Cybersecurity researchers have disclosed details about an early development version of a nascent ransomware strain called Diavol that has been linked to threat actors behind the infamous TrickBot syndicate.
The latest findings from IBM X-Force show that the ransomware sample shares similarities with other malware that has been attributed to the cybercrime gang, thus establishing a clearer connection between the two.
In early July, Fortinet disclosed specifics of an unsuccessful ransomware attack involving a Diavol payload targeting one of its customers, highlighting the payload's source code overlaps with that of Conti and its practice of reusing some language from Egregor ransomware in its ransom note.
"As part of a rather unique encryption procedure, Diavol operates using user-mode Asynchronous Procedure Calls (APCs) without a symmetric encryption algorithm," Fortinet researchers previously said. "Typically, ransomware authors aim to complete the encryption operation in the shortest amount of time. Asymmetric encryption algorithms are not the obvious choice as they [are] significantly slower than symmetric algorithms."
Now an analysis of an earlier sample of Diavol — compiled on March 5, 2020, and submitted to VirusTotal on January 27, 2021 — has revealed insights into the malware's development process, with the source code capable of terminating arbitrary processes and prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker.
What's more, the initial execution of the ransomware leads to it collecting system information, which is used to generate a unique identifier that is nearly identical to the Bot ID generated by TrickBot malware, apart from the addition of the Windows username field.
Diavol's links to TrickBot also boil down to the fact that the HTTP headers used for command-and-control (C2) communication are set to prefer Russian language content, which matches the language used by the operators.
Another point of similarity between the two ransomware samples concerns the registration process, where the victim machine uses the identifier created in the previous step to register itself with a remote server. "This registration to the botnet is nearly identical in both samples analyzed," IBM Security's Charlotte Hammond and Chris Caridi said. "The primary difference is the registration URL changing from https://[server_address]/bots/register to https://[server_address]/BnpOnspQwtjCA/register."
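The two registration URL paths quoted above, together with the Russian-language preference in the C2 headers, are the kind of detail a defender can turn into a proxy-log check. The following is an added example written for this article, not code from IBM X-Force or Fortinet: it scans constructed proxy log lines for requests whose URL path is one of the two registration paths from the report and notes whether the request's Accept-Language value prefers Russian. The log layout, the sample client and server addresses, and the choice of Accept-Language as the header carrying the language preference are all assumptions made for the example; the source only says the C2 headers prefer Russian content.

```python
import re
from urllib.parse import urlsplit

# Registration paths quoted in the IBM X-Force analysis; the server address is
# elided in the source, so only the URL path is matched here.
DIAVOL_REGISTER_PATHS = {"/bots/register", "/BnpOnspQwtjCA/register"}

# Constructed proxy log excerpt (not real traffic). The field layout is an
# assumption for this example: client_ip method url status accept_language
SAMPLE_PROXY_LOG = """\
10.0.0.5 POST https://203.0.113.10/bots/register 200 ru-RU,ru;q=0.9,en;q=0.5
10.0.0.6 GET https://example.com/index.html 200 en-US,en;q=0.8
10.0.0.7 POST https://198.51.100.7/BnpOnspQwtjCA/register 200 ru,en;q=0.7
10.0.0.8 POST https://example.org/api/register 201 en-US
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)$")


def parse_line(line):
    """Split one log line into a dict; returns None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url, status, accept_language = m.groups()
    return {"client": client, "method": method, "url": url,
            "status": int(status), "accept_language": accept_language}


def is_diavol_registration(url):
    """True when the URL path exactly matches one of the registration paths from the report."""
    return urlsplit(url).path in DIAVOL_REGISTER_PATHS


def prefers_russian(accept_language):
    """True when the first (most preferred) tag of an Accept-Language value is Russian.

    Treating the report's "prefers Russian content" as an Accept-Language value
    is an assumption made for this example.
    """
    first = accept_language.split(",")[0].split(";")[0].strip().lower()
    return first == "ru" or first.startswith("ru-")


def find_registration_events(log_text):
    """Return every parsed line whose path matches a Diavol registration URL,
    annotated with whether its Accept-Language header prefers Russian."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_diavol_registration(rec["url"]):
            rec["russian_preferred"] = prefers_russian(rec["accept_language"])
            events.append(rec)
    return events


if __name__ == "__main__":
    for ev in find_registration_events(SAMPLE_PROXY_LOG):
        print(f"{ev['client']} -> {ev['url']} (ru preferred: {ev['russian_preferred']})")
```

The path match is deliberately exact: a generic `/api/register` endpoint on an unrelated site is not flagged, while both the older `/bots/register` and the newer `/BnpOnspQwtjCA/register` paths are. The language flag is kept as an annotation rather than a filter, since a registration request to either path is worth reviewing regardless of its headers.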
But unlike the fully functional variant, the development sample not only has its file enumeration and encryption capabilities left unfinished, it also directly encrypts files with the extension ".lock64" as they are encountered, instead of relying on asynchronous procedure calls. A second deviation detected by IBM is that the original file is not deleted post encryption, thus obviating the need for a decryption key.
Another clue tying the malware to the Russian threat actors is the code for checking the language on the infected system to filter out victims in Russia or the Commonwealth of Independent States (CIS) region, a known tactic adopted by the TrickBot group.
"Collaboration between cybercrime groups, affiliate programs and code reuse are all parts of a growing ransomware economy," the researchers said. "The Diavol code is relatively new in the cybercrime arena, and less notorious than Ryuk or Conti, but it likely shares ties to the same operators and blackhat coders behind the scenes."