ransomware.

The developers of Trickbot have also started deploying the stealthy BazarLoader backdoor in attacks in April 2020, a tool designed to help them compromise and gain full access to corporate networks before deploying the ransomware payloads.

References: https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider

Share the Post...

About Cybervie

Cybervie provides best cyber security training program in hyderabad, India.This cyber security course enables you to detect vulnerablities of a system, wardoff attacks and manage emergency situations. Taking a proactive approach to security that can help organisations to protect their data, Cybervie has designed its training module based on the cyber security industry requirements with three levels of training in both offensive and defensive manner, and use real time scenarios which can help our students to understand the market up-to its standard certification which is an add on advantage for our students to stand out of competition in an cyber security interview.

More Info – Click Here

Recent Posts

Follow Us on Youtube

Cyber Security Training Program 2020

Cyber security Course offered by Cybervie prepares students for a path of success in a highly demanding and rapidly growing field of cyber security. The course is completely designed with an adaptable mindset, where the program allows the student to complete the course work at their own pace while being able to complete weekly assignments. Hence, also making it convenient for busy working professionals to pursue the training to help them advance their career in cyber security.

Cybervie has designed the training module based on the cyber security industry requirements in both offensive and defensive manner, using real time scenarios which help our students to understand the market standards.

Sign up for our Newsletter

Interested in Cyber Security Training Program 2020 – Click Here

Open chat
Hello 👋
How can we help you?