FortiGuard researchers compared Diavol and Conti ransomware

Jul 6, 2021 09:19 GMT  ·  By

The newest Diavol ransomware outbreak, according to FortiGuard analysts, is linked to the Wizard Spider cybercriminal gang, a group that has been involved in wire fraud in the past. Furthermore, the Diavol and Conti payloads were used in ransomware attacks that took place in early June against a variety of target devices, according to Cyware.

The payload encrypts files through Asynchronous Procedure Calls (APCs) combined with an asymmetric encryption algorithm. This design lets it encrypt faster than other malware families.

The modus operandi entails retrieving its code from the resource section of the PE image; the malware then runs it from a buffer with various permissions. Since it doesn't rely on packing or anti-disassembly methods, it lacks any type of obfuscation and instead stores its procedures in bitmap images.
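As an added example (not from the FortiGuard report or this article), a defender-side heuristic for the bitmap-resource trick described above: it validates a resource blob's BMP header against its real length and counts common x86 function-prologue byte patterns in the pixel area, which genuine image data rarely contains. The BMP layout is real; the prologue list, the two-hit threshold and the sample blobs are assumptions constructed here.

```python
import struct

# Assumption: a short, illustrative list of x86/x64 function-prologue byte
# sequences, not an exhaustive signature set.
PROLOGUES = (
    b"\x55\x8b\xec",        # push ebp; mov ebp, esp
    b"\x48\x89\x5c\x24",    # mov [rsp+imm8], rbx
    b"\x48\x83\xec",        # sub rsp, imm8
)

def make_bmp(pixel_data: bytes, width: int, height: int, bpp: int = 24) -> bytes:
    """Build a minimal uncompressed BMP: 14-byte file header + 40-byte BITMAPINFOHEADER."""
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixel_data), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                          len(pixel_data), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixel_data

def inspect_bitmap_resource(blob: bytes, min_hits: int = 2) -> dict:
    """Flag a resource that claims to be a bitmap but is structurally inconsistent
    or whose pixel area looks like machine code."""
    findings = []
    if len(blob) < 54 or blob[:2] != b"BM":
        return {"suspicious": True, "prologue_hits": 0, "findings": ["not a BMP"]}
    declared_size, _, _, pixel_off = struct.unpack_from("<IHHI", blob, 2)
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", blob, 14)
    if declared_size != len(blob):
        findings.append("declared file size differs from resource size")
    if not 54 <= pixel_off < len(blob):
        findings.append("pixel data offset outside the blob")
        pixel_off = 54
    stride = ((abs(width) * bpp + 31) // 32) * 4   # BMP rows are padded to 4 bytes
    if len(blob) - pixel_off != stride * abs(height):
        findings.append("pixel data length does not match declared dimensions")
    pixels = blob[pixel_off:]
    hits = sum(pixels.count(p) for p in PROLOGUES)
    if hits >= min_hits:
        findings.append(f"{hits} x86 prologue patterns in pixel data")
    return {"suspicious": bool(findings), "prologue_hits": hits, "findings": findings}

# Constructed samples: a genuine 2x2 image and a "bitmap" whose pixels are code bytes.
BENIGN_BITMAP = make_bmp(b"\xff\x00\x00\x00\xff\x00\x00\x00" * 2, 2, 2)
CODE_BITMAP = make_bmp(b"\x55\x8b\xec\x83\xec\x10\x56\x8b\x75\x08\xc9\xc3" * 16, 16, 4)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_BITMAP), ("code", CODE_BITMAP)):
        print(name, inspect_bitmap_resource(blob))
```

A truncated or padded blob is caught by the size and dimension checks even when its pixel bytes look harmless, so the two checks complement each other.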

What is the most recent development in the Diavol ransomware? 

Unlike Conti, Diavol does not include any pre-defined checks to prevent the payload from executing on Russian targets' devices, nor does it exfiltrate data before encryption. Then again, based on the analysis of the ransomware samples, both use asynchronous I/O operations for queuing file encryption and have identical command-line inputs.

On the other hand, based on this information alone it is hard to state that there is a solid link between Wizard Spider and Diavol. Both were used in different cyberattacks earlier in June, but focused on different targets.

Because ransomware is associated with established cybercriminal gangs, it is clear that ransomware operations are never static; they keep evolving day after day and attack after attack. The ransomware field is maturing, so we shouldn't be surprised if other cybercrime organizations get involved with ransomware in the near future.