
New Ransomware From Wizard Spider Starts Infecting Victims

Researchers from Fortinet have identified a new ransomware family, dubbed "Diavol", that is compiled with the Microsoft Visual C/C++ compiler and has started infecting victims. The researchers said they found the ransomware during an attack on one of their customers; the attack involved two files, locker.exe and locker64.dll, neither of which was present in VirusTotal at the time.

Fortinet also found that one of the files, locker64.dll, is linked to Conti v3 ransomware, and noted that Diavol itself drops a ransom note in text format (README_FOR_DECRYPT.txt) in every folder it accesses.

[Image. Source: Fortinet]

“According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities. Browsing to the URL led us to a website, seen in figures 2 and 3, from which we derived the name for the ransomware,” reads the blog post.

Separately, IBM X-Force's Threat Intelligence team also obtained the sample, which appears to be a development version with a limited feature set. While analyzing it, X-Force identified evidence, shown below, that links it to the TrickBot malware:

On initial execution the ransomware collects basic system information such as the Windows version and network adapter details. It then generates a System/Bot ID in the following format:

<hostname>-<username>_W<windows_version>.<guid>

For example:

DESKTOP-4LUGU5I-reuser_W10019041.C3F3799FE69249579857D2039BBBAB11

Researchers also observed that the ransomware avoids infecting systems whose Windows language is Russian or one of several other Commonwealth of Independent States (CIS) languages. The sample checks the OS language ID against the following list (hex LANGID values):

  • 0422 – Ukrainian (Ukraine)
  • 0442 – Turkmen (Turkmenistan)
  • 0444 – Tatar (Russia)
  • 0843 – Uzbek (Cyrillic) (Uzbekistan)
  • 0428 – Tajik (Cyrillic) (Tajikistan)
  • 043F – Kazakh (Kazakhstan)
  • 0423 – Belarusian (Belarus)
  • 082C – Azeri (Cyrillic) (Azerbaijan)
  • 042B – Armenian (Armenia)
  • 0419 – Russian (Russia)
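The two TrickBot-style artifacts above, the bot ID string and the language-ID exclusion list, as a small triage helper. This is an added example, not code from Fortinet, IBM X-Force or the malware itself. It assumes the GUID part is always 32 hex digits (as in the sample value) and that the user name contains no hyphen, since host names such as DESKTOP-4LUGU5I do; the primary/sub-language split follows the documented Windows LANGID layout (low 10 bits primary, high 6 bits sub-language). The looser primary-language check is included only to show what the exact-match list leaves out, such as the Latin-script Uzbek and Azeri locales.

```python
"""Added example (not Fortinet's, IBM X-Force's or the malware's own code):
parse the Diavol bot ID format and evaluate the language-ID exclusion list."""
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class BotId:
    hostname: str
    username: str
    windows_version: str  # kept raw, e.g. "10019041"
    guid: str             # 32 hex digits, upper-cased


# <hostname>-<username>_W<windows_version>.<guid>
# Assumption: the GUID is exactly 32 hex digits, as in the sample value.
_BOT_ID_RE = re.compile(
    r"^(?P<prefix>.+)_W(?P<winver>\d+)\.(?P<guid>[0-9A-Fa-f]{32})$"
)


def parse_bot_id(value: str) -> Optional[BotId]:
    """Split a bot ID into its fields; return None if it does not fit the format.

    Host names may contain '-' (DESKTOP-4LUGU5I), so the host/user split is made
    at the LAST '-' before '_W'.  Assumption: the user name has no '-'.
    """
    m = _BOT_ID_RE.match(value.strip())
    if not m:
        return None
    host, sep, user = m.group("prefix").rpartition("-")
    if not sep or not host or not user:
        return None
    return BotId(host, user, m.group("winver"), m.group("guid").upper())


# Windows LANGIDs the sample refuses to run on, as listed above.
EXCLUDED_LANGIDS: Dict[int, str] = {
    0x0422: "Ukrainian (Ukraine)",
    0x0442: "Turkmen (Turkmenistan)",
    0x0444: "Tatar (Russia)",
    0x0843: "Uzbek (Cyrillic) (Uzbekistan)",
    0x0428: "Tajik (Cyrillic) (Tajikistan)",
    0x043F: "Kazakh (Kazakhstan)",
    0x0423: "Belarusian (Belarus)",
    0x082C: "Azeri (Cyrillic) (Azerbaijan)",
    0x042B: "Armenian (Armenia)",
    0x0419: "Russian (Russia)",
}


def primary_langid(langid: int) -> int:
    """PRIMARYLANGID: the low 10 bits of a Windows LANGID."""
    return langid & 0x3FF


def sublangid(langid: int) -> int:
    """SUBLANGID: the high 6 bits of a Windows LANGID (script/region variant)."""
    return langid >> 10


def is_excluded_exact(langid: int) -> bool:
    """The check as described: the full LANGID must appear in the list."""
    return langid in EXCLUDED_LANGIDS


def is_excluded_by_primary(langid: int) -> bool:
    """Looser variant keyed on primary language only.  Not what the sample does;
    it shows which locales the exact list misses, e.g. Uzbek (Latin) 0x0443."""
    primaries = {primary_langid(x) for x in EXCLUDED_LANGIDS}
    return primary_langid(langid) in primaries


if __name__ == "__main__":
    # Sample bot ID value quoted in the report above.
    print(parse_bot_id("DESKTOP-4LUGU5I-reuser_W10019041.C3F3799FE69249579857D2039BBBAB11"))
    for lid in (0x0419, 0x0443, 0x0409):
        print(hex(lid), is_excluded_exact(lid), is_excluded_by_primary(lid))
```

On a live Windows host the value to feed into the language checks is what `GetUserDefaultLangID()` or `GetSystemDefaultLangID()` returns; a sample that keys on exact LANGIDs will still run on, for example, an Uzbek (Latin) install, which is worth remembering when people describe such lists as a reliable "CIS kill switch".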

Indicators of Compromise:

File Hashes (SHA256)

85ec7f5ec91adf7c104c7e116511ac5e7945bcf4a8fdecdcc581e97d8525c5ac (Diavol, locker.exe)
426ba2acf51641fb23c2efe686ad31d6398c3dd25c2c62f6ba0621455a3f7178 (Conti v3, locker64.dll)
4bfd58d4e4a6fe5e91b408bc190a24d352124902085f9c2da948ad7d79b72618 (Conti, locker.exe)

File Names

locker.exe
locker64.dll
wscpy.exe
encr.bmp
README_FOR_DECRYPT.txt

File Paths

%PUBLIC%\Pictures\encr.bmp

IPs

173[.]232[.]146[.]118

URLs

hxxp://<server_address>//BnpOnspQwtjCA/register
hxxp://173[.]232[.]146[.]118/Bnyar8RsK04ug/

Domains

r2gttyb5vqu6swf5[.]onion

Source: Fortinet
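The indicators above turned into a small hunting script. This is an added example, not code from Fortinet's report: it re-fangs the defanged network IOCs so they can go into a blocklist, and walks a directory tree looking for the listed file names and SHA256 hashes. The directory tree built in demo() is constructed stand-in data, not real malware; on a live Windows host you would point scan_for_iocs at %PUBLIC% (for encr.bmp) or at user profile roots.

```python
"""Added example (not code from Fortinet's report): re-fang the network IOCs
above and hunt a directory tree for the listed file names and SHA256 hashes."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# IOCs copied from the report above.
IOC_SHA256: Set[str] = {
    "85ec7f5ec91adf7c104c7e116511ac5e7945bcf4a8fdecdcc581e97d8525c5ac",  # Diavol, locker.exe
    "426ba2acf51641fb23c2efe686ad31d6398c3dd25c2c62f6ba0621455a3f7178",  # Conti v3, locker64.dll
    "4bfd58d4e4a6fe5e91b408bc190a24d352124902085f9c2da948ad7d79b72618",  # Conti, locker.exe
}
IOC_FILENAMES: Set[str] = {
    "locker.exe", "locker64.dll", "wscpy.exe", "encr.bmp", "README_FOR_DECRYPT.txt",
}
DEFANGED_NETWORK_IOCS = [
    "173[.]232[.]146[.]118",
    "hxxp://173[.]232[.]146[.]118/Bnyar8RsK04ug/",
    "r2gttyb5vqu6swf5[.]onion",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into its live form.
    Only do this when feeding a blocklist; keep IOCs defanged in reports."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc.replace("[.]", "."))


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_for_iocs(root: Path, hashes: Set[str] = IOC_SHA256,
                  names: Set[str] = IOC_FILENAMES) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for every file under root matching an IOC.
    Names are compared case-insensitively because NTFS is case-insensitive."""
    wanted = {n.lower() for n in names}
    hits: List[Tuple[str, str]] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.name.lower() in wanted:
            hits.append(("filename", str(p)))
        try:
            if sha256_file(p) in hashes:
                hits.append(("sha256", str(p)))
        except OSError:
            continue  # locked or unreadable file; move on
    return hits


def demo() -> Dict[str, int]:
    """Build a constructed directory tree (stand-in files, not real malware),
    scan it, and return hit counts by match reason."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents").mkdir()
        (root / "Documents" / "README_FOR_DECRYPT.txt").write_text("constructed note")
        (root / "Documents" / "report.docx").write_bytes(b"benign document")
        (root / "Pictures").mkdir()
        (root / "Pictures" / "encr.bmp").write_bytes(b"BM constructed placeholder")
        # A file with an innocuous name whose hash is added to the lookup set,
        # to exercise the hash-based match independently of the name match.
        planted = root / "svchost_update.bin"
        planted.write_bytes(b"constructed stand-in bytes")
        hits = scan_for_iocs(root, hashes=IOC_SHA256 | {sha256_file(planted)})
        counts: Dict[str, int] = {}
        for reason, _ in hits:
            counts[reason] = counts.get(reason, 0) + 1
        return counts


if __name__ == "__main__":
    print([refang(i) for i in DEFANGED_NETWORK_IOCS])
    print(demo())
```

Hash matching only catches the exact binaries listed; a rebuilt sample will have a different hash, so the ransom-note file name and the encr.bmp drop path are the more durable of these indicators. The `//BnpOnspQwtjCA/register` path and the `/Bnyar8RsK04ug/` URI are the ones to watch for in proxy logs, and the note above lists the C2 IP as seen in this campaign only.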

For more cyber security write-ups in crisp content, please follow our site via the Twitter handle @cyberworkx1.
