{
	"id": "2a05eb91-06b9-4d9a-bb7a-7b6b878d595f",
	"created_at": "2026-04-06T00:14:38.655736Z",
	"updated_at": "2026-04-10T13:13:02.30125Z",
	"deleted_at": null,
	"sha1_hash": "7007daca779a8706dd9e75bbb50c672c51ee0d89",
	"title": "Diavol the Enigma of Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1630800,
	"plain_text": "Diavol the Enigma of Ransomware\nBy Jason Reaves\nPublished: 2022-03-10 · Archived: 2026-04-05 16:58:08 UTC\nBy: Jason Reaves and Joshua Platt\nDiavol ransomware was first publicly reported by Fortinet in July 2021 [1]. The posting included a technical analysis of the file that was allegedly dropped during a previous engagement in June 2021. According to the blog, the Diavol variant was found alongside a Conti (v3) sample, which had also been spread during the same attack. In a follow-up article by IBM X-Force, the researchers concluded that a stronger link existed between the development of Diavol and the operators behind the Trickbot malware.\nWhile multiple samples have been found in the wild, they appear to contain development artifacts. It was clear the locker was utilized, but there was no mention of a leak site and nothing had been identified publicly. After analyzing the binary, we spotted some interesting infrastructure and began to investigate. The domain name enigma-hq[.]net stood out and was associated with ‘195.123.221[.]248’. According to passive DNS records, an update had occurred and enigma-hq[.]net was changed to diavol-news[.]net:\nCredit: VirusTotal\nThe HTML revealed a TOR mirror along with the web mirror pointing to ‘diavol-news[.]net’:\nhttps://xhtnringfhbflc6d.onion\nDiavol Test Leak Site\nTechnical Overview\nDiavol comes with an interesting assortment of code blocks onboard to accomplish various tasks:\nThe BITMAP objects contain the code, while the JPEG objects contain the imports that need to be resolved.\nhttps://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648\nPage 2 of 6\nLoading BITMAP\nFixing imports from JPEG\nThe objects were previously detailed in the Fortinet blog, but here is an overview from our own analysis of a recent sample:\nThere are two interesting pieces we discovered in our analysis: one is that, because of the way VSSMOD works, different methods of wiping shadow copies can be plugged in interchangeably; the other is the way file encryption works.\nShadow copies\nFor one of the samples we analyzed, the shadow copies were wiped using the Windows API, which does not appear to be used very often by ransomware:\nAfter calling CreateVssBackupComponents, the IVssBackupComponents class [5] can be used, which can then be leveraged to delete snapshots.\nEncryption\nFile encryption in Diavol is interesting: it has a routine for decoding the onboard RSA public key and importing it before encrypting the key that will be used to encrypt the files. The file encryption key is 2048 bytes long and is randomly generated; however, the encryption is simply XORing the files in chunks of 2048 bytes:\nSince the same file encryption key is used across multiple files and the operation is a simple XOR, we can take advantage of the known-plaintext weakness to recover files.