FBI Links Diavol Ransomware to Trickbot Banking Trojan

Colin Thierry, Writer

The FBI’s Internet Crime Complaint Center (IC3) has issued a flash alert connecting Diavol ransomware to the group behind the Trickbot banking Trojan, according to a notice published late last week.

The FBI’s cyber division said it first learned of Diavol ransomware in October. Analysts quickly associated the data-encrypting malware with the developers of Trickbot, a notorious banking Trojan whose modular design lets its operators load additional components on demand, effectively a malware ecosystem rather than a single tool.

Trickbot’s infection vectors have included batch files, email phishing, Google Docs lures, fake sexual harassment claims, and malicious executables.

According to the IC3, the bot ID that Diavol generates is nearly identical in format to the one used by Trickbot and by the Anchor DNS malware, which is also attributed to the Trickbot group.

As for the ransomware payload, Diavol encrypts files with an RSA key and selects which files to encrypt based on a pre-configured list of file extensions.

“While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments,” the FBI said in the release. “The FBI has not yet observed Diavol leak victim data, despite ransom notes including threats to leak stolen information.”

The flash alert included a brief technical overview of the malware’s behavior and several indicators of compromise (IOCs) to help IT administrators identify an ongoing attack or an existing infection.

A sample ransom note was also included, along with the standard recommended mitigations: having a recovery plan in place, implementing network segmentation, keeping regular, password-protected backups offline, using antivirus software, keeping systems patched and updated, using strong passwords and multi-factor authentication, requiring administrator credentials to install new software, and running cybersecurity awareness and training programs.

The FBI asked Diavol victims to report incidents to their local field office and to share any details that might help investigators identify and apprehend the cybercriminals.

Such details could include communication logs to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, or a benign sample of an encrypted file.

“Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under US law,” the FBI said.

The agency also discouraged victims from paying ransoms. Payment does not guarantee that encrypted files will be recovered and is likely to encourage the threat actors to attack again, the FBI added.

“However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers,” the agency noted.

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.