Called Diavol, the new ransomware was uncovered at the beginning of June, when Fortinet prevented a ransomware attack targeting one of its customers. After successfully halting the attack, the researchers isolated two files that, at that time, weren’t present on VirusTotal: locker.exe and locker64.dll.
“While we were able to identify locker64.dll to be a Conti (v3) ransomware, locker.exe appeared to be entirely different. So, let’s say hello to a new ransomware family,” Fortinet researchers Dor Neeamni and Asaf Rubinfeld wrote in their detailed analysis. They believe that the new ransomware can be attributed to a specific cybercriminal group known as Wizard Spider.
The name of the ransomware comes from a URL associated with the attack the researchers analyzed. Diavol means “devil”.
A Look inside the Diavol Ransomware
The Diavol ransomware drops a ransom note in text format in every folder of the compromised system. The note claims that the attackers stole data from the victim’s system. However, the researchers haven’t discovered a sample to prove that, so this claim may be a bluff or a placeholder for future capabilities, Fortinet said.
The ransomware uses a “rather unique encryption procedure,” relying on user-mode Asynchronous Procedure Calls (APCs) and no symmetric encryption algorithm. “Usually, ransomware authors aim to complete the encryption operation in the shortest amount of time. Asymmetric encryption algorithms are not the obvious choice as they are significantly slower than symmetric algorithms,” the report noted.
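The speed argument quoted above, illustrated with an added Go benchmark that is not part of Fortinet's analysis and does not reproduce the Diavol sample: it encrypts a constructed 64 KiB buffer once chunk by chunk with RSA-OAEP only and once with a single AES-256-GCM call, then returns the slowdown factor and both ciphertext sizes. RSA-2048, AES-256-GCM, the sample buffer and the throwaway key are assumptions for the demonstration; the article does not state which algorithms Diavol uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"time"
)

const sampleSize = 64 * 1024 // constructed sample: 64 KiB of zero bytes standing in for one victim file

// bulkRSAEncrypt encrypts buf with RSA-OAEP alone, no symmetric stage. OAEP takes at most
// keyLen-2*hashLen-2 bytes per call (190 for RSA-2048/SHA-256), each emitting a 256-byte block.
func bulkRSAEncrypt(pub *rsa.PublicKey, buf []byte) []byte {
	h := sha256.New()
	chunk := pub.Size() - 2*h.Size() - 2
	var out []byte
	for len(buf) > 0 {
		n := chunk
		if len(buf) < n { n = len(buf) } // final partial chunk
		ct, err := rsa.EncryptOAEP(h, rand.Reader, pub, buf[:n], nil)
		if err != nil {
			panic(err) // only on a malformed key or an oversized chunk
		}
		out = append(out, ct...)
		buf = buf[n:]
	}
	return out
}

// CompareThroughput encrypts the same sample RSA-only and with one AES-256-GCM call (the
// usual symmetric stage); it returns RSA time / AES time and both ciphertext sizes.
func CompareThroughput() (factor float64, rsaLen, aesLen int) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	key := sha256.Sum256([]byte("constructed demo key")) // throwaway 256-bit AES key
	block, _ := aes.NewCipher(key[:])                    // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)                       // AES block size: cannot fail
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // random 96-bit nonce for this one-off key
	sample := make([]byte, sampleSize)
	start := time.Now()
	rsaLen = len(bulkRSAEncrypt(&priv.PublicKey, sample)) // 345 blocks * 256 bytes = 88320
	rsaDur := time.Since(start)
	start = time.Now()
	aesLen = len(gcm.Seal(nonce, nonce, sample, nil)) // nonce || ct || 16-byte tag = 65564
	return float64(rsaDur) / float64(time.Since(start)), rsaLen, aesLen
}
```

The factor depends on the machine, but the RSA-only path is slower by at least an order of magnitude on typical hardware and also expands the output by roughly a third, which is why bulk file encryption normally uses a symmetric cipher with only the key wrapped asymmetrically.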
How did the Diavol ransomware penetrate the system? The method of intrusion is yet to be discovered. Since the researchers came across some errors in the hardcoded configuration, they believe that the Diavol ransomware is “a new tool in the arsenal of its operators which they are not yet fully accustomed to.”
Diavol: possibly the work of the Wizard Spider cybercriminal group
There is enough evidence to support the possibility that the new threat is the work of the Wizard Spider group. The researchers found more Conti payloads alongside locker.exe in the network, strengthening that possibility.
“Despite a few similarities between Diavol, Conti, and other related ransomware, it’s still unclear, however, whether there’s a direct link between them,” the report concluded. Plus, there are some other major differences from attacks previously linked to Wizard Spider, such as the lack of checks to ensure that the payload won’t execute on Russian victims, and the lack of evidence of double extortion.
Last July, security researchers discovered that the Conti ransomware is more advanced than most ransomware families. The ransomware appeared to be programmed with extended hardware compatibility, enabling it to spread its processing over multiple CPU cores. The analyzed samples were able to run up to 32 threads at the same time, which corresponds to the higher end of desktop and server processors currently available.
The Conti ransomware appeared to be created as a hacking tool for intrusions into government agencies and large organizations. These kinds of systems and networks are more likely to house servers and machines with hardware such as these high-performance CPUs.