Diavol Ransomware - DFIR Report
Industry: N/A | Level: Operational | Source: DFIR-Report
Intrusion analysis from The DFIR Report identified a BazarLoader infection leading to the deployment of Diavol Ransomware. The threat actor associated with Diavol ransomware is suspected to be Wizard Spider. The intrusion spanned three days. Initial access was obtained through BazarLoader, delivered by a phishing email containing a malicious OneDrive link. Following the infection, internal reconnaissance was initiated along with the execution of a batch script that obtained credentials stored in the registry hives. After an 18 hour break in activity, additional reconnaissance took place along with usage of the Rubeus tool, lateral movement via RDP and AnyDesk, and data exfiltration using FileZilla. Lastly, alongside ransomware deployment, a batch script was executed to remove volume shadow copies and stop services.
- Anvilogic Scenarios:
  - Diavol Ransomware
  - BazarLoader Behaviors
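As an added example, not code from The DFIR Report or Anvilogic, here is a small Python detection that runs over constructed Windows process-creation events and groups the batch-script behaviors described above (credential dumps from registry hives, shadow copy removal, service stops) into per-host scenarios. The command-line patterns are assumptions about how those steps are commonly carried out; this summary does not list the exact commands the scripts used.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not from the report).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "cmd": r"reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"host": "WS01", "user": "jdoe", "cmd": r"reg save hklm\system C:\Windows\Temp\sys.hiv"},
    {"host": "WS01", "user": "jdoe", "cmd": "ipconfig /all"},
    {"host": "DC01", "user": "admin", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "DC01", "user": "admin", "cmd": "net stop MSSQLSERVER /y"},
    {"host": "DC01", "user": "admin", "cmd": "sc stop SQLWriter"},
    {"host": "FS01", "user": "backup", "cmd": "vssadmin list shadows"},  # benign
]

# Behavior rules: assumed common command lines for each step in the narrative.
RULES = {
    "registry_hive_dump": re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I),
    "shadow_copy_removal": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "service_stop": re.compile(r"\b(?:net1?(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+\S+", re.I),
}

# Scenarios require a set of behaviors to co-occur on the same host.
SCENARIOS = {
    "credential_access": {"registry_hive_dump"},
    "ransomware_staging": {"shadow_copy_removal", "service_stop"},
}


def classify(cmd: str) -> list:
    """Return the names of every behavior rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def behaviors_by_host(events) -> dict:
    """Collect the distinct matched behaviors seen on each host."""
    seen = defaultdict(set)
    for ev in events:
        for name in classify(ev["cmd"]):
            seen[ev["host"]].add(name)
    return dict(seen)


def flag_hosts(events) -> dict:
    """Map each host to the sorted scenarios whose required behaviors all occurred there."""
    hits = {}
    for host, behaviors in behaviors_by_host(events).items():
        matched = sorted(s for s, req in SCENARIOS.items() if req <= behaviors)
        if matched:
            hits[host] = matched
    return hits


if __name__ == "__main__":
    for host, scenarios in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(scenarios)}")
```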