
FBI Links Diavol Ransomware to Trickbot, Offers IOCs and Mitigations

Filip TRUȚĂ

January 21, 2022


The FBI’s Internet Crime Complaint Center (IC3) has issued a flash alert connecting Diavol ransomware to the threat actors behind the Trickbot banking Trojan.

The FBI’s cyber division says it first learned of Diavol ransomware in October 2021. Analysts quickly associated the data-encrypting malware with the developers of Trickbot, the infamous banking Trojan whose modular design has grown into an entire malware ecosystem.

Trickbot attack vectors include batch files, email phishing, Google Docs, fake sexual harassment claims, and the usual malware-laden executables.

According to the IC3, the bot ID generated by Diavol is nearly identical in format to the one used by Trickbot and by Anchor DNS, another piece of malware attributed to the Trickbot group.

As for the ransomware payload, Diavol encrypts files using an RSA encryption key and selects which files to encrypt based on a pre-configured list of file extensions.

“While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments,” reads the notice. “The FBI has not yet observed Diavol leak victim data, despite ransom notes including threats to leak stolen information.”

The flash alert includes a rather simple technical overview of the malware’s behavior, along with a few clear indicators of compromise to help IT administrators identify an ongoing attack or infection.

A ransom note example is also included, along with the usual recommended mitigations, such as:

· Have a recovery plan in place

· Implement network segmentation

· Keep regular backups and password-protected copies offline

· Use antivirus

· Keep everything up to date and patched

· Use strong passwords and multi-factor authentication

· Require admin credentials to install new software

· Conduct cybersecurity awareness and training programs

The FBI asks Diavol victims not only to report the incident to their local field office but also to share any details that might help investigators identify and catch the perpetrators.

This includes communication logs to and from foreign IP addresses, Bitcoin wallet information, the decryptor file or a benign sample of an encrypted file.

“Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under US law,” according to the alert.

As always, the agency discourages victims from paying ransoms, as payment does not guarantee that files will be recovered and will likely embolden the threat actors to strike again.

“However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers,” the agency notes.
