Researchers from Fortinet has identified a new ransomware family Dubbed “Diavol” written in Microsoft Visual C/C++ compiler started infecting the victims in internet. Experts said that they had identified the ransomware has targeted one of its customer containing with two files locker.exe and locker64.dll which were not found in VirusTotal.

Fortinet has also identified that one of the file locker64.dll is to be linked to Conti v3 ransomware and described that this specific malware dropped a ransom note in text format on every folder it has accessed.

Source: Fortinet

“According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities. Browsing to the URL led to us a website, seen in figures 2 and 3, from which we derived the name for the ransomware.” reads the blog post.

On the other hand, IBM X-Force Threat Intelligence team has also got access to the sample which seems to be development version with very less set of features. While analyzing the sample X-Force team has also identified some evidence(Like below) linked to TrickBot malware

The initial execution of the ransomware leads to the collection of basic system information such as Windows version and network adapter details. Then, the ransomware generates a System/Bot ID with the following format:

<hostname>-<username>_W<windows _version>.<guid>

For example:


Researchers also observed that this ransomware family is less interested in infecting Russia and other Commonwealth of independent States language version of OS.

  • 0422 – Ukrainian (Ukraine)
  • 0442 – Turkmen (Turkmenistan)
  • 0444 – Tatar (Russia)
  • 0843 – Uzbek (Cyrillic) (Uzbekistan)
  • 0428 – Tajik (Cyrillic) (Tajikistan)
  • 043F – Kazakh (Kazakhstan)
  • 0423 – Belarusian (Belarus)
  • 082C – Azeri (Cyrillic) (Azerbaijan)
  • 042B – Armenian (Armenia)
  • 0419 – Russian (Russia)

Indicators of Compromise:

File Hashes (SHA256)

85ec7f5ec91adf7c104c7e116511ac5e7945bcf4a8fdecdcc581e97d8525c5ac (Diavol, locker.exe)
426ba2acf51641fb23c2efe686ad31d6398c3dd25c2c62f6ba0621455a3f7178 (Conti v3, locker64.dll)
4bfd58d4e4a6fe5e91b408bc190a24d352124902085f9c2da948ad7d79b72618 (Conti, locker.exe)

File Names


File Paths








Source: Fortinet

–-For more Cyber security write-ups in crisp content . Please follow our site via twitter handle @cyberworkx1

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s