[BreachExchange] FBI Warns Organizations of Diavol Ransomware Attacks
Terrell Byrd
terrell.byrd at riskbasedsecurity.com
Fri Jan 21 11:34:09 EST 2022
https://www.securityweek.com/fbi-warns-organizations-diavol-ransomware-attacks
The Federal Bureau of Investigation (FBI) this week shared a series of
indicators of compromise (IoCs) associated with the Diavol ransomware
family.
Diavol was initially detailed in July 2021 as a new tool in the arsenal of
Wizard Spider, the cybercrime group known for operating the TrickBot botnet
and the Conti and Ryuk ransomware families.
As part of a typical Diavol attack, in addition to deploying the ransomware
to encrypt files on compromised systems, the threat actor claims to
exfiltrate the victim’s data and uses that as leverage, threatening to
publish the data online if the victim doesn’t pay the ransom.
While Wizard Spider has set up a Tor site on which it names victims and
publishes files stolen during Conti ransomware attacks, no data stolen from
the organizations targeted with Diavol has been leaked online yet, the FBI
says.
The Bureau also notes that Diavol ransom payment demands have ranged from
$10,000 to $500,000 so far and that the attackers showed willingness to
engage in negotiations with their victims, ultimately accepting lower
payments.
Diavol, which employs RSA encryption, was observed focusing on specific
file types, based on a list defined by its operators. The malware appends
the “.lock64” extension to the encrypted files and drops a ransom note
instructing victims to access a Tor website to receive a decryption key.
The ransomware was observed generating for each victim computer a unique
identifier (which is nearly identical to that employed by TrickBot) and
then attempting to connect to a hardcoded command and control (C&C) server.
The FBI encourages Diavol victims to share any information they can on the
attacks and points out they should not pay a ransom, as that would not
guarantee the recovery of the encrypted/stolen data.
Organizations can mitigate the risk of ransomware attacks through data
backups (including offline, password-protected backups), network
segmentation, multi-factor authentication, employee training, and by using
anti-malware solutions on all systems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220121/bbe79e03/attachment.html>
More information about the BreachExchange
mailing list