Diavol

Description

Diavol is a ransomware strain first observed in June 2021, associated with the Wizard Spider threat group—best known for operating the TrickBot malware and the Conti ransomware. It uses a double-extortion model, encrypting victim files and exfiltrating sensitive data for additional leverage. The ransomware is written in C and employs a multi-threaded encryption routine using the ChaCha20 algorithm with RSA-2048 to secure encryption keys. Early variants appended no custom extension to files, relying instead on changing file headers, but later versions began appending extensions. Initial access vectors include exploitation of vulnerable systems and the use of TrickBot or BazarLoader infections as staging points. Victims are directed to a Tor-based negotiation portal through ransom notes.

External Analysis
https://arcticwolf.com/resources/blog/karakurt-web
https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/
https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/
https://medium.com/walmartglobaltech/diavol-resurfaces-91dd93c7d922
https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648
https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/
https://thedfirreport.com/2021/12/13/diavol-ransomware/
https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/
https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/
https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/
https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/
https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider
https://www.ic3.gov/Media/News/2022/220120.pdf
https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday

Urls

File servers

Chat servers
https://7ypnbv3snejqmgce4kbewwvym4cm5j6lkzf2hra2hyhtsvwjaxwipkyd.onion

Admin servers