The FBI has officially linked the Diavol ransomware operation to the TrickBot group, the malware developers behind the notorious TrickBot banking trojan.
The TrickBot gang, aka Wizard Spider, develops malware that has wreaked havoc on corporate networks for years, typically resulting in Conti and Ryuk ransomware attacks, network infiltration, financial fraud and corporate espionage.
The TrickBot gang is best known for its namesake, the TrickBot banking trojan, but is also behind the development of the BazarBackdoor and Anchor backdoors.
In July 2021, researchers from FortiGuard Labs published an analysis of a new ransomware called Diavol (Romanian for Devil) that targeted businesses.
Researchers saw Diavol and Conti ransomware payloads deployed on a network in the same ransomware attack in early June 2021.
After analyzing the two ransomware samples, similarities were discovered, such as their use of asynchronous I/O operations for file encryption spooling and nearly identical command line parameters for the same functionality.
At the time, there was insufficient evidence to formally link the two operations.
However, a month later, IBM X-Force researchers established a stronger link between Diavol ransomware and other TrickBot Gang malware, such as Anchor and TrickBot.
Today, the FBI officially announced that it has linked the Diavol ransomware operation to the TrickBot gang in a new advisory sharing indicators of compromise seen in previous attacks.
“The FBI first learned of the Diavol ransomware in October 2021. Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot banking Trojan,” the FBI states in a new FBI Flash Notice.
Since then, the FBI has seen ransom demands between $10,000 and $500,000, with lower payments accepted after ransom negotiations.
These amounts stand in stark contrast to the higher ransoms demanded by other ransomware operations linked to TrickBot, such as Conti and Ryuk, which have historically demanded ransoms in the millions of dollars.
For example, in April, the Conti ransomware operation demanded $40 million from the Broward County school district in Florida and $14 million from the chipmaker Advantech.
The FBI was likely able to officially link Diavol to the TrickBot gang after the arrest of Alla Witte, a Latvian woman involved in developing ransomware for the malware gang.
Vitali Kremez, CEO of AdvIntel, which has tracked TrickBot’s operations, told BleepingComputer that Witte was responsible for the development of the new TrickBot-related ransomware.
“Alla Witte played a critical role in TrickBot’s operations and, based on AdvIntel’s deep conflicting knowledge, she was responsible for the development of the Diavol ransomware and the frontend/backend project to support TrickBot’s operations with the ransomware, specifically tailor-made with the bot’s backconnectivity between TrickBot and Diavol,” Kremez told BleepingComputer in a chat.
“Another name for Diavol ransomware was called ‘Enigma’ ransomware operated by TrickBot team before Diavol rebranding.”
The FBI advisory contains numerous indicators of compromise and mitigations for Diavol, making it essential reading for all security professionals and Windows/network administrators.
It should be noted that the Diavol ransomware originally created ransom notes named “README_FOR_DECRYPT.txt”, as pointed out in the FBI notice, but BleepingComputer saw the ransomware gang switch in November to ransom notes named “Warning.txt”.
The FBI also urges all victims, whether or not they plan to pay a ransom, to promptly notify law enforcement of the attacks so that new IOCs can be collected for use in investigations and law enforcement operations.
If you are affected by a Diavol attack, it is also important to notify the FBI before paying as they “may be able to provide threat mitigation resources to those affected by Diavol ransomware.”