The FBI has published a new advisory detailing the connection of Diavol ransomware with the Trickbot operators. Diavol ransomware was first observed targeting corporate victims in July 2021 and since then it has been operating discreetly.
The key witness
The connection was made after the arrest of a Latvian woman, who played a role in the development of ransomware for the Trickbot group.
She was responsible for the development of the Diavol ransomware and frontend/backend project to support TrickBot operations with connectivity between Diavol and TrickBot.
Detail from the investigation
The FBI first observed Diavol ransomware in October 2021.
The FBI noted that the ransomware group demands between $10,000 and $500,000 in ransom after attacks, which could be further lowered after ransom negotiations.
These amounts are opposite to the higher ransom demanded by other ransomware operations related to TrickBot, Conti, and Ryuk, known for demanding multi-million dollar ransoms.
Previous efforts of establishing the connection
In July 2021, researchers released an analysis of Diavol (Romanian for Devil) that was targeting corporate victims.
After analyzing, similarities were discovered in two ransomware samples, such as asynchronous I/O operations for file encryption queuing and identical command-line parameters for the same function.
In the same month, IBM X-Force established a stronger connection between Diavol and other malware of the TrickBot group, such as TrickBot and Anchor.
The recent connection between Diavol and TrickBot shows how threat groups are working together. Moreover, the advisory from the FBI includes various indicators of compromise and mitigations for Diavol. Organizations must follow the recommendations provided in it and leverage the IOCs to strengthen their security posture.