
‘Diavol’ Ransomware Virus Hacks PC Via Email, And Blackmails You To Pay Money


The Indian government has issued an alert for a harmful virus spreading through email that is locking down people’s computers in exchange for a ransom. 



For the unaware, such an attack is commonly referred to as ‘ransomware’. It is malware that takes control of a computer, locks down all of its files and data, and extorts the victim into transferring a particular sum to the attackers, sometimes within a specific time frame. Failing to do so could result in the deletion of crucial data.

The Indian Computer Emergency Response Team (CERT-In) has warned that new ransomware, dubbed Diavol Virus, has been affecting several computers across the nation.

How it attacks

According to CERT-In, the ransomware is compiled with the Microsoft Visual C/C++ compiler. It encrypts users’ files using user-mode Asynchronous Procedure Calls (APCs) together with an asymmetric encryption algorithm.

The ransomware is distributed via email that carries a OneDrive link. The link asks the user to download a ZIP file containing an ISO file, which in turn holds an LNK file and a DLL. When opened, the ISO mounts on the system, and the LNK file, which looks like a document, tempts the user to open it. Once it is opened, the damage is done: the system becomes infected and the malware spreads.


The virus starts with a pre-processing stage on the victim’s computer: it registers the machine with a remote server, locates drives and files to encrypt, and prevents deletion of shadow copies. The files are then locked and the desktop wallpaper is changed to a ransom demand.


How to stay safe?

To avoid coming into contact with the Diavol Virus, CERT-In recommends keeping antivirus software (either Windows Defender or third-party software) up to date so that Diavol cannot enter the system.

In addition, do not download files from an unknown sender’s drive links or attachments, so that the infected file never gets the chance to run.



Diavol ransomware sample shows stronger connection to TrickBot gang

A new analysis of a Diavol ransomware sample shows a clearer connection with the gang behind the TrickBot botnet and sheds light on the evolution of the malware.

This is the second piece of research to find common ground in the code of the two threats, tying them to the same actor.

Early sample comes with hints

Previous analysis of Diavol (Romanian for Devil) ransomware from Fortinet’s FortiGuard Labs revealed a set of similarities with the TrickBot malware as well as differences that prevented high-confidence attribution of the code.

Fortinet’s assessment at the beginning of July noted that both Diavol and Conti – a ransomware family strongly connected with TrickBot – used the same command-line parameters for a variety of tasks (logging, encryption, scanning).

A report from the IBM X-Force threat analysts Charlotte Hammond and Chris Caridi provides clues pointing to a stronger connection between Diavol ransomware and the TrickBot gang.

Unlike the sample analyzed by Fortinet, which was a newer, “fully functional and weaponized piece of ransomware,” the one that IBM examined is an older variant closer to a development version used for testing purposes.

The malware’s incomplete state preserved the signs that allowed the researchers to reach a more reliable conclusion.

IBM X-Force looked at a sample submitted to VirusTotal on January 27, 2021, with a reported compilation date of March 5, 2020. By comparison, the compilation date for the version in Fortinet’s analysis is April 30, 2021.

The researchers noticed that Diavol ransomware collects basic information from the infected system and generates a System or Bot ID that helps the attacker track multiple intrusions from affiliates in the ransomware-as-a-service (RaaS) operation.

Diavol ransomware’s Bot ID format includes the hostname, username, and Windows version of the compromised system, and a globally unique identifier (GUID). The format is “almost identical” to the one generated by TrickBot malware, the analysts note.

[hostname]-[username]_W[windows_version].

A very similar Bot ID pattern has been seen with Anchor DNS, another piece of malware attributed to the TrickBot gang, the researchers say in their…
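As an added example, not code from the article, from IBM X-Force or from the malware authors, the Bot ID layout described above can be turned into a detection check that a defender runs over proxy or web-server logs: an identifier of this shape inside a request path is a useful hint of TrickBot-family check-in traffic worth triaging. The regular expression, the sample log lines, and the assumptions that the GUID is 32 hexadecimal characters (with or without the usual 8-4-4-4-12 hyphens) and that the Windows version is written as dotted digits are mine; the page only states that the ID ends with a GUID.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Bot ID layout quoted in the article: [hostname]-[username]_W[windows_version].[GUID]
# Assumptions (not stated on the page): the Windows version is dotted digits, and the
# GUID is 32 hex characters, written with or without the usual 8-4-4-4-12 hyphens.
_HEX = "[0-9A-Fa-f]"
_CORE = (
    r"(?P<hostname>[A-Za-z0-9][A-Za-z0-9.-]*)"
    r"-(?P<username>[^\s_/\\]+)"
    r"_W(?P<windows_version>[0-9]+(?:\.[0-9]+)*)"
    rf"\.(?P<guid>{_HEX}{{8}}-?{_HEX}{{4}}-?{_HEX}{{4}}-?{_HEX}{{4}}-?{_HEX}{{12}})"
)
# Anchored form validates one token; the embedded form scans free text and is bounded
# so that a longer identifier or URL path segment cannot produce a partial hit.
_TOKEN_RE = re.compile(_CORE)
_EMBEDDED_RE = re.compile(rf"(?<![\w.-]){_CORE}(?![\w-])")


@dataclass
class BotId:
    hostname: str
    username: str
    windows_version: str
    guid: str
    raw: str


def _to_bot_id(m: "re.Match") -> BotId:
    return BotId(
        hostname=m.group("hostname"),
        username=m.group("username"),
        windows_version=m.group("windows_version"),
        guid=m.group("guid"),
        raw=m.group(0),
    )


def parse_bot_id(token: str) -> Optional[BotId]:
    """Return the parsed fields if the whole token has the Bot ID shape, else None.

    The hostname/username split is made at the last hyphen before "_W", so a
    hyphenated username would be partly attributed to the hostname; for detection
    the match itself is what matters, the split is best effort.
    """
    m = _TOKEN_RE.fullmatch(token)
    return _to_bot_id(m) if m else None


def scan_log(lines: Iterable[str]) -> List[Tuple[int, BotId]]:
    """Search each log line for an embedded Bot ID and return (line number, BotId) hits."""
    hits: List[Tuple[int, BotId]] = []
    for number, line in enumerate(lines, start=1):
        m = _EMBEDDED_RE.search(line)
        if m:
            hits.append((number, _to_bot_id(m)))
    return hits


# Constructed proxy log lines (hostnames, users, IPs and GUIDs are all made up);
# lines 1 and 3 carry a Bot ID in the request path, lines 2 and 4 are look-alikes.
SAMPLE_LOG = [
    '2021-01-27T10:15:02Z proxy src=10.0.0.21 url="http://203.0.113.5/WKSTN-01-jsmith_W10.0.19041.0f8e2a1b-4c6d-4e2f-8a9b-0c1d2e3f4a5b/info" status=200',
    '2021-01-27T10:15:03Z proxy src=10.0.0.22 url="https://updates.example.com/files/report_W10.pdf" status=200',
    '2021-01-27T10:16:44Z proxy src=10.0.0.23 url="http://198.51.100.7/DESKTOP-4F2A9C-alice_W6.1.7601.9b1f3c5d7e9a4b2c8d6e0f1a2b3c4d5e/" status=404',
    '2021-01-27T10:17:10Z proxy src=10.0.0.24 url="http://example.net/HOST-bob_W10.txt" status=200',
]

if __name__ == "__main__":
    for number, bot in scan_log(SAMPLE_LOG):
        print(f"line {number}: host={bot.hostname} user={bot.username} "
              f"win={bot.windows_version} guid={bot.guid}")
```

Run stand-alone, the script reports lines 1 and 3 and ignores the two look-alikes; in practice the same `scan_log` would be pointed at exported proxy or IIS logs, and any hit deserves a look at the destination host and at the source machine named in the ID.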
