S0659 Diavol
Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. Diavol has been deployed by Bazar and is thought to have potential ties to Wizard Spider.[3][2][1]
| Item | Value | 
|---|---|
| ID | S0659 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.0 | 
| Created | 12 November 2021 | 
| Last Modified | 15 April 2022 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - | 
| enterprise | T1071.001 | Web Protocols | Diavol has used HTTP GET and POST requests for C2.[3] | 
| enterprise | T1485 | Data Destruction | Diavol can delete specified files from a targeted system.[3] | 
| enterprise | T1486 | Data Encrypted for Impact | Diavol has encrypted files using an RSA key through the CryptEncrypt API and has appended filenames with ".lock64".[3] | 
| enterprise | T1491 | Defacement | - | 
| enterprise | T1491.001 | Internal Defacement | After encryption, Diavol will capture the desktop background window, set the background color to black, and change the desktop wallpaper to a newly created bitmap image with the text "All your files are encrypted! For more information see README-FOR-DECRYPT.txt".[3] | 
| enterprise | T1083 | File and Directory Discovery | Diavol has a command to traverse the files and directories in a given path.[3] | 
| enterprise | T1562 | Impair Defenses | - | 
| enterprise | T1562.001 | Disable or Modify Tools | Diavol can attempt to stop security software.[3] | 
| enterprise | T1105 | Ingress Tool Transfer | Diavol can receive configuration updates and additional payloads, including wscpy.exe, from C2.[3] | 
| enterprise | T1490 | Inhibit System Recovery | Diavol can delete shadow copies using the IVssBackupComponents COM object to call the DeleteSnapshots method.[3] | 
| enterprise | T1106 | Native API | Diavol has used several API calls, such as GetLogicalDriveStrings, SleepEx, SystemParametersInfo, CryptEncrypt, and others, to execute parts of its attack.[3] | 
| enterprise | T1135 | Network Share Discovery | Diavol has an ENMDSKS command to enumerate available network shares.[3] | 
| enterprise | T1027 | Obfuscated Files or Information | Diavol has Base64 encoded the RSA public key used for encrypting files.[3] | 
| enterprise | T1027.003 | Steganography | Diavol has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques.[3] | 
| enterprise | T1057 | Process Discovery | Diavol has used the CreateToolhelp32Snapshot, Process32First, and Process32Next API calls to enumerate the running processes on the system.[3] | 
| enterprise | T1021 | Remote Services | - | 
| enterprise | T1021.002 | SMB/Windows Admin Shares | Diavol can spread throughout a network via SMB prior to encryption.[3] | 
| enterprise | T1018 | Remote System Discovery | Diavol can use the ARP table to find remote hosts to scan.[3] | 
| enterprise | T1489 | Service Stop | Diavol will terminate services using the Service Control Manager (SCM) API.[3] | 
| enterprise | T1082 | System Information Discovery | Diavol can collect the computer name and OS version from the system.[3] | 
| enterprise | T1016 | System Network Configuration Discovery | Diavol can enumerate victims' local and external IPs when registering with C2.[3] | 
| enterprise | T1033 | System Owner/User Discovery | Diavol can collect the username from a compromised host.[3] | 
References
1. DFIR Report. (2021, December 13). Diavol Ransomware. Retrieved March 9, 2022.
2. FBI. (2022, January 19). Indicators of Compromise Associated with Diavol. Retrieved March 9, 2022.
3. Neeamni, D., & Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.