Privacy Ninja
Trickbot Cybercrime Group Linked to New Diavol Ransomware

FortiGuard Labs security researchers have linked a new ransomware strain dubbed Diavol to Wizard Spider, the cybercrime group behind the Trickbot botnet.

Diavol and Conti ransomware payloads were deployed on different systems in a ransomware attack blocked by the company’s EDR solution in early June 2021.

The two ransomware families’ samples are cut from the same cloth, from the use of asynchronous I/O operations for file encryption queuing to using virtually identical command-line parameters for the same functionality (i.e., logging, drives and network shares encryption, network scanning).

However, despite all similarities, the researchers couldn’t find a direct link between Diavol ransomware and the Trickbot gang, with some significant differences making high confidence attribution impossible.

For instance, there are no built-in checks in Diavol ransomware preventing the payloads from running on Russian targets’ systems as Conti does.

There’s also no evidence of data exfiltration capabilities before encryption, a common tactic used by ransomware gangs for double extortion.

Diavol ransomware Tor site (Fortinet)

Diavol ransomware capabilities

Diavol ransomware’s encryption procedure uses user-mode Asynchronous Procedure Calls (APCs) with an asymmetric encryption algorithm.

This sets it apart from other ransomware families as they commonly use symmetric algorithms to significantly speed up the encryption process.

Diavol also lacks any obfuscation as it doesn’t use packing or anti-disassembly tricks, but it still manages to make analysis harder by storing its main routines within bitmap images.

When executing on a compromised machine, the ransomware extracts the code from the images’ PE resource section and loads it within a buffer with execution permissions.
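As an added example (not code from the Fortinet report or this article), a small triage heuristic for the technique just described: given a resource blob that claims to be a bitmap, it validates the DIB header and measures the entropy of the pixel area, since pixel bytes that are really code look nothing like picture data. It assumes RT_BITMAP resource layout (BITMAPINFOHEADER without a file header) and a 7.0 bits/byte threshold chosen here.

```python
import math
import struct

# Added triage helper, not from the Fortinet report: Diavol keeps its routines as
# bitmap "images" in the PE resource section, so a bitmap whose pixel area looks
# like code rather than picture data deserves a closer look. Input is in RT_BITMAP
# resource layout: BITMAPINFOHEADER, optional colour table, 4-byte padded rows.
ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte above which pixels look like code

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    probs = [data.count(b) / n for b in set(data)]
    return max(0.0, -sum(p * math.log2(p) for p in probs)) if n else 0.0

def triage_bitmap_resource(blob: bytes) -> dict:
    verdict = {"valid_header": False, "entropy": 0.0, "suspicious": True, "reason": ""}
    if len(blob) < 40:
        verdict["reason"] = "too short for a BITMAPINFOHEADER"
        return verdict
    # biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression, biSizeImage,
    # biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
    bi_size, width, height, planes, bpp, _, _, _, _, clr_used, _ = struct.unpack_from("<IiiHHIIiiII", blob, 0)
    if bi_size != 40 or planes != 1 or bpp not in (1, 4, 8, 16, 24, 32) or width <= 0:
        verdict["reason"] = "BITMAPINFOHEADER fields are not plausible"
        return verdict
    palette_bytes = (clr_used or (1 << bpp if bpp <= 8 else 0)) * 4
    row_bytes = ((width * bpp + 31) // 32) * 4   # rows are padded to 4 bytes
    expected = row_bytes * abs(height)           # negative height = top-down image
    pixels = blob[bi_size + palette_bytes:]
    verdict["valid_header"] = True
    verdict["entropy"] = round(shannon_entropy(pixels), 3)
    if len(pixels) != expected:
        verdict["reason"] = f"pixel area is {len(pixels)} bytes, header implies {expected}"
    elif verdict["entropy"] > ENTROPY_THRESHOLD:
        verdict["reason"] = "pixel data entropy looks like code, not an image"
    else:
        verdict["suspicious"] = False
        verdict["reason"] = "looks like an ordinary bitmap"
    return verdict

def make_dib(width: int, height: int, pixels: bytes) -> bytes:
    """Build a 24-bit DIB in resource layout around already padded pixel rows."""
    return struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0) + pixels

# Constructed samples: a flat grey 16x16 image, and an "image" whose pixel area
# cycles through every byte value (entropy 8.0) to stand in for embedded code.
FLAT = make_dib(16, 16, b"\x80" * 768)               # 48-byte rows * 16, no padding
CODE_LIKE = make_dib(16, 16, bytes(range(256)) * 3)  # also 768 bytes
```

Real bitmaps with photographic content can also score high, so treat a hit as a prompt to dump and disassemble the resource rather than as a verdict on its own.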

The code it extracts amounts to 14 different routines that will execute in the following order:

  • Create an identifier for the victim
  • Initialize configuration
  • Register with the C&C server and update the configuration
  • Stop services and processes
  • Initialize encryption key
  • Find all drives to encrypt
  • Find files to encrypt
  • Prevent recovery by deleting shadow copies
  • Encryption
  • Change the desktop wallpaper

Right before Diavol ransomware is done, it will change each encrypted Windows device’s background to a black wallpaper with the following message: “All your files are encrypted! For more information see README-FOR-DECRYPT.txt”

“Currently, the source of the intrusion is unknown,” Fortinet says. “The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to.”

Additional Diavol ransomware technical info and indicators of compromise (IOCs) can be found at the end of FortiGuard Labs’s threat research report.

Diavol ransomware wallpaper (Fortinet)

Ransomware targets set on enterprises

Wizard Spider is a Russia-based, financially motivated cybercrime group that operates the Trickbot botnet, which is used to drop second-stage malware on compromised systems and networks.

Trickbot is particularly dangerous to enterprises since it propagates through corporate networks. If it gets admin access to a domain controller, it will also steal the Active Directory database to collect even more network credentials the group can use to make their job easier.

While Microsoft and several partners announced the takedown of some Trickbot C2s after the US Cyber Command also reportedly tried to cripple the botnet, TrickBot is still active, with the group still releasing new malware builds.

The TrickBot gang’s operations entered a higher gear during the summer of 2018 when they started targeting corporate networks using Ryuk ransomware and again in 2020 after switching to Conti ransomware.

The developers of Trickbot have also started deploying the stealthy BazarLoader backdoor in attacks in April 2020, a tool designed to help them compromise and gain full access to corporate networks before deploying the ransomware payloads.