\nA = ClearText\nB = EncryptedFile1\nC = EncryptedFile2\nkey = A[:2048] ^ B[:2048]\nDecodedFileChunk = key[:2048] ^ C[:2048]\nWe can test this using files from a sandbox run [6] along with an arbitrary MSI file, which has a semi-static first chunk of bytes. It won't be a clean decrypt by any means, but it would prove out our hypothesis:\n\u003e\u003e\u003e # A: a clean MSI whose first 2048 bytes serve as the known plaintext\n\u003e\u003e\u003e clear = open('a4ce1d7dfc5ab1fdee8cd0eb97d19c88a04deb8fe6b7b58413a9e2c93eb4a79d.msi', 'rb').read()\n\u003e\u003e\u003e # B and C: two files encrypted by the same infection\n\u003e\u003e\u003e b = bytearray(open('powerpointmui.msi.lock64', 'rb').read())\n\u003e\u003e\u003e c = open('sharepointdesignermui.msi.lock64', 'rb').read()\n\u003e\u003e\u003e # key = A[:2048] ^ B[:2048] recovers the 2048-byte XOR key\n\u003e\u003e\u003e key = bytearray(clear[:2048])\n\u003e\u003e\u003e for i in range(len(key)):\n...     key[i] ^= b[i]\n...\n\u003e\u003e\u003e # apply the recovered key to C in 2048-byte chunks\n\u003e\u003e\u003e temp = bytearray(c)\n\u003e\u003e\u003e for i in range(len(temp)):\n...     temp[i] ^= key[i % len(key)]\n...\n\u003e\u003e\u003e temp[:5000]\nbytearray(b'\\xd0\\xcf\\x11\\xe0\\xa1\\xb1\\x1a\\xe1\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u003e\\x00\\x03\\x00\\xfe\\xff\\t\\x00\\x06\\\n\\x00\\x00\\x00.\\x00\\x00\\x00/\\x00\\x00\\x000\\x00\\x00\\x001\\x00\\x00\\x002\\x00\\x00\\x003\\x00\\x00\\x004\\x00\\x00\\x005\\x00\\x00\\x006\\x00\\x00\\x007\\x00\\x\n\u003c..snip..\u003e\n%\\x00\\x00\\x00\u0026\\x00\\x00\\x00\\'\\x00\\x00\\x00(\\x00\\x00\\x00)\\x80\\x00\\x00*\\x00\\x00\\x00+\\x00\\x00\\x00,\\x80\\x00\\x00-\n\\x00\\x00\\x00.\\x00\\x01\\x00/\\x80\\x00\\x000\\x00\\x00\\x00=\\x00\\x02\\x01\\x12\\x00\\x00\\x007\\x80\\x00\\x00\\xcb\\x7f\\xff\\xff5\\x00\\x00\\x006\\x00\\x00\\x007\\x\n5\\xc5lD)\u003e\\xb2D\\xd1\\xb7\\xff\\xff\\xfe\\xff\\xff\\xff\\xfe\\xff\\xff\\xffG\\x00\\x00\\x00H\\x00\\x00\\x00I\\x00\\x00\\x00J\\x00\\x00\\x00K\\x00\\x00\\x00L\\x00\\x00\\x00\n\\x15\\xc5lD\\t;\\xe4E@H\\x00\\x00e\\x00\\x00\\x00f\\x00\\x00\\x00g\\x00\\x00\\x00h\\x00\\x00\\x00i\\x00\\x00\\x00j\\x00\\x00\\x00k\\x00\\x00\\x00l\\x00\\x00\\x00m\\x\n\\x00\\x10\\x84\\xff\\xff\\x91\\xfb\\x00\\x00\\x12\\x05\\x00\\x00o\\x05\\xff\\xff\\x14\\xfa\\x00\\x00\\x95\\x06\\x00\\x00\\xe9\\x06\\x00\\x00\\x97\\x07\\x00\\x00\\xe7\\x07\\xff\n\u003c..snip..\u003e\n\\xff7\\xffh\\xff\\xb4\\xff\\xff\\xff\\xb7\\xff\\x8b\\xff\\xb6\\xff\\xff\\xff\\xb1\\xffh\\xff)\\xff\\xff\\xff\\xb3\\xff\\x8b\\xff\\xc6\\xff\\x8b\\xff\\xad\\xff\\xff\\xff\\xac\\xff\\xff\\xff\\xaf\\x\nIt appears to have worked, and since the file encryption key is generated on a per-infection basis, we only need to apply this technique once to recover the 2048-byte key in order to then recover all the files on the system.\nReferences\n1: https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider\n2: https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/\n3: https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/\n4: https://labs.vipre.com/conti-ransomware-part-2-utilizing-server-message-block-smb-to-share-infection/\n5: https://docs.microsoft.com/en-us/windows/win32/api/vsbackup/nl-vsbackup-ivssbackupcomponents\n6: https://app.any.run/tasks/27db4430-59e5-48c5-8191-f3491f13b3c4#\n7: https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/\nSource: https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648"
	],
	"report_names": [
		"diavol-the-enigma-of-ransomware-1fd78ffda648"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434478,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7007daca779a8706dd9e75bbb50c672c51ee0d89.pdf",
		"text": "https://archive.orkl.eu/7007daca779a8706dd9e75bbb50c672c51ee0d89.txt",
		"img": "https://archive.orkl.eu/7007daca779a8706dd9e75bbb50c672c51ee0d89.jpg"
	}
}