diavol

Diavol is a ransomware strain first observed in June 2021, associated with the Wizard Spider threat group—best known for operating the TrickBot malware and the Conti ransomware. It uses a double-extortion model, encrypting victim files and exfiltrating sensitive data for additional leverage. The ransomware is written in C and employs a multi-threaded encryption routine using the ChaCha20 algorithm with RSA-2048 to secure encryption keys. Early variants appended no custom extension to files, relying instead on changing file headers, but later versions began appending extensions. Initial access vectors include exploitation of vulnerable systems and the use of TrickBot or BazarLoader infections as staging points. Victims are directed to a Tor-based negotiation portal through ransom notes.