This article has been indexed from E Hacking News – Latest Hacker News and IT Security News
The Wizard Spider threat organization, which is behind the Trickbot botnet, has been connected to a new ransomware outbreak called Diavol, as per security experts.
According to BleepingComputer, the ransomware families use almost similar command-line parameters for the same functionality and leverage the same I/O operations for file encryption queueing.
Although there are some commonalities, as BleepingComputer has indicated and as SpearTip has confirmed, there are two key distinctions that make a direct link unlikely. Diavol ransomware does not perform a location check to prevent its payloads from executing on Russian targets. This is significant, since most malware avoids Russian systems.
Data Exfiltration

FortiGuard Labs explains in their analysis of Diavol that, “According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities.”
Following additional analysis by SpearTip’s engineers, the Diavol ransomware gang does appear to be stealing data. Although the ransomware executable itself lacks this capability, the group employs techniques that allow data to be exfiltrated from a particularly evasive environment.
The Diavol ransomware gang utilizes a Cobalt Strike HTTP beacon, which appears to be used to assist data exfiltration. The beacon’s name was sysr.dll, and it was kept in a
[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
Read the original article: SpearTip: New Diavol Ransomware Does Steal Data