Diavol
Diavol is a ransomware family associated with the TrickBot/Conti ecosystem. Reporting collected here links it to DEV-0193, which Microsoft reported managed the Ryuk RaaS program before also managing Conti and Diavol, and states that GOLD ULRICK and TrickBot partnered in operations involving Diavol. Diavol was observed among common ransomware variants in Q4 2022.
Its documented capabilities include encrypting files for impact, deleting specified files, inhibiting recovery, stopping security software, and internal defacement. The content states Diavol can attempt to stop security software, delete Volume Shadow Copies via the IVssBackupComponents COM object by calling DeleteSnapshots, and spread throughout a network via SMB prior to encryption. For discovery and propagation, it can use the ARP table to find remote hosts to scan, and it has an ENMDSKS command to enumerate available network shares. It is also associated with remote system discovery and SMB-based lateral movement behavior.
For encryption, the content states Diavol encrypts files using an RSA key through the CryptEncrypt API and appends the ".lock64" extension. After encryption it captures the desktop background window, sets the background color to black, and changes the wallpaper to a newly created bitmap containing the message: "All your files are encrypted! For more information see 'README-FOR-DECRYPT.txt'." During execution the malware has used API calls including GetLogicalDriveStrings, SleepEx, SystemParametersInfo, and CryptEncrypt.
The content also notes anti-analysis/obfuscation behavior: Diavol has obfuscated main code routines within bitmap images and is mapped to steganography/obfuscation behavior in ATT&CK-style references. It is further associated with ATT&CK-style behaviors including Data Encrypted for Impact, Data Destruction, Inhibit System Recovery, Internal Defacement, and stopping services.
Contextual reporting in the provided material ties Diavol to Conti/TrickBot operations, including leaked Conti internal chats discussing the Diavol ransomware operation and cryptocurrency payment infrastructure. The content also notes transactions linked to Conti leader "Stern" involving addresses associated with Diavol in 2022.
Groups observed using it
3 distinct threat actors attributed by public researchers.
DEV-0193 managed the Ryuk RaaS program before the latter’s shutdown in June 2021, and Ryuk’s successor, Conti as well as Diavol.
...Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
2 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
Discovery
7 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
Lateral Movement
1 technique
Command and Control
2 techniques
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Impact
5 techniques
“Sandworm Team deployed CaddyWiper…to wipe files…along with mapped drives, and physical drive partitions… AcidPour…perform an in-depth wipe…through either data overwrite or calling various IOCTLS… AcidRain performs an in-depth wipe… Apostle…data destruction tool… writes random data… resizing… deleting… BlackEnergy 2 contains a ‘Destroy’ plug-in… overwriting file contents… HermeticWiper… recursively wipe folders and files… Industroyer’s data wiper module clears registry keys and overwrites… KillDisk deletes system files to make the OS unbootable… Shamoon attempts to overwrite operating system files and disk structures… WhisperGate… corrupt files by overwriting…”
Attackers move directly to deploying ransomware by editing a Group Policy.
Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
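As an added defender-side example (not code from this page or from Mallory), the following Python scans constructed process-creation and file-write events for the recovery-inhibition command lines listed in the passage above and for the Diavol artefacts described earlier (the .lock64 extension and the README-FOR-DECRYPT.txt note); the event shape, field names and sample values are assumptions made for the demonstration.

```python
import re

# Constructed sample telemetry (not real logs): process-creation and file-write events
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "cmdline": "wmic.exe Shadowcopy Delete"},
    {"type": "process", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"type": "process", "cmdline": "vssadmin.exe list shadows"},  # benign admin use
    {"type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.lock64"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\README-FOR-DECRYPT.txt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
]

# Command lines named under Inhibit System Recovery on this page
RECOVERY_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_recovery_off", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
]
# Diavol on-disk artefacts: the .lock64 extension and the ransom note file name
ARTEFACT_RULES = [
    ("diavol_lock64_extension", re.compile(r"\.lock64$", re.I)),
    ("diavol_ransom_note", re.compile(r"(^|\\)README-FOR-DECRYPT\.txt$", re.I)),
]

def match_event(event):
    """Return the names of every rule this single event triggers."""
    if event.get("type") == "process":
        rules, text = RECOVERY_RULES, event.get("cmdline", "")
    elif event.get("type") == "file":
        rules, text = ARTEFACT_RULES, event.get("path", "")
    else:
        return []
    return [name for name, rx in rules if rx.search(text)]

def scan(events):
    """Count rule hits across a batch of events: {rule_name: hits}."""
    counts = {}
    for ev in events:
        for name in match_event(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts

def looks_like_ransomware_impact(counts):
    """Escalate only when recovery inhibition and encryption artefacts co-occur."""
    recovery = any(name in counts for name, _ in RECOVERY_RULES)
    artefacts = any(name in counts for name, _ in ARTEFACT_RULES)
    return recovery and artefacts

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    print(hits, looks_like_ransomware_impact(hits))
```

Diavol's own shadow-copy deletion goes through the IVssBackupComponents COM object rather than a vssadmin or wmic command line, so for this family the file-artefact rules are the ones that fire; the command-line rules cover the tools named in the passage above.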
"Because ransomware payments are demanded in cryptocurrency – usually Bitcoin..." and "strains related to Trickbot have extorted at least $724 million worth of cryptocurrency"
Other
2 techniques
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
The content repeatedly describes threat actors and malware disabling or modifying security tools, EDR/AV, logging, firewall rules, integrity checkers, and security settings; e.g., 'Agrius used several mechanisms to try to disable security tools' and 'BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.'
Recent activity
27 sources tracked across advisories, community write-ups, and news.
Ransomware referenced as one of the malware variants used by the TrickBot/Conti-linked group.
Ransomware that deletes shadow copies through the IVssBackupComponents COM interface.
Named ransomware family referenced in connection analysis tying it to Karakurt and Conti (via blockchain/financial link analysis).
Referenced as a ransomware subgroup/tool previously associated with Conti, used here as a comparison point for how BlackSuit might be positioned.