Trickbot cybercrime group linked to new Diavol ransomware

FortiGuard Labs security researchers have linked a new ransomware strain dubbed Diavol to Wizard Spider, the cybercrime group behind the Trickbot botnet.

Diavol and Conti ransomware payloads were deployed on different systems in a ransomware attack blocked by the company’s EDR solution in early June 2021.

The two ransomware families' samples are cut from the same cloth, from the use of asynchronous I/O operations to queue files for encryption, to nearly identical command-line parameters controlling the same functionality (for example logging, encryption of local drives and network shares, and network scanning).

However, despite these similarities, the researchers could not establish a direct link between Diavol and the Trickbot gang, and several significant differences rule out high-confidence attribution.

For instance, Diavol lacks the built-in checks that Conti uses to prevent its payload from running on systems belonging to Russian targets.

There is also no evidence of data exfiltration capabilities prior to encryption, a tactic commonly used by ransomware gangs for double extortion.

