The Federal Bureau of Investigation (FBI) has detailed evidence connecting the new Diavol ransomware to the TrickBot Group, the prolific gang behind the eponymous banking trojan.
Diavol hit researchers’ radars in mid-2021, when Fortinet published a technical analysis that established some links to Wizard Spider, another name for the Trickbot Group, which researchers have also been tracking in connection with the “double extortion” Ryuk ransomware.
Ryuk is selectively deployed against high-value targets that are subjected to a double extortion racket, where their data is encrypted, stolen and then potentially leaked unless a ransom is paid.
Trickbot’s tools include the Anchor_DNS backdoor, a tool for transmitting data between victim machines and Trickbot-controlled servers using Domain Name System (DNS) tunneling, which hides malicious traffic within normal DNS traffic.
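DNS tunneling of the kind described above tends to leave a recognisable trace in resolver logs: many distinct, long, high-entropy subdomains queried under a single parent domain by one client. The following heuristic detector is an added example written for this article, not code from the FBI, Fortinet or the Trickbot analysis; the log lines, the `c2-placeholder.example` domain and the thresholds are constructed, and the "last two labels" parent-domain rule is a simplification (a real deployment would use a public suffix list).

```python
import math
from collections import defaultdict

# Constructed resolver log: (client IP, queried name). Not real Anchor_DNS traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "update.microsoft.com"),
    # Tunnel-like pattern: one client, one parent domain, many long hex-looking labels.
    ("10.0.0.9", "4f9a2c1e7b3d8e6f0a1b2c3d4e5f6a7b.c2-placeholder.example"),
    ("10.0.0.9", "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2-placeholder.example"),
    ("10.0.0.9", "0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2-placeholder.example"),
    ("10.0.0.9", "ffeeddccbbaa99887766554433221100.c2-placeholder.example"),
]


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Return (subdomain part, parent domain). Parent = last two labels (assumption)."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[:-2]), ".".join(parts[-2:])


def score_queries(queries, min_unique=4, min_label_len=24, min_entropy=3.0):
    """Flag (client, parent domain, count) pairs whose subdomains look like encoded data.

    A pair is flagged when at least `min_unique` distinct subdomains are both long
    and high-entropy. Thresholds are illustrative and should be tuned per network.
    """
    subs_by_pair = defaultdict(set)
    for client, name in queries:
        sub, parent = split_name(name)
        subs_by_pair[(client, parent)].add(sub)
    flagged = []
    for (client, parent), subs in subs_by_pair.items():
        suspicious = [s for s in subs
                      if len(s) >= min_label_len and shannon_entropy(s) >= min_entropy]
        if len(suspicious) >= min_unique:
            flagged.append((client, parent, len(suspicious)))
    return sorted(flagged)
```

Run against the constructed log, only the `10.0.0.9` / `c2-placeholder.example` pair is flagged; the ordinary lookups from the other clients stay clean.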
The FBI has been on to Diavol since October. Its link between Diavol and Trickbot is that the unique bot identifier (Bot ID) generated by Diavol for each victim is “nearly identical” to the format used by Trickbot and Anchor_DNS malware. Once the Bot ID is generated by Diavol, files on that machine are encrypted and appended with the “.lock64”