

FBI links Diavol ransomware to the TrickBot cybercrime group



The FBI has formally linked the Diavol ransomware operation to the TrickBot Group, the malware developers behind the infamous TrickBot banking trojan.

The TrickBot Gang, aka Wizard Spider, are the developers of malware infections that have wreaked havoc on corporate networks for years, commonly leading to Conti and Ryuk ransomware attacks, network infiltration, financial fraud, and corporate espionage.

The TrickBot Gang is best known for its namesake, the TrickBot banking trojan, but is also behind the development of the BazarBackdoor and Anchor backdoors.

Prior analysis linked Diavol to TrickBot Group

In July 2021, researchers from FortiGuard Labs released an analysis of a new ransomware called Diavol (Romanian for Devil) that was seen targeting corporate victims.

The researchers observed both Diavol and Conti ransomware payloads deployed on a network in the same ransomware attack in early June 2021.

After analyzing the two ransomware samples, similarities were found, such as their use of asynchronous I/O operations for file encryption queuing and almost identical command-line parameters for the same functionality.

At the time, there was not enough evidence to formally link the two operations.

However, a month later, IBM X-Force researchers established a stronger connection between Diavol ransomware and other TrickBot Gang malware, such as Anchor and TrickBot.

FBI links Diavol ransomware to TrickBot gang

Today, the FBI formally announced that it has linked the Diavol ransomware operation to the TrickBot Gang in a new advisory sharing indicators of compromise seen in previous attacks.

“The FBI first learned of Diavol ransomware in October 2021. Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan,” the FBI states in a new FBI Flash advisory.

Since then, the FBI has seen ransom demands ranging between $10,000 and $500,000, with lower payments accepted after ransom negotiations.

Warning.txt ransom note from Diavol ransomware

These amounts are in stark contrast to the higher ransoms demanded by other ransomware operations linked to TrickBot, such as Conti and Ryuk, which have historically asked for multi-million dollar ransoms.

For example, in April, the Conti ransomware operation demanded $40 million from Florida’s Broward County School district and $14 million from chip maker Advantech.

The FBI was likely able to formally link Diavol to the TrickBot Gang after the arrest of Alla Witte, a Latvian woman involved in the development of ransomware for the malware gang.

Vitali Kremez, CEO of AdvIntel, who has been tracking the TrickBot operations, told BleepingComputer that Witte was responsible for the development of the new TrickBot-linked ransomware.

“Alla Witte played a crucial role for the TrickBot operations and based on the previous AdvIntel deep adversarial insight she was responsible for the development of the Diavol ransomware and frontend/backend project meant to support TrickBot operations with the special tailored ransomware with the bot backconnectivity between TrickBot and Diavol,” Kremez told BleepingComputer in a conversation.

“Another name for the Diavol ransomware was called “Enigma” ransomware leveraged by the TrickBot crew before the Diavol re-brand.”

The FBI’s advisory contains numerous indicators of compromise and mitigations for Diavol, making it an essential read for all security professionals and Windows/network administrators.

It should be noted that the Diavol ransomware originally created ransom notes named ‘README_FOR_DECRYPT.txt’, as pointed out by the FBI advisory, but BleepingComputer has seen the ransomware gang switch in November to ransom notes named ‘Warning.txt.’ Detections or hunts keyed only on the older note name will therefore miss more recent Diavol activity; both names should be searched for.

The FBI also urges all victims, regardless of whether they plan to pay a ransom, to promptly notify law enforcement of attacks so that it can gather fresh IOCs for investigative purposes and law enforcement operations.

If you are affected by a Diavol attack, it is also important to notify the FBI before paying, as they “may be able to provide threat mitigation resources to those impacted by Diavol ransomware.”

Copyright © 2022