The Federal Bureau of Investigation (FBI) has detailed evidence connecting the new Diavol ransomware to the TrickBot Group, the prolific gang behind the eponymous banking trojan.
Diavol hit researchers’ radars in mid-2021 when Fortinet published a technical analysis of Diavol that established some links to Wizard Spider, another name for Trickbot Group, which researchers have also been tracking in connection with the “double extortion” Ryuk ransomware.
Trickbot’s tools include the Anchor_DNS backdoor, which transmits data between victim machines and Trickbot-controlled servers using Domain Name System (DNS) tunneling, so that malicious traffic blends in with normal DNS traffic.
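DNS tunneling of the kind attributed to Anchor_DNS above has to encode data into query names, which leaves a statistical footprint. The following is an added example, not code from the article or the FBI note: a generic heuristic (not specific to Anchor_DNS’s actual encoding, which the article does not describe) that groups queries by registered domain and flags domains receiving many distinct, long, high-entropy subdomains. The log lines are constructed for the example, and the two-label registered-domain rule is a simplifying assumption.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (timestamp, client, qname, qtype).
# These are made-up queries, not real Anchor_DNS traffic.
SAMPLE_LOG = """\
2022-01-20T10:00:01Z 10.0.0.5 www.example.com A
2022-01-20T10:00:02Z 10.0.0.5 mail.example.com A
2022-01-20T10:00:03Z 10.0.0.7 4f2a9c1e7b3d.8e6a1c0f9b2d.cdn-updates.example.net TXT
2022-01-20T10:00:04Z 10.0.0.7 9a1b3c5d7e0f.2c4e6a8b0d1f.cdn-updates.example.net TXT
2022-01-20T10:00:05Z 10.0.0.7 1e3d5c7b9a0f.6b8d0f2a4c6e.cdn-updates.example.net TXT
2022-01-20T10:00:06Z 10.0.0.7 7c9e1a3b5d0f.0a2c4e6b8d1f.cdn-updates.example.net TXT
2022-01-20T10:00:07Z 10.0.0.5 www.example.com AAAA
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def score_domains(log_text, min_queries=3, min_entropy=3.0, min_sub_len=20):
    """Return {domain: stats} for domains whose subdomains look like encoded data:
    at least min_queries distinct subdomains that are long and high-entropy on average."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        qname = parts[2]
        domain = registered_domain(qname)
        sub = qname[: -(len(domain) + 1)] if len(qname) > len(domain) else ""
        per_domain[domain].append(sub)
    flagged = {}
    for domain, subs in per_domain.items():
        distinct = set(subs)
        if len(distinct) < min_queries:
            continue
        avg_len = sum(len(s) for s in distinct) / len(distinct)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in distinct) / len(distinct)
        if avg_len >= min_sub_len and avg_ent >= min_entropy:
            flagged[domain] = {"distinct_subdomains": len(distinct),
                               "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)}
    return flagged
```

On real resolver logs the thresholds need tuning against legitimate high-volume domains (CDNs, anti-spam lookups) before the output is used for alerting.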
The FBI has been on to Diavol since October. The link it draws between Diavol and Trickbot is that the unique bot identifier (Bot ID) Diavol generates for each victim is “nearly identical” in format to the one used by the Trickbot and Anchor_DNS malware. Once Diavol has generated the Bot ID, it encrypts files on that machine, appends the “.lock64” file extension to them, and displays the ransom message.
“Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan,” the FBI said in a new flash note, warning that it has seen extortion demands up to $500,000.
Unlike Ryuk, the FBI has not seen Diavol leak victim data, despite the group’s message containing a threat to do so. Diavol’s ransom note states:
“Take into consideration that we have also downloaded data from your network
That In case of not making payment will be published on our news website.”
“Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker,” the FBI said.
“While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments.”
Although the FBI acknowledges that some victims have negotiated ransoms down with Diavol actors, it still discourages such agreements, since paying doesn’t guarantee files will be recovered, and advises against payment because it might embolden the attackers and fund future attacks.
On the other hand, the FBI expresses sympathy for victims that do negotiate with attackers.
“The FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers. The FBI may be able to provide threat mitigation resources to those impacted by Diavol ransomware,” it said.
The FBI is also calling on victim organizations to share with it “boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.”
But providing mitigation resources is different from helping recover paid funds. In Colonial Pipeline’s case, the FBI and Justice Department recovered about half of the extorted funds by using the Bitcoin public ledger to trace the payments back to “a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.”
But not every victim organization is a critical infrastructure provider that attracts the attention of the White House, which has since called on the Kremlin to take action against ransomware attacks originating in Russia. Russian authorities last week conducted a rare raid against members of REvil, which has links to DarkSide.