Researchers launched a new investigation into the Diavol ransomware and discovered some intriguing information

Aug 23, 2021 14:04 GMT  ·  By

IBM X-Force published the specifics of an early variant of an emerging ransomware strain dubbed Diavol, according to Security Intelligence.

Several months ago, Fortinet discovered an unsuccessful ransomware attempt using the Diavol payload against one of the firm's clients. When Fortinet's researchers investigated the incident, they concluded that the strain was capable of launching successful attacks. IBM's security specialists disagree, however, stating that the malware is still in an early stage of development and that it was built solely for the purpose of research and development.

The Diavol ransomware sample uses RSA encryption and can prioritize the file types to be locked based on a set of extensions defined by the attacker. To increase the chances of successfully locking files, Diavol can terminate processes and services that hold them open.

The first phase of the attack collects basic system information, such as the network adapter and Windows version. In the next phase, the malware uses a hard-coded command-and-control (C2) address to register the target system, identified by a bot ID and a group ID, with the attacker's infrastructure.

In the development sample IBM X-Force assessed, the configuration is hard-coded and stored in the PE file itself, rather than in the .data section as in the later, active version. The configuration ends with a list of numbers giving the offsets of its elements and the total size of the configuration section, which the malware reads and uses.

Security experts offer the following advice for defending against ransomware attacks:

  • Establish a plan to prevent unauthorized data exfiltration, especially large file transfers to legitimate cloud storage sites
  • Secure remote desktop protocol (RDP) access with multifactor authentication at every remote access point in the enterprise network, or disable it entirely. Several ransomware attacks have used poorly secured RDP connections to gain initial network access
  • Analyze user activity to detect security threats. Assume that a breach has already occurred, and audit and monitor privileged accounts and groups so that abuse can be detected and responded to quickly
  • Create and retain offline backups, stored outside of any network zone that attackers can reach. Effective backups help organizations recover from ransomware attacks
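The second and third recommendations above (monitor RDP access, audit privileged group abuse) can be turned into a small triage routine over Windows Security log records. The following is an added example, not code from the article or from IBM X-Force. The event records are constructed; the event IDs and logon type are standard Windows values (4728/4732/4756 for a member added to a security-enabled global/local/universal group, 4624 with logon type 10 for an RDP logon), and the set of groups treated as privileged is an assumption about the environment.

```python
"""Triage Windows Security events for two ransomware precursors:
RDP logons outside business hours and additions to privileged groups.
Added example; sample events below are constructed, not real log data."""

# Constructed sample records, shaped like fields exported from the Security log.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "j.doe",
     "IpAddress": "203.0.113.45", "Time": "2021-08-20T02:14:00Z"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "a.smith",
     "IpAddress": "-", "Time": "2021-08-20T08:01:00Z"},
    {"EventID": 4732, "SubjectUserName": "j.doe", "TargetUserName": "Administrators",
     "MemberName": "CN=svc-backup", "Time": "2021-08-20T02:20:00Z"},
    {"EventID": 4728, "SubjectUserName": "helpdesk", "TargetUserName": "Domain Admins",
     "MemberName": "CN=temp1", "Time": "2021-08-20T02:22:00Z"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "j.doe",
     "IpAddress": "203.0.113.45", "Time": "2021-08-20T02:30:00Z"},
]

# Standard Windows event IDs for "member added to a security-enabled group".
PRIVILEGED_GROUP_EVENTS = {4728, 4732, 4756}
# Assumption: the groups this environment considers privileged.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
RDP_LOGON_TYPE = 10  # 4624 logon type 10 = RemoteInteractive (RDP)


def find_privileged_group_additions(events):
    """Return (time, actor, group, member) for each addition to a privileged group."""
    hits = []
    for e in events:
        if e["EventID"] in PRIVILEGED_GROUP_EVENTS and e["TargetUserName"] in PRIVILEGED_GROUPS:
            hits.append((e["Time"], e["SubjectUserName"], e["TargetUserName"], e["MemberName"]))
    return hits


def find_rdp_logons(events, business_hours=(7, 19)):
    """Return (time, user, source_ip) for RDP logons outside business hours (UTC)."""
    start, end = business_hours
    hits = []
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") == RDP_LOGON_TYPE:
            hour = int(e["Time"][11:13])  # ISO-8601 timestamp, hour field
            if not (start <= hour < end):
                hits.append((e["Time"], e["TargetUserName"], e["IpAddress"]))
    return hits


def triage(events):
    """Correlate the two signals: a privileged group change by an account that
    earlier logged on via RDP outside business hours is escalated to 'high'."""
    rdp = find_rdp_logons(events)
    alerts = []
    for t, actor, group, member in find_privileged_group_additions(events):
        # ISO-8601 strings in UTC compare correctly as plain strings.
        preceded_by_rdp = any(u == actor and rt <= t for rt, u, _ in rdp)
        alerts.append({"severity": "high" if preceded_by_rdp else "medium",
                       "time": t, "actor": actor, "group": group, "member": member,
                       "reason": "member added to privileged group"})
    for t, user, ip in rdp:
        alerts.append({"severity": "low", "time": t, "actor": user, "source": ip,
                       "reason": "RDP logon outside business hours"})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["time"], a["actor"], a["reason"])
```

In a real deployment the records would come from a SIEM export or `Get-WinEvent`, and the business-hours window and privileged-group set would be tuned per environment; the correlation step is what turns two routine events into one actionable alert.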