Government Warning: New Diavol Virus Spreads Via Email To Rob Your Money

Update: 2021-12-23 18:15 IST

For representational purpose

The Government of India has issued a "Virus Alert" through the Computer Emergency Response Team of India (CERT-In) after a new kind of ransomware was discovered to be spreading via email. The ransomware targets Windows computers, and once the payload is delivered, it locks the PC remotely and prompts the user for money. For those unaware, ransomware is a sophisticated type of malware that completely locks the system or important files and then blackmails users into transferring money (via Bitcoins). If the user does not transfer the ransom, the files are usually deleted, or the PC may be rendered useless.

CERT-In, in its latest notice, warned about the ransomware called Diavol. According to the advisory, the Thai ransomware is compiled with the Microsoft Visual C / C ++ Compiler. "It is encrypting files using user-mode Asynchronous Procedure Calls (APCs) with an asymmetric encryption algorithm," it said.

According to CERT-In, the Diavol malware has spread via email, including a link to OneDrive. The OneDrive link instructs the user to download a compressed file containing an ISO file containing an LNK file and a DLL—once opened (mounted) on the users' system, the LNK file disguised as Document invites the user to click/open it. Once the user executes the LNK file, the malware infection will start.

What happens after Diavol ransomware infects a PC?

After the Diavol malware infects a PC, it performs pre-processing on the victim's system, including registering the victim's device with a remote server, terminating running processes, searching for local drives and files on the system to encrypt and prevent recovery by deleting snapshots. Then the files are locked, and the desktop background is changed with a ransom message.

"Diavol also lacks any obfuscation as it doesn't use packing or anti-disassembly tricks, but it still manages to make analysis harder by storing its main routines within bitmap images.

When run on a compromised machine, the ransomware extracts the code from the PE resource section of the images and loads it into a buffer with execute permissions, "he added.

How to stay safe from Diavol ransomware?

To stay safe from this ransomware, users must update software and operating systems with the latest patches. In addition, scan all incoming and outgoing emails for threats and filter executable files from reaching end users.

Other methods include network segmentation and security zone segregation, which helps protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and virtual local area networks.

"Restrict users' permissions to install and run software applications, and apply the principle of "least privilege" to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network. Configure firewalls to block access to known malicious IP addresses. Users are advised to disable their RDP if not in use; if required, it should be placed behind the firewall, and users are to bind with proper policies while using the RDP," said CERT-In.

Tags:    

Similar News