Dangerous New Diavol Ransomware

Overview

The SonicWall Capture Labs threat research team has recently observed a new variant of Diavol ransomware. The ransomware carries out its malicious activity by using bitmap objects that contain binary code, paired with JPEG objects that contain the DLL names and associated API strings.

Infection Cycle

When execution begins, the ransomware reads a DWORD value from its .SHARDAT section. If that value is zero, the ransomware proceeds with its malicious operations and increments the value to one to mark that its activity has started.

Conversely, if the DWORD value is already set to one, the ransomware promptly terminates its execution without initiating any malicious operations.

This method allows the ransomware to execute only once on the system.

Figure 1: DWORD values check

Using the VirtualAlloc API, it allocates two memory buffers with read, write and execute (RWX) permissions, into which it later loads shellcode. Next, it checks for any command line parameters passed to the executable.

It supports the parameters below:

  • “-p”:    Path to a file containing files/directories to be encrypted
  • “-h”:    Path to a file containing remote files/directories
  • “-m”:    Mode, one of:
      • local:   Encrypts local drives
      • net:     Encrypts network drives
      • scan:    Scans and encrypts network shares
      • all:     Encrypts local and network drives
  • “-log”:  Path to a log file

Even if no arguments are passed, it still encrypts files locally. Next, it calls time64 to get the current system time and uses it as the seed for the srand function to initialize the pseudo-random number generator.

Figure 2: srand function

The ransomware hides the different tasks it performs in bitmaps kept in the PE resource section. Before running each task, it copies the binary code from the bitmap into one of the memory buffers allocated earlier. The imports used by each task are also stored in the resource section, under the “JPEG” type, with the same names as the bitmaps.

Figure 3: Resource section containing bitmap objects

The ransomware uses the GENBOTID routine to create a unique identifier for the victim’s system. To load the routine’s bitmap, it calls LoadBitmapW, CreateCompatibleDC, SelectObject and GetObjectW. After that, it calls GetDIBits to retrieve the bits of the bitmap image and copies them into the memory buffer as a DIB.

Figure 4: GENBOTID’s bitmap Image and its corresponding binary view

Once the binary code of the GENBOTID bitmap is loaded into memory, it loads the resource of the same name into memory using the FindResource and LoadResource APIs.

Figure 5: GENBOTID’s resource section

The resource file contains the names of the DLLs and the APIs used by the routine. This lets the ransomware avoid walking the PEB structure to resolve its imports dynamically: it calls LoadLibrary and GetProcAddress on the names present in the resource file, and the resolved API addresses are stored at the end of the buffer. It generates the bot ID in the format below:

<computer_name> + <username> + “_W” + <OS version in hex> + “.” + <random_GUID_bytes in hex>

Figure 6: BotID

It then builds the content of the POST request as seen below:

cid=<bot_ID>&group=<group_ID>&ip_local1=111.111.111.111&ip_local2=222.222.222.222&ip_external=2.16.7.12.

Figure 7: POST request
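As an added detection example (not from the original post), the following Python recognises the check-in body shape above in constructed proxy log lines. The log schema, the host names, the group ID and all addresses are assumptions; the bot ID is split only at its “_W” and “.” separators, since the page gives no delimiter between computer name and username.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Check-in body shape described above, and the bot ID layout
# <computer_name><username>_W<os_version_hex>.<guid_hex> (computer name and
# username have no separator, so they are kept together as host_user).
BODY_RE = re.compile(
    r"^cid=(?P<cid>[^&]+)&group=(?P<group>[^&]+)&ip_local1=(?P<ip1>[^&]+)"
    r"&ip_local2=(?P<ip2>[^&]+)&ip_external=(?P<ipx>[^&]+)$")
CID_RE = re.compile(r"^(?P<host_user>.+)_W(?P<os_hex>[0-9A-Fa-f]+)\.(?P<guid_hex>[0-9A-Fa-f]+)$")
# Constructed proxy log schema (hypothetical): <ts> <src_ip> POST <url> body="..."
PROXY_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) POST (?P<url>\S+) body="(?P<body>[^"]*)"$')

@dataclass
class DiavolCheckin:
    cid: str
    group: str
    ip_local1: str
    ip_local2: str
    ip_external: str
    os_version_hex: str
    guid_hex: str

def _is_ipv4(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)

def parse_checkin(body: str) -> Optional[DiavolCheckin]:
    """Return the parsed check-in if body has the Diavol POST shape, else None."""
    m = BODY_RE.match(body)
    if not m or not all(_is_ipv4(m[k]) for k in ("ip1", "ip2", "ipx")):
        return None
    c = CID_RE.match(m["cid"])
    if not c:
        return None
    return DiavolCheckin(m["cid"], m["group"], m["ip1"], m["ip2"], m["ipx"],
                         c["os_hex"], c["guid_hex"])

def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, DiavolCheckin]]:
    """Return (src_ip, url, checkin) for every POST whose body matches the check-in shape."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m and (ck := parse_checkin(m["body"])) is not None:
            hits.append((m["src"], m["url"], ck))
    return hits

# Constructed sample traffic; bot ID, group, URLs and addresses are made up.
SAMPLE_LOG = [
    '2024-05-01T10:02:13Z 10.0.0.5 POST http://c2.example.invalid/ body="cid=WKSTN01alice_WA000000.0f1e2d3c4b5a69788796a5b4c3d2e1f0&group=grp01&ip_local1=10.0.0.5&ip_local2=192.168.1.20&ip_external=203.0.113.7"',
    '2024-05-01T10:02:20Z 10.0.0.8 POST http://intranet.example.invalid/login body="user=bob&pass=secret"',
    '2024-05-01T10:03:01Z 10.0.0.9 POST http://c2.example.invalid/ body="cid=nobotid&group=g&ip_local1=1.2.3.4&ip_local2=5.6.7.8&ip_external=9.9.9.9"',
]
```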

It has a hardcoded list of service names to be stopped on the victim’s system.

Figure 8

List of service names:

 [“DefWatch”, “ccEvtMgr”, “ccSetMgr”, “SavRoam”, “dbsrv12”, “sqlservr”, “sqlagent”, “Intuit.QuickBooks.FCS”, “dbeng8”, “QBIDPService”, “Culserver”, “RTVscan”, “vmware-usbarbitator64”, “vmware-converter”, “VMAuthdService”, “VMnetDHCP”, “VMUSBArbService”, “VMwareHostd”, “SQLADHLP”, “msmdsrv”, “tomcat6”, “QBCFMonitorService”, “Acronis VSS Provider”, “SQL Backups”, “SQLsafe Backup Service”, “SQLsafe Filter Service”, “Symantec System Recovery”, “Veeam Backup Catalog Data Service”, “Zoolz 2 Service”, “AcrSch2Svc”, “ARSM”, “BackupExecAgentAccelerator”, “BackupExecAgentBrowser”, “BackupExecDeviceMediaService”, “BackupExecJobEngine”, “BackupExecManagementService”, “BackupExecRPCService”, “BackupExecVSSProvider”, “bedbg”, “MMS”, “mozyprobackup”, “ntrtscan”, “PDVFSService”, “SDRSVC”, “SNAC”, “SQLWriter”, “VeeamBackupSvc”, “VeeamBrokerSvc”, “VeeamCatalogSvc”, “VeeamCloudSvc”, “VeeamDeploymentService”, “VeeamDeploySvc”, “VeeamEnterpriseManagerSvc”, “VeeamHvIntegrationSvc”, “VeeamMountSvc”, “VeeamNFSSvc”, “VeeamRESTSvc”, “VeeamTransportSvc”, “sms_site_sql_backup”, “MsDtsServer”, “MsDtsServer100”, “MsDtsServer110”, “msftesql$PROD”, “MSOLAP$SQL_2008”, “MSOLAP$SYSTEM_BGC”, “MSOLAP$TPS”, “MSOLAP$TPSAMA”, “MSSQL$BKUPEXEC”, “MSSQL$ECWDB2”, “MSSQL$PRACTICEMGT”, “MSSQL$PRACTTICEBGC”, “MSSQL$PROD”, “MSSQL$PROFXENGAGEMENT”, “MSSQL$SBSMONITORING”, “MSSQL$SHAREPOINT”, “MSSQL$SQL_2008”, “MSSQL$SQLEXPRESS”, “MSSQL$SYSTEM_BGC”, “MSSQL$TPS”, “MSSQL$TPSAMA”, “MSSQL$VEEAMSQL2008R2”, “MSSQL$VEEAMSQL2012”, “MSSQLFDLauncher”, “MSSQLFDLauncher$PROFXENGAGEMENT”, “MSSQLFDLauncher$SBSMONITORING”, “MSSQLFDLauncher$SHAREPOINT”, “MSSQLFDLauncher$SQL_2008”, “MSSQLFDLauncher$SYSTEM_BGC”, “MSSQLFDLauncher$TPS”, “MSSQLFDLauncher$TPSAMA”, “MSSQLSERVER”, “MSSQLServerADHelper”, “MSSQLServerADHelper100”, “MSSQLServerOLAPService”, “MySQL57”, “MySQL80”, “OracleClientCache80”, “ReportServer$SQL_2008”, “RESvc”, “SQLAgent$BKUPEXEC”, “SQLAgent$CITRIX_METAFRAME”, “SQLAgent$CXDB”, “SQLAgent$ECWDB2”,
“SQLAgent$PRACTTICEBGC”, “SQLAgent$PRACTTICEMGT”, “SQLAgent$PROD”, “SQLAgent$PROFXENGAGEMENT”, “SQLAgent$SBSMONITORING”, “SQLAgent$SHAREPOINT”, “SQLAgent$SQL_2008”, “SQLAgent$SQLEXPRESS”, “SQLAgent$SYSTEM_BGC”, “SQLAgent$TPS”, “SQLAgent$TPSAMA”, “SQLAgent$VEEAMSQL2008R2”, “SQLAgent$VEEAMSQL2012”, “SQLBrowser”, “SQLSafeOLRService”, “SQLSERVERAGENT”, “SQLTELEMETRY”, “SQLTELEMETRY$ECWDB2”, “mssql$vim_sqlexp”, “IISAdmin”, “NetMsmqActivator”, “POP3Svc”, “SstpSvc”, “UI0Detect”, “W3Svc”, “aphidmonitorservice”, “intel(r) proset monitoring service”, “unistoresvc_1af40a”, “audioendpointbuilder”, “MSExchangeES”, “MSExchangeIS”, “MSExchangeMGMT”, “MSExchangeMTA”, “MSExchangeSA”, “MSExchangeSRS”, “msexchangeadtopology”, “msexchangeimap4”, “Sophos Agent”, “Sophos AutoUpdate Service”, “Sophos Clean Service”, “Sophos Device Control Service”, “Sophos File Scanner Service”, “Sophos Health Service”, “Sophos MCS Agent”, “Sophos MCS Client”, “Sophos Message Router”, “Sophos Safestore Service”, “Sophos System Protection Service”, “Sophos Web Control Service”, “AcronisAgent”, “Antivirus”, “AVP”, “DCAgent”, “EhttpSrv”, “ekrn”, “EPSecurityService”, “EPUpdateService”, “EsgShKernel”, “ESHASRV”, “FA_Scheduler”, “IMAP4Svc”, “KAVFS”, “KAVFSGT”, “kavfsslp”, “klnagent”, “macmnsvc”, “masvc”, “MBAMService”, “MBEndpointAgent”, “McAfeeEngineService”, “McAfeeFramework”, “McAfeeFrameworkMcAfeeFramework”, “McShield”, “McTaskManager”, “mfefire”, “mfemms”, “mfevtp”, “MSSQL$SOPHOS”, “sacsvr”, “SAVAdminService”, “SAVService”, “SepMasterService”, “ShMonitor”, “Smcinst”, “SmcService”, “SntpService”, “sophossps”, “SQLAgent$SOPHsvcGenericHost”, “swi_filter”, “swi_service”, “swi_update”, “swi_update_64”, “TmCCSF”, “tmlisten”, “TrueKey”, “TrueKeyScheduler”, “TrueKeyServiceHelWRSVC”, “vapiendpoint”]

Similar to the service name list, it also has a list of processes to be terminated if found running on the system.

Process name list:

[“iexplore.exe”, “msedge.exe”, “chrome.exe”, “opera.exe”, “firefox.exe”, “savfmsesp.exe”, “zoolz.exe”, “firefoxconfig.exe”, “tbirdconfig.exe”, “thunderbird.exe”, “agntsvc.exe”, “dbeng50.exe”, “dbsnmp.exe”, “isqlplussvc.exe”, “msaccess.exe”, “msftesql.exe”, “mydesktopqos.exe”, “mydesktopservice.exe”, “mysqld-nt.exe”, “mysqld-opt.exe”, “mysqld.exe”, “ocautoupds.exe”, “ocssd.exe”, “oracle.exe”, “sqlagent.exe”, “synctime.exe”, “thebat.exe”, “thebat64.exe”, “encsvc.exe”, “ocomm.exe”, “xfssvccon.exe”, “excel.exe”, “infopath.exe”, “mspub.exe”, “onenote.exe”, “outlook.exe”, “powerpnt.exe”, “visio.exe”, “wordpad.exe”, “CNTAoSMgr.exe”, “mbamtray.exe”, “NtrtscPccNTMon.exe”, “tmlisten.exe”, “sqlmangr.exe”, “RAgui.exe”, “QBCFMonitorService.exe”, “supervise.exe”, “fdhost.exe”, “Culture.exe”, “RTVscan.exe”, “Defwatch.exe”, “wxServerView.exe”, “GDscan.exe”, “QBW32.exe”, “QBDBMgr.exe”, “qbupdate.exe”, “axlbridge.exe”, “360se.exe”, “360doctor.exe”, “QBIDPService.exe”, “wxServer.exe”, “httpd.exe”, “fdlauncher.exe”, “MsDtSrvr.exe”, “tomcat6.exe”, “java.exe”, “wdswfsafe.exe”]
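The service-stop and process-kill lists above make a usable host-side detection pattern. The following Python is an added example, not from the original post: it takes a subset of the page's names and flags a host where several listed services are stopped and listed processes are terminated within a short window. The event line schema, host names and timestamps are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Subset of the service and process names from the lists above, lowercased for matching.
DIAVOL_SERVICES = {"veeambackupsvc", "sqlwriter", "mssqlserver", "sqlserveragent",
                   "backupexecjobengine", "mcshield", "savservice", "ekrn", "mbamservice"}
DIAVOL_PROCESSES = {"outlook.exe", "excel.exe", "mysqld.exe", "oracle.exe", "sqlagent.exe",
                    "thunderbird.exe", "qbw32.exe", "mbamtray.exe", "tomcat6.exe"}
WINDOW = timedelta(minutes=5)
SERVICE_THRESHOLD, PROCESS_THRESHOLD = 3, 2  # distinct listed services / processes per WINDOW

# Constructed, simplified event schema (hypothetical), one event per line:
#   <iso_timestamp> host=<name> event=service_stopped|process_terminated name=<value>
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) "
                     r"event=(?P<event>service_stopped|process_terminated) name=(?P<name>\S+)$")

def find_kill_bursts(lines):
    """Return (host, window_start, services, processes) for each host showing the kill pattern."""
    per_host = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        name = m["name"]
        if m["event"] == "service_stopped" and name.lower() in DIAVOL_SERVICES:
            per_host[m["host"]].append((ts, "svc", name))
        elif m["event"] == "process_terminated" and name.lower() in DIAVOL_PROCESSES:
            per_host[m["host"]].append((ts, "proc", name))
    alerts = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            svcs = sorted({e[2] for e in window if e[1] == "svc"})
            procs = sorted({e[2] for e in window if e[1] == "proc"})
            if len(svcs) >= SERVICE_THRESHOLD and len(procs) >= PROCESS_THRESHOLD:
                alerts.append((host, start, svcs, procs))
                break  # one alert per host is enough
    return alerts

# Constructed sample events: SRV01 shows the burst, WS02 a single benign SQLWriter stop.
SAMPLE_LOG = [
    "2024-05-01T10:02:13Z host=SRV01 event=service_stopped name=VeeamBackupSvc",
    "2024-05-01T10:02:14Z host=SRV01 event=service_stopped name=SQLWriter",
    "2024-05-01T10:02:14Z host=SRV01 event=service_stopped name=McShield",
    "2024-05-01T10:02:15Z host=SRV01 event=process_terminated name=outlook.exe",
    "2024-05-01T10:02:16Z host=SRV01 event=process_terminated name=mysqld.exe",
    "2024-05-01T10:30:00Z host=WS02 event=service_stopped name=SQLWriter",
]
```

In production the same logic would read Windows System log event 7036 (service stopped) and an EDR or Sysmon process-termination feed instead of the constructed lines.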

For disk enumeration, it uses GetLogicalDriveStringsW to list all drives on the system. The drive letters are converted to lowercase, and only drives of type DRIVE_REMOTE or DRIVE_FIXED are processed.

Figure 9: Checking drive type

It also checks each path against an exclusion list. The default exclusion list is:

*.exe,*.sys,*.dll,*.lock64,*readme_for_decrypt,*locker.txt,*unlocker.txt,%WINDIR%\,%PROGRAMFILES%\,%PROGRAMW6432%\,*\Microsoft\,*\Windows\,*\Program Files*\,%TEMP%\.

Figure 10: Checking for the exclusion path

Encrypted files are given a .lock64 extension, and the file README_FOR_DECRYPT.txt is created in each affected directory.

Figure 11

Figure 12: Ransomware note

It also changes the wallpaper.

Figure 13: Ransomware wallpaper

Once the process is completed, it deletes itself.

Figure 14: Command for self-deletion

SonicWall Protections:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: DiavolCrypt.RSM (Trojan)