Discovery Enum
- AdFind
- Advanced IP Scanner
- ShareFinder
Diavol is a Windows ransomware family associated with the TrickBot and Conti cybercrime ecosystem and operated by actors tracked as DEV-0193, with reporting also linking its distribution to GOLD ULRICK.
Profile source: Mallory opens in a new tabDiavol
Diavol is a Windows ransomware family associated with the TrickBot and Conti cybercrime ecosystem and operated by actors tracked as DEV-0193, with reporting also linking its distribution to GOLD ULRICK. It emerged as one of the ransomware strains used alongside or after Ryuk and Conti within the same broader criminal network.
Diavol encrypts victim files using RSA through the Windows CryptEncrypt API and has been observed appending a distinct encrypted-file extension. It also inhibits recovery by deleting Volume Shadow Copies through the IVssBackupComponents COM interface and can delete selected files from compromised systems. Post-encryption, it modifies the victim desktop by creating a ransom-themed wallpaper and changing the background to display an extortion message.
The malware includes multiple pre-encryption and operational capabilities that support enterprise-wide impact. It can collect the username from a compromised host, communicate with command-and-control infrastructure over HTTP using GET and POST requests, attempt to stop security software, and use the ARP table to identify remote hosts for scanning. Diavol has also been observed spreading through Windows SMB shares prior to encryption, enabling propagation across internal networks.
Diavol is best understood as part of the financially motivated, human-operated ransomware tradecraft surrounding TrickBot and Conti rather than as a standalone commodity strain. Its observed behavior aligns with double-extortion-era ransomware operations that combine host discovery, defense evasion, lateral spread, recovery inhibition, and disruptive victim messaging to maximize pressure on targeted organizations.
Ransomware.live
Reported operators
DEV-0193 managed the Ryuk RaaS program before the latter’s shutdown in June 2021, and Ryuk’s successor, Conti as well as Diavol.
...Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise.
...deployment of ransomware including Conti and Diavol.
MITRE ATT&CK
Reporting
As the Chainalysis Reactor graph below shows, Stern transacted with numerous ransomware strains, including Ryuk, Conti, Diavol, Karakurt, Royal, 3am, Quantum, and Bitpaymer.
The Conti operation was linked to numerous other malware families, including TrickBot, which was also associated with Bazarloader, SystemBC, IcedID, Ryuk, and Diavol.
The group used the Trickbot malware as well as other malware variants such as Bazarloader, SystemBC, IcedID, Ryuk, Conti and Diavol.
Diavol can delete shadow copies using the IVssBackupComponents COM object to call the DeleteSnapshots method.
The same analysis method allowed our team to identify connections between the Karakurt extortion group, Diavol, and the Conti ransomware group in 2022.
At this time, we will have to wait and see if BlackSuit is, in fact, a failed experiment or the beginning of a new subgroup like Conti had with Diavol.
Trickbot has ... partnered with ransomware groups to deploy several strains including Ryuk, Conti, Diavol, and Karakurt.
Most Commonly Observed Ransomware Variants in Q4 2022 ... 7 Diavol 3.2% New in Top Variants
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.