
Diavol Ransomware

The Diavol Ransomware is a newly detected ransomware threat that does not belong to any of the already established ransomware families. The threat was discovered by the infosec researchers at Fortinet and was deployed alongside a newer version of the Conti Ransomware. Diavol has a wide range of threatening capabilities and reflects some peculiar choices made by its creators.

Diavol Ransomware's Characteristics

Diavol is not equipped with any anti-disassembly measures and is not packed. It does, however, employ an uncommon technique to obfuscate its code. The threat keeps its main routines inside bitmap images stored in the PE resource section. Whenever a routine is needed, the malware copies its bytes from the image into a global buffer that has execute permissions.

Once deployed on the targeted system, Diavol begins execution and works through multiple subroutines, each tasked with performing a different activity. The first action of the ransomware is to generate a unique identifier for the compromised machine. Diavol also reaches out and establishes a connection with a Command-and-Control server via a POST request.

Afterward, the ransomware will attempt to maximize its reach, as well as the damage it can cause, by terminating certain services and processes. The threat goes after programs that could potentially prevent it from encrypting valuable user files, such as office applications, Web servers, virtual machines, financial and accounting software, databases, etc. During the implementation of these functions, however, the cybercriminals made several noticeable mistakes, such as mixing up the function for terminating processes and the one for stopping services. Furthermore, the hardcoded list of targeted services includes entries that are not services at all, such as 'winword.exe.' The process list is in similar disarray, with only the last three entries appearing to be the names of legitimate processes, and one of those is misspelled.

The Encryption Process

The vast majority of ransomware threats employ symmetric encryption algorithms when it comes to locking the victim's files. The reason is quite simple: symmetric encryption is a lot faster, leaving the target with less time to respond if the ransomware threat is detected. In a two-phase process, the files are encrypted with the symmetric algorithm and only the symmetric key itself is then encrypted with an asymmetric algorithm, so that recovering it requires the private key held by the attackers. The Diavol Ransomware, however, uses the RSA asymmetric algorithm for its entire encryption routine. It should be noted that Diavol generates text files carrying its ransom note in all folders, regardless of whether they contain encrypted files or not. The text files are named 'README-FOR-DECRYPT.txt.'

The threat prevents users from potentially restoring their locked files via the default Windows features by deleting the Shadow Volume Copies. The final step performed by Diavol is to change the desktop wallpaper of the compromised system. It creates a new image with a black background and the following message: "All your files are encrypted! For more information see 'README-FOR-DECRYPT.txt.'" The default desktop wallpaper is then substituted with the newly created image.
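The behaviours described above (ransom notes dropped into many folders, mass termination of processes, and deletion of Shadow Volume Copies) are each observable from host telemetry. The following detection heuristics are an added example written for this page; they are not code from the original article or from Fortinet's analysis. The event tuples are constructed sample data in a simplified Sysmon-like shape, the process names other than 'winword.exe' are illustrative, and the assumption that shadow copies are removed through a `vssadmin delete shadows` command is mine, not something the article states.

```python
"""Host-based detection heuristics for Diavol-style ransomware behaviour.

Added example; runs over constructed sample events, not real telemetry.
Each event is (timestamp, kind, actor_process, detail) where kind is one of
file_create, proc_create, proc_terminate.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_NAME = "README-FOR-DECRYPT.txt"  # ransom note name described on the page

# Assumption (not stated on the page): shadow copies are deleted via vssadmin.exe
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Constructed sample events; 'diavol.exe' is a placeholder actor name
SAMPLE_EVENTS = [
    ("10:00:01", "file_create", "diavol.exe", r"C:\Users\alice\Documents\README-FOR-DECRYPT.txt"),
    ("10:00:01", "file_create", "diavol.exe", r"C:\Users\alice\Pictures\README-FOR-DECRYPT.txt"),
    ("10:00:02", "file_create", "diavol.exe", r"C:\Users\alice\Music\README-FOR-DECRYPT.txt"),
    ("10:00:03", "proc_create", "diavol.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("10:00:04", "proc_terminate", "diavol.exe", "winword.exe"),
    ("10:00:04", "proc_terminate", "diavol.exe", "sqlservr.exe"),
    ("10:00:05", "file_create", "explorer.exe", r"C:\Users\alice\Documents\notes.txt"),
]


def ransom_note_dirs(events, note_name=NOTE_NAME):
    """Map each actor process to the set of directories where it wrote the ransom note."""
    dirs = defaultdict(set)
    for _, kind, actor, detail in events:
        if kind != "file_create":
            continue
        path = PureWindowsPath(detail)
        if path.name.lower() == note_name.lower():
            dirs[actor].add(str(path.parent))
    return dict(dirs)


def shadow_copy_deletions(events):
    """Return (actor, command line) pairs that match a shadow copy deletion."""
    return [
        (actor, detail)
        for _, kind, actor, detail in events
        if kind == "proc_create" and SHADOW_DELETE_RE.search(detail)
    ]


def mass_terminations(events, threshold=2):
    """Return actors that terminated at least `threshold` distinct processes."""
    victims = defaultdict(set)
    for _, kind, actor, detail in events:
        if kind == "proc_terminate":
            victims[actor].add(detail.lower())
    return {a: sorted(v) for a, v in victims.items() if len(v) >= threshold}


def alerts(events, note_dir_threshold=3):
    """Combine the three heuristics into human-readable alert lines."""
    out = []
    for actor, dirs in ransom_note_dirs(events).items():
        # A single note in one folder is noise; the same note across many folders is not
        if len(dirs) >= note_dir_threshold:
            out.append(f"{actor}: ransom note written to {len(dirs)} directories")
    for actor, cmd in shadow_copy_deletions(events):
        out.append(f"{actor}: shadow copy deletion ({cmd})")
    for actor, procs in mass_terminations(events).items():
        out.append(f"{actor}: terminated {len(procs)} processes ({', '.join(procs)})")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT", line)
```

The directory threshold is the important knob: a legitimate application may write one text file with an unusual name, but the same file name appearing across many unrelated directories within seconds, combined with a shadow copy deletion from the same process, is the pattern worth paging on. In production the event source would be an EDR or Sysmon feed rather than the constructed list used here.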
