FBI Flash TLP White: Indicators of Compromise Associated with Diavol Ransomware January 19, 2022

19 January 2022

Flash Number: CU-000161-MW

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber threat actors. This FLASH was coordinated with DHS/CISA.

This FLASH has been released TLP:WHITE

WE NEED YOUR HELP! If you identify any suspicious activity within your enterprise or have related information, please contact your local FBI Cyber Squad immediately with respect to the procedures outlined in the Reporting Notice section of this message. *Note: By reporting any related information to FBI Cyber Squads, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.

Summary

The FBI first learned of Diavol ransomware in October 2021. Diavol is associated with developers from the TrickBot Group, who are responsible for the TrickBot banking Trojan. Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments. The FBI has not yet observed Diavol leak victim data, despite ransom notes including threats to leak stolen information.

Technical Details

Diavol creates a unique identifier for victim computers via the generation of a System or Bot ID with the following format:

EXAMPLEHOSTNAME-EXAMPLEUSERNAME_W617601.6A8DA4GEEV11E43V85556FE984GG94W1G

The Bot ID generated by Diavol is nearly identical to the format used by TrickBot and the Anchor DNS malware, also attributed to TrickBot. Once the Bot ID is generated, Diavol attempts to connect to a hardcoded command and control (C2) address. If the registration to the botnet is successful, the infected device connects to the C2 again to request updated configuration values. Diavol encrypts files and appends the ".lock64" file extension to the encrypted files. The file contents are encrypted using Microsoft CryptoAPI functions and then written to the new encrypted file. Diavol can also terminate processes and services.
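The two host-level indicators described above, the Bot ID string format and the ".lock64" extension on encrypted files, can be turned into a quick triage check. The Python below is an added example and is not part of the FBI FLASH or the AHA page. Its Bot ID pattern is an assumption derived from the single example string given above (the FLASH does not specify the length or alphabet of the trailing identifier, so the pattern accepts an uppercase alphanumeric run of 32 or more characters); reading the digits after "W" as Windows major, minor and build number (617601 as 6.1 build 7601) follows the TrickBot convention and is likewise an assumption; the log lines and files it scans are constructed test data, not real indicators.

```python
"""Added triage helpers for two Diavol host indicators named in the FLASH:
the Bot ID string format and the ".lock64" extension on encrypted files.

Assumptions (not stated in the FLASH): the Bot ID regex is derived from the
single example string the FLASH gives, so the trailing ID is taken to be an
uppercase alphanumeric run of at least 32 characters; the digits after "W"
are read as <major><minor><build> (617601 -> 6.1.7601) following the TrickBot
convention. All log lines and files below are constructed test data."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# <hostname>-<username>_W<os digits>.<ID>. Hostnames commonly contain hyphens
# and usernames rarely do, so the host group is greedy and the username group
# excludes "-": the split lands on the last hyphen before "_W".
BOT_ID_RE = re.compile(
    r"(?<![A-Za-z0-9])"                    # not in the middle of a token
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9-]*)-"
    r"(?P<user>[A-Za-z0-9._]+)_W"
    r"(?P<osver>\d+)\."
    r"(?P<id>[A-Z0-9]{32,})"               # length/alphabet: assumption
    r"(?![A-Za-z0-9])"
)


def decode_os_version(digits: str) -> tuple[int, int, int] | None:
    """Heuristic split of the W-field into (major, minor, build).

    "617601" -> (6, 1, 7601); "10019044" -> (10, 0, 19044). Returns None when
    the field is too short to hold all three parts.
    """
    if len(digits) < 3:
        return None
    if digits.startswith("10") and len(digits) >= 7:
        return 10, int(digits[2]), int(digits[3:])
    return int(digits[0]), int(digits[1]), int(digits[2:])


def extract_bot_ids(lines: list[str]) -> list[dict]:
    """Return one record per Bot-ID-shaped token found in the given log lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in BOT_ID_RE.finditer(line):
            hits.append({
                "line": lineno,
                "bot_id": m.group(0),
                "host": m.group("host"),
                "user": m.group("user"),
                "os": decode_os_version(m.group("osver")),
                "id": m.group("id"),
            })
    return hits


def find_lock64(root: Path) -> list[Path]:
    """Return every regular file under root carrying the .lock64 extension."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() == ".lock64")


# Constructed proxy log lines: one Bot ID matching the FLASH example, one with
# a hyphenated hostname, and one benign path that must not match.
SAMPLE_LOG_LINES = [
    "2022-01-19T10:02:11Z GET /EXAMPLEHOSTNAME-EXAMPLEUSERNAME_W617601."
    "6A8DA4GEEV11E43V85556FE984GG94W1G/register 200",
    "2022-01-19T10:05:42Z GET /WS-042-jdoe_W10019044."
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345/config 200",
    "2022-01-19T10:06:00Z GET /static/app-bundle_W2.js 200",
]


def build_sample_tree() -> Path:
    """Create a constructed directory with two .lock64 files and one clean file."""
    root = Path(tempfile.mkdtemp(prefix="diavol-demo-"))
    (root / "Finance").mkdir()
    (root / "Finance" / "Q4-budget.xlsx.lock64").write_bytes(b"\x00" * 16)
    (root / "notes.docx.lock64").write_bytes(b"\x00" * 16)
    (root / "README.txt").write_text("untouched")
    return root


if __name__ == "__main__":
    for hit in extract_bot_ids(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: host={hit['host']} user={hit['user']} "
              f"os={hit['os']} id={hit['id']}")
    for path in find_lock64(build_sample_tree()):
        print("encrypted:", path)
```

To use this on real data, feed proxy or DNS query logs to extract_bot_ids and point find_lock64 at a file share or endpoint root instead of the constructed tree. A ".lock64" hit is a high-confidence indicator of encryption having already run; a Bot ID regex hit is a lead that needs review, since a hyphenated hostname makes the host/username split ambiguous (the pattern splits on the last hyphen) and the FLASH does not define the exact identifier alphabet.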


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272