Security analysts provide proof of Diavol ransomware stealing data from infected systems. Earlier, a claim made by the Diavol gang of stealing data from the victim’s machine was considered a bluff according to the FortiGuard Labs’s researchers.
What was observed?
The recent report from SpearTip provides several insights about the Diavol ransomware including its involvement in stealing data.
- The attackers behind Diavol were observed using Cobalt Strike’s HTTP beacon to facilitate the data exfiltration ability.
- This beacon is named sysr[.]dll that was stored in a folder created by the attackers, making the network communication difficult to detect.
- Another challenging technique deployed by actors includes how the beacon injects malware into the memory of compromised applications.
- Researchers further confirmed that the Diavol ransomware group stole data by presenting a proof of data stolen from multiple organizations.
The earlier dilemma
Earlier, the Diavol group claimed that the malware has data-stealing capabilities, while the FortiGuard researchers found no such tool used by the group.
- The recent report provides insights that help address the confusion in FortiGuard's last report about Diavol’s data-stealing activity.
- The fact is that the ransomware group did not include this capability in its executable package and rather leveraged tactics that enable the exfiltration of data from a particularly evasive environment.
Conclusion
The new Diavol group seems to be resilient and evasive in nature. Security professionals need to erect a robust security infrastructure to avoid any unpleasant surprises.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/637f_shutterstock_1031970997.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/05f3_shutterstock_1654106971.jpg)
