When handling an incident, FortiGuard Labs security researchers noticed that Trickbot had begun to deploy Conti and Diavol ransomware in the same attack. According to the researchers, Conti and Diavol had striking similarities including:
“The two ransomware families’… use of asynchronous I/O operations for file encryption queuing to using virtually identical command-line parameters for the same functionality (i.e., logging, drives and network shares encryption, network scanning).”
Despite the similarities, there is no direct connection that the Trickbot gang developed Diavol like Conti and Ryuk. Because Trickbot is used for access as a service for ransomware gangs it is affiliated with, the connection between Diavol and the Trickbot gang cannot be assumed, but from a practical defense perspective, organizations should continue to focus efforts on detecting Trickbot, Cobalt Strike, and domain profiling reconnaissance methods used prior to ransomware deployment.
This is not the first time that multiple ransomware families have been deployed at the same time. Getting ahead on what comes before ransomware is the best way to stop it. Studying reports by the folks at DFIR Report is an excellent way of understanding what commands are performed, what connections are made, and how the dropping malware moves across a system. Incorporating those lessons into detections will only be as valuable as the logs present and the continuous monitoring alongside it. Layering detections on top of good practices like centralized logging and continuous monitoring is one of the most effective ways to get started in defending an organization’s enterprise.