Emsisoft releases decryption tool for Diavol ransomware


Security company Emsisoft has published a decryption tool for the Diavol ransomware, which is linked to the Russian Trickbot group behind the malware of the same name. The decryption tool needs an original and an encrypted version of the same file in order to decrypt all encrypted data.

The Diavol ransomware encrypts a victim's files and then demands a ransom of between $10,000 and $500,000 to decrypt them. The ransomware was discovered in July 2021 by security company Fortinet; after analysis, connections were found between Diavol and the Russian criminals behind the Trickbot malware, which was used to build a giant botnet. Emsisoft has now put a decryption tool for the ransomware online, which it developed with the help of Walmart's threat intel team.

Decryption tool for Diavol from Emsisoft

The decryption tool needs access to a file pair: an encrypted file and the unencrypted original of that same file. From that pair it can derive the key material needed to decrypt the rest of the encrypted data on a system. The Walmart researchers found that Diavol encrypts files by XORing them with the key in blocks of 2048 bytes. Because XOR is its own inverse, XORing an encrypted file with its known original yields the key stream, which can then be applied to every other encrypted file: a classic known-plaintext attack. Emsisoft has automated that in a tool.
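As an added illustration of the known-plaintext attack described above (example code written for this page, not Emsisoft's or Walmart's decryptor), the following Python models the reported flaw as a single 2048-byte key stream that is XORed, block by block, onto every file. The file names, file contents and the attacker's key stream are constructed; real Diavol file headers, footers and any partial-encryption logic are not modelled. Two checks a practitioner would want before trusting a recovered key are included: the pair must cover at least one full block, and every later block of the pair must XOR back to the same key stream as the first.

```python
"""Known-plaintext recovery of a repeating XOR key stream (constructed example)."""
import secrets

BLOCK = 2048  # key stream block size the Walmart researchers reported for Diavol


def recover_keystream(original: bytes, encrypted: bytes, block: int = BLOCK) -> bytes:
    """Derive the `block`-byte XOR key stream from one file pair.

    XOR is its own inverse, so original ^ encrypted = key stream. The pair
    must cover at least one full block, and every further block must agree
    with the first one; otherwise the repeating-block model does not hold
    for this sample (or the two files are not actually a pair).
    """
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted file differ in length")
    if len(original) < block:
        raise ValueError(f"need at least {block} bytes of known plaintext, got {len(original)}")
    key = bytes(p ^ c for p, c in zip(original[:block], encrypted[:block]))
    for off in range(block, len(original), block):
        chunk = bytes(p ^ c for p, c in zip(original[off:off + block], encrypted[off:off + block]))
        if chunk != key[:len(chunk)]:
            raise ValueError(f"key stream does not repeat at offset {off}")
    return key


def xor_with_keystream(data: bytes, key: bytes) -> bytes:
    """Apply the repeating key stream; the same call encrypts and decrypts."""
    n = len(key)
    return bytes(b ^ key[i % n] for i, b in enumerate(data))


def decrypt_all(original: bytes, encrypted: bytes, victims: dict) -> dict:
    """Mimic the decryptor: learn the key from one pair, then decrypt every other file."""
    key = recover_keystream(original, encrypted)
    return {name: xor_with_keystream(ct, key) for name, ct in victims.items()}


def demo() -> bool:
    """Constructed scenario: one attacker key stream reused across all files."""
    attacker_key = secrets.token_bytes(BLOCK)  # never known to the victim
    files = {  # constructed "victim" files (hypothetical names and contents)
        "invoice.pdf": bytes(i % 251 for i in range(5000)),
        "notes.txt": b"quarterly numbers, do not share\n" * 90,
        "tiny.cfg": b"debug=0\n",  # shorter than one block, still decryptable
    }
    encrypted = {name: xor_with_keystream(data, attacker_key) for name, data in files.items()}
    # The victim still has an unencrypted copy of invoice.pdf (e.g. from e-mail),
    # which is the known plaintext the attack needs.
    recovered = decrypt_all(files["invoice.pdf"], encrypted["invoice.pdf"], encrypted)
    return recovered == files


if __name__ == "__main__":
    print("all files recovered:", demo())
```

The example goes slightly beyond the article in that it also rejects a pair whose later blocks disagree with the first; under the single-repeating-key-stream model that signals either a wrong file pair or a key stream that is not actually reused, and in both cases the recovered key would silently corrupt every other file.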

Trickbot started out as a banking trojan but evolved into modular malware used to build botnets. Diavol was created by the Trickbot developers and added to the malware as a new ransomware component, the FBI explains in a PDF advisory. A Latvian woman was charged with co-developing Trickbot in June last year.
