Monday, June 16, 2025

Newly Uncovered Diavol Ransomware Sample Possibly Link to The Infamous TrickBot Group


Researchers have uncovered a new sample of the "Diavol" ransomware that is possibly linked to the infamous TrickBot group.

TrickBot made its name as one of the top banking Trojans in the wild, attacking a wide range of international banks and other organizations using malicious web injects.

Ransomware remains a major concern, frequently hitting organizations and individuals around the globe.


The sample uncovered by IBM X-Force differs from the one previously identified by Fortinet.

Unlike the Fortinet sample, which was fully functional, weaponized and used directly in attacks, this one appears to be a development version of Diavol.

Analysis of the code raised a flag: it carries configuration traces that resemble those used by the TrickBot group.

Comparing the two samples shows that they were compiled at different times: the development sample on March 5, 2020, and the active sample on April 30, 2021.

Collaboration between cybercrime groups and the sharing of source code between threat actors have become routine parts of a growing ransomware economy.

Technical Analysis & Infection Process

In-depth analysis of the identified sample reveals that the attackers use an RSA encryption key to encrypt the victim's files.

Before starting its main routine, it collects basic information about the targeted system, such as the Windows version and network adapter details.

Soon after, it attempts to contact the attacker-controlled command-and-control (C2) server and register the victim's machine using a pre-configured Group ID and the Bot ID generated in the previous step.

X-Force researchers found the hardcoded configuration in the portable executable (PE) file overlay, rather than in the .data section used by the newer, active version.

The configuration also contains a set of elements similar to those in the active sample:

  • C2 IP address
  • Group ID
  • Base64 encoded RSA public key
  • List of process names to terminate
  • List of service names to terminate
  • A list of files to avoid encrypting
  • A list of files to encrypt
  • A list of files to wipe
  • A list of priority files to encrypt first
  • Ransom note text
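The following is an added example, not IBM X-Force tooling or Diavol code, showing how an analyst carves the overlay the report describes: the PE overlay is whatever follows the last byte covered by a section's raw data (the maximum of PointerToRawData + SizeOfRawData over the section table), and the COFF TimeDateStamp gives the compile timestamp the report compares. The config layout used here (key=value lines, ';'-separated lists), the sample values, the TEST-NET C2 address and the stand-in DER bytes are all constructed for the demo; Diavol's real encoding is not described on this page.

```python
"""Carve a PE overlay and parse a configuration embedded in it (added example)."""
import base64
import struct
from datetime import datetime, timezone

# Constructed stand-in for a DER-encoded public key; only the leading
# SEQUENCE tag (0x30) is checked below, so the payload bytes are arbitrary.
FAKE_DER_PUBKEY = b"\x30\x08\x02\x03\x01\x00\x01\x02\x01\x03"

# Constructed config in a hypothetical key=value layout (not Diavol's encoding).
SAMPLE_CONFIG = "\n".join([
    "c2=203.0.113.10",
    "group_id=TESTGROUP01",
    "rsa_pubkey=" + base64.b64encode(FAKE_DER_PUBKEY).decode(),
    "kill_procs=sqlservr.exe;outlook.exe",
    "kill_services=MSSQLSERVER;VSS",
    "skip=*.lock64;README.txt",
    "encrypt=*.docx;*.xlsx;*.pdf",
    "wipe=*.bak",
    "priority=",
    "note=Your files are encrypted.",
]).encode()

LIST_KEYS = ("kill_procs", "kill_services", "skip", "encrypt", "wipe", "priority")


def pe_overlay_offset(data: bytes) -> int:
    """Offset where the overlay starts: end of the last section's raw data.

    Returns len(data) when no bytes follow the sections (no overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sections = coff + 20 + opt_size                      # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sections + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def pe_compile_time(data: bytes) -> datetime:
    """COFF TimeDateStamp as a UTC datetime (note: trivially forgeable by the author)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    stamp = struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def parse_config(blob: bytes) -> dict:
    """Parse the hypothetical key=value config and sanity-check the RSA key field."""
    cfg = {}
    for line in blob.decode("utf-8", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    for key in LIST_KEYS:
        cfg[key] = [item for item in cfg.get(key, "").split(";") if item]
    der = base64.b64decode(cfg.get("rsa_pubkey", ""), validate=True)
    cfg["rsa_pubkey_der_ok"] = der[:1] == b"\x30"       # DER SEQUENCE tag
    return cfg


def extract_overlay_config(pe: bytes) -> dict:
    """Carve the overlay from a PE image and parse the config embedded in it."""
    overlay = pe[pe_overlay_offset(pe):]
    if not overlay:
        raise ValueError("no overlay present; config may live in .data instead")
    return parse_config(overlay)


def build_sample_pe(overlay: bytes, timestamp: int = 1583366400) -> bytes:
    """Build a minimal, non-executable PE32 with one section plus an appended overlay.

    Constructed for the demo only; the default timestamp is 2020-03-05 00:00 UTC."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    optional = bytes(224)                                 # zeroed PE32 optional header
    raw_ptr, raw_size = 0x200, 0x200
    section = b".data\0\0\0" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + optional + section).ljust(raw_ptr, b"\0")
    return headers + bytes(raw_size) + overlay


if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_CONFIG)
    print("compiled:", pe_compile_time(sample).isoformat())
    print("overlay at:", hex(pe_overlay_offset(sample)))
    print(extract_overlay_config(sample))
```

On a real sample, read the file bytes and pass them to `extract_overlay_config`; if it raises because there is no overlay, look in `.data` instead, as the report says the active version does. Treat the compile timestamp as a hint only, since it is a single writable field in the header.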

Before starting the encryption process, the ransomware terminates the listed processes and services on the infected device.

According to the report “In the development sample, the code for the file enumeration and encryption functions is clearly unfinished. The file enumeration function is designed to first encrypt files in the configured priority list (which is empty) and then to enumerate and encrypt files in the hardcoded path C:\TEST\. Functions related to the enumeration of logical drives and network shares, as seen in the newer, active sample, were not implemented.”

As in the active sample, encryption is performed with an RSA key; the ransomware writes a new file at the target file path and appends the '.lock64' extension.

Researchers also observed that functionality present in the active sample, namely ransom note deployment, file wiping and deletion of Volume Shadow Copies, is not implemented in the development sample.

The Bot ID is generated in the same format seen in Anchor DNS, another malware family associated with TrickBot, and that same format appears in Diavol.

In addition, the HTTP headers used for C2 communication are set to prefer Russian-language content, which matches the language used by TrickBot operators, the researchers said.
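As an added example (not from the report, and not a Diavol indicator the page publishes), the snippet below shows how to check the language preference a client expressed in its Accept-Language header when hunting for this kind of artifact in proxy logs. It ranks language ranges by q-value the way RFC 9110 section 12.5.4 defines them (missing q is 1.0, q=0 means not acceptable) rather than naively looking at the first token. The log format, addresses and header values are constructed for the demo.

```python
"""Rank Accept-Language ranges by q-value and flag Russian preference (added example)."""
import re
from typing import List, Optional, Tuple

# Constructed proxy log lines: timestamp, client, destination, Accept-Language header.
SAMPLE_PROXY_LOG = """\
2021-04-30T12:00:01Z 10.0.0.5 203.0.113.10 "Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7"
2021-04-30T12:00:03Z 10.0.0.7 198.51.100.20 "Accept-Language: en-US,en;q=0.9"
2021-04-30T12:00:05Z 10.0.0.9 203.0.113.10 "Accept-Language: en;q=0.5, ru;q=0.8"
2021-04-30T12:00:06Z 10.0.0.9 198.51.100.20 "Accept-Language: *"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "Accept-Language: ([^"]*)"$')


def preferred_language(header: str) -> Optional[str]:
    """Primary subtag of the highest-weighted range in an Accept-Language value.

    Missing q means 1.0, q=0 means "not acceptable", the first-listed range wins ties,
    and a bare wildcard is ignored. Returns None when nothing acceptable remains."""
    best_q, best_tag = -1.0, None
    for item in header.split(","):
        tag, _, params = item.strip().partition(";")
        tag = tag.strip().lower()
        if not tag or tag == "*":
            continue
        q = 1.0
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0                      # malformed weight: treat as unacceptable
        if q > 0 and q > best_q:
            best_q, best_tag = q, tag
    return best_tag.split("-")[0] if best_tag else None


def flag_russian_preference(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, destination) pairs whose Accept-Language header prefers Russian."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and preferred_language(match.group(4)) == "ru":
            hits.append((match.group(2), match.group(3)))
    return hits


if __name__ == "__main__":
    for client, dest in flag_russian_preference(SAMPLE_PROXY_LOG):
        print(f"{client} -> {dest} prefers Russian content")
```

On its own this is a weak signal, since any Russian-speaking user's browser sends the same preference; it is useful only as a pivot when combined with other indicators such as the destination, the registration traffic pattern or the Bot ID format described above.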


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
