{
	"id": "06298715-de07-4f82-a92f-166a67529dab",
	"created_at": "2026-04-06T00:18:39.504507Z",
	"updated_at": "2026-04-10T03:36:11.174224Z",
	"deleted_at": null,
	"sha1_hash": "cb7b507103956936bd9596f1949228d1cbcb0820",
	"title": "FBI links Diavol ransomware to the TrickBot cybercrime group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1982801,
	"plain_text": "FBI links Diavol ransomware to the TrickBot cybercrime group\r\nBy Lawrence Abrams\r\nPublished: 2022-01-20 · Archived: 2026-04-05 17:42:53 UTC\r\nThe FBI has formally linked the Diavol ransomware operation to the TrickBot Group, the malware developers behind the notorious TrickBot banking trojan.\r\nThe TrickBot Gang, aka Wizard Spider, are the developers of malware infections that have wreaked havoc on corporate networks for years, commonly leading to Conti and Ryuk ransomware attacks, network infiltration, financial fraud, and corporate espionage.\r\nThe TrickBot Gang is best known for its namesake, the TrickBot banking trojan, but is also behind the development of the BazarBackdoor and Anchor backdoors.\r\nhttps://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/\r\nPage 1 of 5\r\nPrior analysis linked Diavol to TrickBot Group\r\nIn July 2021, researchers from FortiGuard Labs released an analysis of a new ransomware called Diavol (Romanian for Devil) that was seen targeting corporate victims.\r\nThe researchers saw both Diavol and Conti ransomware payloads deployed on the same network in a single ransomware attack in early June 2021.\r\nAfter analyzing the two ransomware samples, the researchers found similarities, such as the use of asynchronous I/O operations for file-encryption queuing and almost identical command-line parameters for the same functionality.\r\nAt the time, there was not enough evidence to formally link the two operations.\r\nHowever, a month later, IBM X-Force researchers established a stronger connection between Diavol ransomware and other TrickBot Gang malware, such as Anchor and TrickBot.\r\nFBI links Diavol ransomware to TrickBot gang\r\nToday, the FBI formally announced that it has linked the Diavol ransomware operation to the TrickBot Gang in a new advisory sharing indicators of compromise seen in previous attacks.\r\n\"The FBI first learned of Diavol ransomware in October 2021. Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan,\" the FBI states in a new FBI Flash advisory.\r\nSince then, the FBI has seen ransom demands ranging between $10,000 and $500,000, with lower payments accepted after ransom negotiations.\r\nWarning.txt ransom note from Diavol ransomware\r\nThese amounts are in stark contrast to the higher ransoms demanded by other ransomware operations linked to TrickBot, such as Conti and Ryuk, which have historically demanded multi-million dollar ransoms.\r\nFor example, in April, the Conti ransomware operation demanded $40 million from Florida's Broward County School District and $14 million from chip maker Advantech.\r\nThe FBI was likely able to formally link Diavol to the TrickBot Gang after the arrest of Alla Witte, a Latvian woman involved in the development of ransomware for the malware gang.\r\nVitali Kremez, CEO of AdvIntel, who has been tracking the TrickBot operations, told BleepingComputer that Witte was responsible for the development of the new TrickBot-linked ransomware.\r\n\"Alla Witte played a critical role for the TrickBot operations and based on the previous AdvIntel deep adversarial insight she was responsible for the development of the Diavol ransomware and frontend/backend project meant to support TrickBot operations with the specific tailored ransomware with the bot backconnectivity between TrickBot and Diavol,\" Kremez told BleepingComputer in a conversation.\r\n\"Another name for the Diavol ransomware was \"Enigma\" ransomware, leveraged by the TrickBot crew before the Diavol re-brand.\"\r\nThe FBI's advisory contains numerous indicators of compromise and mitigations for Diavol, making it an essential read for all security professionals and Windows/network administrators.\r\nIt should be noted that the Diavol ransomware originally created ransom notes named 'README_FOR_DECRYPT.txt', as pointed out by the FBI advisory, but BleepingComputer has seen the ransomware gang switch in November to ransom notes named 'Warning.txt'.\r\nThe FBI also urges all victims, regardless of whether they plan to pay a ransom, to promptly notify law enforcement of attacks so that it can collect fresh IOCs for investigative purposes and law enforcement operations.\r\nIf you are affected by a Diavol attack, it is also important to notify the FBI before paying, as they \"may be able to provide threat mitigation resources to those impacted by Diavol ransomware.\"\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/"
	],
	"report_names": [
		"fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23",
				"Periwinkle Tempest",
				"Wizard Spider"
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434719,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb7b507103956936bd9596f1949228d1cbcb0820.pdf",
		"text": "https://archive.orkl.eu/cb7b507103956936bd9596f1949228d1cbcb0820.txt",
		"img": "https://archive.orkl.eu/cb7b507103956936bd9596f1949228d1cbcb0820.jpg"
	}
}