Security analysts have provided proof that Diavol ransomware steals data from infected systems. Earlier, FortiGuard Labs researchers had considered the Diavol gang's claim of stealing data from the victim's machine to be a bluff.

What was observed?

The recent report from SpearTip provides several insights about the Diavol ransomware, including its involvement in stealing data.
  • The attackers behind Diavol were observed using Cobalt Strike's HTTP beacon to facilitate data exfiltration.
  • The beacon, named sysr[.]dll, was stored in a folder created by the attackers, making the network communication difficult to detect.
  • Another challenging technique deployed by the actors is that the beacon injects malware into the memory of compromised applications.
  • Researchers further confirmed that the Diavol ransomware group stole data by presenting proof of data stolen from multiple organizations.

The earlier dilemma

Earlier, the Diavol group claimed that the malware has data-stealing capabilities, while the FortiGuard researchers found no such tool used by the group.
  • The recent report provides insights that help address the confusion in FortiGuard's last report about Diavol's data-stealing activity.
  • The ransomware group did not include this capability in its executable package; instead, it leveraged tactics that enable the exfiltration of data from a particularly evasive environment.


The new Diavol group seems to be resilient and evasive in nature. Security professionals need to build a robust security infrastructure to avoid any unpleasant surprises.

Cyware Publisher