FBI Shares IoCs Associated with Diavol Ransomware Attacks

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Flash Alert sharing indicators of compromise (IoCs) associated Diavol ransomware attacks and recommended mitigations.

Diavol ransomware is believed to be used by the operators of the TrickBot banking Trojan and botnet, who are also believed to operate Conti and Ryuk ransomware. The new ransomware family was first detected in July 2021 and came to the attention of the FBI in October 2021, and has since been used in multiple attacks worldwide.

Many of the ransomware variants used in attacks in the United States have involved double encryption, where sensitive files are exfiltrated before encryption and threats are issued to publish or sell the stolen data if the ransom is not paid. Organizations with deep pockets are often targeted and multi-million-dollar ransom demands are issued.

While victims of Diavol ransomware attacks are given ransom demands that include threats to leak data, the FBI says it is yet to observe any publication of stolen data, even though the TrickBot gang has set up a data leak site and published data stolen in their Conti ransomware attacks.

The ransom note dropped on the victims’ computer provides a URL that can be accessed using the Tor browser, where victims can make contact to discuss payment. The attackers are known to issue smaller ransom demands than with other ransomware attacks, with the demands ranging from $10,000 to $500,000. The FBI said the attackers seem willing to enter into negotiations with victims and accept smaller ransom payments.

Diavol ransomware can terminate processes and services and encrypts a pre-configured list of file extensions, appending the encrypted files with the .lock64 file extension.  The attacker defines the files that will be encrypted and can prioritize certain file types. The encryption process solely uses an RSA encryption key.

The FBI says the method used for generating unique identifiers for each victim device is almost identical to those used by the TrickBot Trojan and Anchor DNS malware, both of which are used by the TrickBot gang.

The FBI has provided a list of mitigations for hardening defenses and reducing the severity of a successful Diavol ransomware attack. While the FBI does not recommend paying the ransom, it is understood that there may not be an alternative for some victims. Regardless of whether the ransom is paid, the FBI encourages victims to get in touch with their local FBI field office and to provide as much information as possible about the attack, including boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news