Security analysts have provided proof that the Diavol ransomware steals data from infected systems. Earlier, FortiGuard Labs researchers had dismissed the Diavol gang's claim of stealing data from victims' machines as a bluff.
What was observed?
The recent report from SpearTip provides several insights about the Diavol ransomware including its involvement in stealing data.
The attackers behind Diavol were observed using a Cobalt Strike HTTP beacon to exfiltrate data.
The beacon, named sysr[.]dll, was stored in a folder created by the attackers, which made its network communication harder to detect.
Another technique that complicates detection is the beacon's injection of malware into the memory of compromised applications.
Researchers further confirmed that the Diavol ransomware group stole data by presenting proof of data stolen from multiple organizations.
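A defender-side illustration of the observations above, added here and not part of the original report: a small triage routine that scans constructed Sysmon-style image-load records for the sysr.dll beacon being loaded from outside standard Windows directories. The log format, the trusted-directory list and the sample lines are assumptions for the example.

```python
"""Flag loads of the Diavol beacon DLL (reported as sysr[.]dll) from
attacker-created folders. Log format and sample records are constructed."""
import re

# DLL name reported for the Cobalt Strike HTTP beacon used by Diavol.
SUSPECT_DLLS = {"sysr.dll"}

# Assumed roots a legitimate DLL load normally comes from; a beacon dropped
# into a newly created folder falls outside all of them.
TRUSTED_PREFIXES = (
    r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\program files", r"c:\program files (x86)",
)

# Assumed flattened field layout: key=value pairs separated by '|'.
LINE_RE = re.compile(
    r"Image=(?P<image>[^|]+)\|ImageLoaded=(?P<loaded>[^|]+)\|Signed=(?P<signed>true|false)"
)


def parse(line):
    """Return the fields of one image-load record, or None if unparseable."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def _in_trusted_dir(path):
    p = path.replace("/", "\\").lower()
    return any(p.startswith(prefix + "\\") for prefix in TRUSTED_PREFIXES)


def is_suspicious(rec):
    """Heuristic: suspect DLL name loaded from an untrusted path or unsigned."""
    loaded = rec["loaded"]
    name = loaded.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in SUSPECT_DLLS:
        return False
    return (not _in_trusted_dir(loaded)) or rec["signed"] == "false"


def triage(lines):
    """Return (host process, loaded DLL) for every suspicious record."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and is_suspicious(rec):
            hits.append((rec["image"], rec["loaded"]))
    return hits


# Constructed sample records: one beacon load into explorer.exe, two benign.
SAMPLE_LOG = [
    r"EventID=7|Image=C:\Windows\explorer.exe|ImageLoaded=C:\ProgramData\updsvc\sysr.dll|Signed=false",
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"EventID=7|Image=C:\Program Files\App\app.exe|ImageLoaded=C:\Program Files\App\sysr.dll|Signed=true",
]

if __name__ == "__main__":
    for image, dll in triage(SAMPLE_LOG):
        print(f"suspicious load: {dll} in {image}")
```

The third record shows the heuristic's limit: a signed file with the same name under Program Files is not flagged, so name alone is not treated as proof.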
The earlier dilemma
Earlier, the Diavol group claimed that the malware has data-stealing capabilities, while the FortiGuard researchers found no such tool used by the group.
The recent report provides insights that help resolve the confusion left by FortiGuard's earlier report about Diavol's data-stealing activity.
The ransomware group did not build this capability into its executable package; instead, it relied on tactics that enable data exfiltration while remaining evasive.
The new Diavol group appears to be resilient and evasive in nature. Security professionals need to build a robust security infrastructure to avoid any unpleasant surprises.