Skip to content

S0659 Diavol

Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. Diavol has been deployed by Bazar and is thought to have potential ties to Wizard Spider.321

Item Value
ID S0659
Associated Names
Version 1.0
Created 12 November 2021
Last Modified 15 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Diavol has used HTTP GET and POST requests for C2.3
enterprise T1485 Data Destruction Diavol can delete specified files from a targeted system.3
enterprise T1486 Data Encrypted for Impact Diavol has encrypted files using an RSA key though the CryptEncrypt API and has appended filenames with “.lock64”. 3
enterprise T1491 Defacement -
enterprise T1491.001 Internal Defacement After encryption, Diavol will capture the desktop background window, set the background color to black, and change the desktop wallpaper to a newly created bitmap image with the text “All your files are encrypted! For more information see “README-FOR-DECRYPT.txt”.3
enterprise T1083 File and Directory Discovery Diavol has a command to traverse the files and directories in a given path.3
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Diavol can attempt to stop security software.3
enterprise T1105 Ingress Tool Transfer Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.3
enterprise T1490 Inhibit System Recovery Diavol can delete shadow copies using the IVssBackupComponents COM object to call the DeleteSnapshots method.3
enterprise T1106 Native API Diavol has used several API calls like GetLogicalDriveStrings, SleepEx, SystemParametersInfoAPI, CryptEncrypt, and others to execute parts of its attack.3
enterprise T1135 Network Share Discovery Diavol has a ENMDSKS command to enumerates available network shares.3
enterprise T1027 Obfuscated Files or Information Diavol has Base64 encoded the RSA public key used for encrypting files.3
enterprise T1027.003 Steganography Diavol has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques.3
enterprise T1057 Process Discovery Diavol has used CreateToolhelp32Snapshot, Process32First, and Process32Next API calls to enumerate the running processes in the system.3
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Diavol can spread throughout a network via SMB prior to encryption.3
enterprise T1018 Remote System Discovery Diavol can use the ARP table to find remote hosts to scan.3
enterprise T1489 Service Stop Diavol will terminate services using the Service Control Manager (SCM) API.3
enterprise T1082 System Information Discovery Diavol can collect the computer name and OS version from the system.3
enterprise T1016 System Network Configuration Discovery Diavol can enumerate victims’ local and external IPs when registering with C2.3
enterprise T1033 System Owner/User Discovery Diavol can collect the username from a compromised host.3