Skip to content
Ransomware group Windows

Diavol

Diavol is a Windows ransomware family associated with the TrickBot and Conti cybercrime ecosystem and operated by actors tracked as DEV-0193, with reporting also linking its distribution to GOLD ULRICK.

Profile source: Mallory opens in a new tab

Diavol

Family profile

Diavol is a Windows ransomware family associated with the TrickBot and Conti cybercrime ecosystem and operated by actors tracked as DEV-0193, with reporting also linking its distribution to GOLD ULRICK. It emerged as one of the ransomware strains used alongside or after Ryuk and Conti within the same broader criminal network.

Diavol encrypts victim files using RSA through the Windows CryptEncrypt API and has been observed appending a distinct encrypted-file extension. It also inhibits recovery by deleting Volume Shadow Copies through the IVssBackupComponents COM interface and can delete selected files from compromised systems. Post-encryption, it modifies the victim desktop by creating a ransom-themed wallpaper and changing the background to display an extortion message.

The malware includes multiple pre-encryption and operational capabilities that support enterprise-wide impact. It can collect the username from a compromised host, communicate with command-and-control infrastructure over HTTP using GET and POST requests, attempt to stop security software, and use the ARP table to identify remote hosts for scanning. Diavol has also been observed spreading through Windows SMB shares prior to encryption, enabling propagation across internal networks.

Diavol is best understood as part of the financially motivated, human-operated ransomware tradecraft surrounding TrickBot and Conti rather than as a standalone commodity strain. Its observed behavior aligns with double-extortion-era ransomware operations that combine host discovery, defense evasion, lateral spread, recovery inhibition, and disruptive victim messaging to maximize pressure on targeted organizations.

Capabilities

  • Defense Evasion
  • Exfiltration
  • Lateral Movement
  • Reconnaissance
  • Scanning

Ransomware.live

Operational record

View group record ↗

Discovery Enum

  • AdFind
  • Advanced IP Scanner
  • ShareFinder

Exfiltration

  • FileZilla

Offsec

  • Cobalt Strike
  • Rubeus

RMM Tools

  • AnyDesk

Reported operators

Threat actors

3 named in public reporting
WIZARD SPIDER

DEV-0193 managed the Ryuk RaaS program before the latter’s shutdown in June 2021, and Ryuk’s successor, Conti as well as Diavol.

Stern

...Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti’s demise.

MITRE ATT&CK

Diavol in ATT&CK

21 distinct techniques

Reporting

Research mentioning Diavol

Jul 14
Chainalysis

“Stern” Ransomware Operator Sanctioned by EU

As the Chainalysis Reactor graph below shows, Stern transacted with numerous ransomware strains, including Ryuk, Conti, Diavol, Karakurt, Royal, 3am, Quantum, and Bitpaymer.

Jun 15
Security Week

Ukrainian Man Pleads Guilty in US to Conti Ransomware Charges - SecurityWeek

The Conti operation was linked to numerous other malware families, including TrickBot, which was also associated with Bazarloader, SystemBC, IcedID, Ryuk, and Diavol.

May 30
Bleeping Computer

Germany doxxes Conti ransomware and TrickBot ring leader

The group used the Trickbot malware as well as other malware variants such as Bazarloader, SystemBC, IcedID, Ryuk, Conti and Diavol.

Oct 31
Mitre Attack Website

Inhibit System Recovery, Technique T1490 - Enterprise | MITRE ATT&CK®

Diavol can delete shadow copies using the IVssBackupComponents COM object to call the DeleteSnapshots method.

Jul 26
Arctic Wolf

Conti and Akira: Chained Together | Arctic Wolf

The same analysis method allowed our team to identify connections between the Karakurt extortion group, Diavol, and the Conti ransomware group in 2022.

Jun 8
Bleeping Computer

Royal ransomware gang adds BlackSuit encryptor to their arsenal

At this time, we will have to wait and see if BlackSuit is, in fact, a failed experiment or the beginning of a new subgroup like Conti had with Diavol.

Feb 9
Chainalysis

The U.S. and U.K. Sanction Members of Russia-Based Trickbot Cybercrime Gang - Chainalysis

Trickbot has ... partnered with ransomware groups to deploy several strains including Ryuk, Conti, Diavol, and Karakurt.

Jan 20
Coveware

Improved Security and Backups Result in Record Low Number of Ransomware Payments

Most Commonly Observed Ransomware Variants in Q4 2022 ... 7 Diavol 3.2% New in Top Variants

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.