FortiGuard Labs security researchers have linked a new ransomware strain dubbed Diavol to Wizard Spider, the cybercrime group behind the Trickbot botnet.
Diavol and Conti ransomware payloads were deployed on different systems in a ransomware attack blocked by the company’s EDR solution in early June 2021.
The two ransomware families' samples are cut from the same cloth, from using asynchronous I/O operations to queue files for encryption to using virtually identical command-line parameters for the same functionality (e.g., logging, encryption of drives and network shares, network scanning).
However, despite all similarities, the researchers couldn’t find a direct link between Diavol ransomware and the Trickbot gang, with some significant differences making high confidence attribution impossible.
For instance, Diavol ransomware has no built-in checks that prevent the payload from running on Russian targets' systems, whereas Conti does.
There’s also no evidence of data exfiltration capabilities before encryption, a common tactic used by ransomware gangs for double extortion.