1. Home
  2. Software
  3. Diavol

Diavol

Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The Diavol Ransomware-as-a Service (RaaS) program is managed by Wizard Spider and it has been observed being deployed by Bazar.[1][2][3][4]

ID: S0659
Type: MALWARE
Platforms: Windows
Contributors: Massimiliano Romano, BT Security
Version: 2.0
Created: 12 November 2021
Last Modified: 04 December 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1562 .001 妨碍防御: Disable or Modify Tools

Diavol can attempt to stop security software.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

Diavol has used HTTP GET and POST requests for C2.[1]
Enterprise T1486 数据加密以实现影响

Diavol has encrypted files using an RSA key though the CryptEncrypt API and has appended filenames with ".lock64". [1]
Enterprise T1485 数据销毁

Diavol can delete specified files from a targeted system.[1]
Enterprise T1083 文件和目录发现

Diavol has a command to traverse the files and directories in a given path.[1]

Enterprise T1489 服务停止

Diavol will terminate services using the Service Control Manager (SCM) API.[1]

Enterprise T1106 本机API

Diavol has used several API calls like GetLogicalDriveStrings, SleepEx, SystemParametersInfoAPI, CryptEncrypt, and others to execute parts of its attack.[1]
Enterprise T1027 混淆文件或信息

Diavol has Base64 encoded the RSA public key used for encrypting files.[1]
.003 Steganography

Diavol has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques.[1]

Enterprise T1491 .001 篡改: Internal Defacement

After encryption, Diavol will capture the desktop background window, set the background color to black, and change the desktop wallpaper to a newly created bitmap image with the text "All your files are encrypted! For more information see "README-FOR-DECRYPT.txt".[1]
Enterprise T1082 系统信息发现

Diavol can collect the computer name and OS version from the system.[1]
Enterprise T1490 系统恢复抑制

Diavol can delete shadow copies using the IVssBackupComponents COM object to call the DeleteSnapshots method.[1]
Enterprise T1033 系统所有者/用户发现

Diavol can collect the username from a compromised host.[1]
Enterprise T1016 系统网络配置发现

Diavol can enumerate victims' local and external IPs when registering with C2.[1]
Enterprise T1135 网络共享发现

Diavol has a ENMDSKS command to enumerates available network shares.[1]

Enterprise T1105 输入工具传输

Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.[1]
Enterprise T1057 进程发现

Diavol has used CreateToolhelp32Snapshot, Process32First, and Process32Next API calls to enumerate the running processes in the system.[1]
Enterprise T1021 .002 远程服务: SMB/Windows Admin Shares

Diavol can spread throughout a network via SMB prior to encryption.[1]
Enterprise T1018 远程系统发现

Diavol can use the ARP table to find remote hosts to scan.[1]

Groups That Use This Software

ID Name References
G0102 Wizard Spider

[4]

References

  1. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  2. FBI. (2022, January 19). Indicators of Compromise Associated with Diavol. Retrieved March 9, 2022.
  1. DFIR Report. (2021, December 13). Diavol Ransomware. Retrieved March 9, 2022.
  2. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.