{
	"id": "e60b5d4c-19a9-45c4-805f-3515f8f45065",
	"created_at": "2026-04-06T00:06:39.624481Z",
	"updated_at": "2026-04-10T03:36:10.980424Z",
	"deleted_at": null,
	"sha1_hash": "f60701d96e83001edf74fd255dea542e442e3144",
	"title": "Free decryptor released for TrickBot gang's Diavol ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1025993,
	"plain_text": "Free decryptor released for TrickBot gang's Diavol ransomware\r\nBy Sergiu Gatlan\r\nPublished: 2022-03-18 · Archived: 2026-04-02 12:40:48 UTC\r\nCybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom.\r\nDiavol ransomware victims can download the free tool from Emsisoft's servers to decrypt their data using the detailed instructions available in this usage guide [PDF].\r\n\"The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data,\" Emsisoft explains.\r\nhttps://www.bleepingcomputer.com/news/security/free-decryptor-released-for-trickbot-gangs-diavol-ransomware/\r\nPage 1 of 5\n\n\"By default, the decryptor will pre-populate the locations to decrypt with the currently connected drives and network drives.\"\r\nThis Diavol ransomware decryption tool will keep the files encrypted in the attack as a failsafe if the decrypted files are not identical to the original documents.\r\nAdditionally, it comes with an \"Allow partial decryption of large files\" option, needed to partially recover some files larger than the pair of files provided for reconstructing the encryption keys. This is required because the decryptor might fail to recover such files due to technical limitations.\r\nImage: Emsisoft\r\nUnlike other ransomware families that use symmetric algorithms to speed up the encryption process significantly, Diavol's encryption procedure employs user-mode Asynchronous Procedure Calls (APCs) with an asymmetric encryption algorithm.\r\nDiavol also comes with no obfuscation, as it doesn't use packing or anti-disassembly tricks, but it still hinders analysis efforts by storing its main routines within bitmap images.\r\nBefore the encryption process is done, Diavol will change encrypted Windows devices' backgrounds to a black wallpaper with an \"All your files are encrypted! For more information see README-FOR-DECRYPT.txt\" message.\r\nNotably, while the Diavol ransomware originally created ransom notes named README_FOR_DECRYPT.txt, as the FBI pointed out, BleepingComputer has seen a switch in November to ransom notes named Warning.txt.\r\nDiavol ransom note (BleepingComputer)\r\nFortiGuard Labs security researchers first tied this ransomware strain to the TrickBot gang (aka Wizard Spider) after spotting it deployed on different systems together with Conti ransomware payloads in an attack blocked by the company's EDR solution in early June 2021.\r\nFollowing their report, and likely after the arrest of Alla Witte, who was involved in ransomware development for the malware gang, the FBI also formally linked it to the TrickBot cybercrime gang.\r\nThis Russia-based, financially motivated cybercrime group operates the TrickBot botnet used to drop second-stage malware on compromised systems and networks.\r\nThe FBI first learned of the ransomware strain in October 2021, and, since then, it has seen ransom demands between $10,000 and $500,000, with lower payments accepted following ransom negotiations.\r\nThese ransoms are in stark contrast to the massive ransoms demanded by other ransomware gangs linked to TrickBot, including Conti and Ryuk, which have historically requested multi-million dollar payments for decryptors and for not leaking stolen data online.\r\nAlthough active since at least June 2021, Diavol ransomware has never been very active and has only a few dozen submissions on the ID-Ransomware service.\r\nDiavol ransomware activity (BleepingComputer/ID-Ransomware)\r\nSource: https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-trickbot-gangs-diavol-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-trickbot-gangs-diavol-ransomware/"
	],
	"report_names": [
		"free-decryptor-released-for-trickbot-gangs-diavol-ransomware"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23",
				"Periwinkle Tempest",
				"Wizard Spider"
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433999,
	"ts_updated_at": 1775792170,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f60701d96e83001edf74fd255dea542e442e3144.pdf",
		"text": "https://archive.orkl.eu/f60701d96e83001edf74fd255dea542e442e3144.txt",
		"img": "https://archive.orkl.eu/f60701d96e83001edf74fd255dea542e442e3144.jpg"
	}
}