FBI Links Diavol Ransomware to Trickbot, Offers IOCs and Mitigations

The FBI’s Internet Crime Complaint Center (IC3) has issued a flash alert connecting Diavol ransomware to the threat actors behind the Trickbot banking Trojan.

The FBI’s cyber division says it first learned of Diavol ransomware in October 2021. Analysts quickly associated the data-encrypting malware to the developers of Trickbot, the infamous banking Trojan with capabilities that make for a modular malware ecosystem.

Trickbot attack vectors include batch files, email phishing, Google Docs, fake sexual harassment claims, and the usual malware-laden executables.

According to the IC3, The bot ID generated by Diavol is nearly identical to the format used by Trickbot and the Anchor DNS malware, also attributed to Trickbot.

As for the ransomware payload, Diavol encrypts files using an RSA encryption key and cherry-picks file types to encrypt based on a pre-configured list of extensions.

“While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments,” reads the notice. “The FBI has not yet observed Diavol leak victim data, despite ransom notes including threats to leak stolen information.”

The flash alert includes a rather simple technical overview of the malware’s behavior, along with a few clear indicators of compromise to help IT administrators identify an ongoing attack or infection.

A ransom note example is also included, along with the usual recommended mitigations, such as:

· Have a recovery plan in place

· Implement network segmentation

· Keep regular backups and password-protected copies offline

· Use antivirus

· Keep everything up to date and patched

· Use strong passwords and multi-factor authentication

· Require admin credentials to install new software

· Conduct cybersecurity awareness and training programs

The fed asks Diavol victims to not just report the incident to their local field office but also to share any details that might help investigators identify and catch the perps.

This includes communication logs to and from foreign IP addresses, Bitcoin wallet information, the decryptor file or a benign sample of an encrypted file.

“Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under US law,” according to the alert.

As always, the agency discourages victims from paying ransoms, as payment does not guarantee files will be recovered, and will likely also embolden the threat actors to strike again.

“However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers,” the agency notes.