Security researchers from FortiGuard Lab have linked Diavol ransomware to the Wizard Spider threat actor. This cybercrime group is known for focusing on wire fraud in the past. Moreover, Diavol and Conti payloads were used in ransomware attacks targeting different systems in early June.
What's the update?
Diavol is relatively newer ransomware on the threat landscape and a recent report indicated a connection with Wizard Spider. It is a Russia-based financially motivated cybercrime group that operates Trickbot botnet.
Both Diavol and Conti ransomware families' samples use the same asynchronous I/O operations for file encryption queuing, along with virtually identical command-line parameters.
However, despite similarities, the researchers couldn't find a strong connection between Diavol and Wizard Spider. There are some notable differences that make strong attribution impossible.
There are no built-in checks in Diavol that stop the payloads from running on Russian targets' systems, as Conti does. Additionally, there is no evidence of data exfiltration abilities before encryption.
Diavol’s encryption uses user-mode Asynchronous Procedure Calls (APCs) with the asymmetric encryption algorithm. This makes it different from other ransomware families and speeds up the encryption process.
In addition, it lacks any type of obfuscation as it does not use packing or anti-disassembly methods. However, it makes analysis harder by storing its routine in bitmap images.
Upon execution, the ransomware extracts the code from the images' PE resource section and then loads it within a buffer with permissions to run.
The connection of ransomware to already established cybercrime groups shows how ransomware operations are constantly evolving. Therefore, there will be no surprise if more such established cybercrime groups join the list of ransomware operators in the coming months.