Cybersecurity researchers have disclosed details about an early development version of a nascent ransomware strain called Diavol that has been linked to threat actors behind the notorious TrickBot syndicate.
The latest findings from IBM X-Force show that the ransomware sample shares similarities with other malware that has been attributed to the cybercrime gang, thus establishing a clearer connection between the two.
In early July, Fortinet revealed specifics of an unsuccessful ransomware attack involving a Diavol payload targeting one of its customers, highlighting the payload's source code overlaps with that of Conti and its practice of reusing some language from Egregor ransomware in its ransom note.
"As part of a rather unique encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm," Fortinet researchers previously said. "Usually, ransomware authors aim to complete the encryption operation in the shortest amount of time. Asymmetric encryption algorithms are not the obvious choice as they [are] significantly slower than symmetric algorithms."
Now an analysis of an earlier sample of Diavol — compiled on March 5, 2020, and submitted to VirusTotal on January 27, 2021 — has revealed insights into the malware's development process, with the source code capable of terminating arbitrary processes and prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker.
What's more, the initial execution of the ransomware leads to it gathering system information, which is used to generate a unique identifier that is almost identical to the Bot ID generated by TrickBot malware, except for the addition of the Windows username field.
Diavol's links to TrickBot also boil down to the fact that the HTTP headers used for command-and-control (C2) communication are set to prefer Russian-language content, which matches the language used by the operators.
One point of similarity between the two ransomware samples concerns the registration process, where the victim machine uses the identifier created in the previous step to register itself with a remote server. "This registration to the botnet is almost identical in both samples analyzed," IBM Security's Charlotte Hammond and Chris Caridi said. "The primary difference is the registration URL changing from https://[server_address]/bots/register to https://[server_address]/BnpOnspQwtjCA/register."
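As an added example (not code from the IBM X-Force or Fortinet write-ups), the following Python scanner flags proxy log entries that combine the two network indicators just described: a request to one of the two registration paths and a client that prefers Russian-language content. The log line format, the use of the Accept-Language header as the "preferred language" signal, and the sample lines are all constructed assumptions for illustration.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Registration paths named in the IBM X-Force analysis quoted above.
REGISTRATION_PATHS = {"/bots/register", "/BnpOnspQwtjCA/register"}

# Constructed sample proxy log lines (not real traffic). Assumed format:
# <timestamp> <client_ip> <method> <url> <status> accept-language="<value>"
SAMPLE_LOGS = [
    '2021-01-27T10:00:01Z 10.1.2.3 POST https://203.0.113.10/bots/register 200 accept-language="ru-RU,ru;q=0.9,en;q=0.8"',
    '2021-01-27T10:00:02Z 10.1.2.4 POST https://intranet.example/bots/register 200 accept-language="en-US,en;q=0.9"',
    '2021-01-27T10:00:03Z 10.1.2.5 POST https://198.51.100.7/BnpOnspQwtjCA/register 200 accept-language="en;q=0.5,ru"',
    '2021-01-27T10:00:04Z 10.1.2.6 GET https://198.51.100.8/healthz 200 accept-language="ru-RU"',
    'malformed line that the parser must skip',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'accept-language="(?P<lang>[^"]*)"$'
)


def primary_language(accept_language: str) -> str:
    """Most preferred language tag by q-value (first listed wins ties), lowercased."""
    best_tag, best_q = "", -1.0
    for part in accept_language.split(","):
        tag, _, params = part.strip().partition(";")
        m = re.search(r"q=([0-9.]+)", params)
        q = float(m.group(1)) if m else 1.0  # RFC default weight is 1
        if tag and q > best_q:
            best_tag, best_q = tag.lower(), q
    return best_tag


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests to a Diavol-style registration path whose client prefers Russian.
    Requiring both conditions keeps ordinary /register endpoints from alerting."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats
        path = urlparse(m["url"]).path
        lang = primary_language(m["lang"])
        if path in REGISTRATION_PATHS and lang.split("-")[0] == "ru":
            hits.append({"ts": m["ts"], "src": m["src"], "path": path, "lang": lang})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

Only the first and third sample lines match both conditions; the second hits a registration path but from an English-preferring client, and the fourth prefers Russian but targets an unrelated path.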
But unlike the fully functional variant, the development sample not only has its file enumeration and encryption functions left unfinished, it also directly encrypts files with the extension ".lock64" as they are encountered, instead of relying on asynchronous procedure calls. A second deviation detected by IBM is that the original file is not deleted post-encryption, thus obviating the need for a decryption key.
Another clue tying the malware to the Russian threat actors is the code for checking the language on the infected system to filter out victims in Russia or the Commonwealth of Independent States (CIS) region, a known tactic adopted by the TrickBot group.
"Collaboration between cybercrime groups, affiliate programs and code reuse are all parts of a growing ransomware economy," the researchers said. "The Diavol code is relatively new in the cybercrime arena, and less notorious than Ryuk or Conti, but it likely shares ties to the same operators and blackhat coders behind the scenes."