The Indian government has issued a ‘Virus Alert’ following the initial discovery of a ransomware strain named Diavol that propagates via email. The alert, issued on December 21 by the Indian Computer Emergency Response Team (CERT-In), warns of ransomware that targets Windows machines. Once installed, the ransomware remotely shuts down the device and demands money from the user. Diavol has been spreading via email links, including a URL pointing to OneDrive. Once the download has been opened or mounted on the user’s PC, an LNK file masquerading as a document urges the user to click it.
When the user runs the LNK file, the ransomware installation process begins. Unless the user pays the fee, the data is typically wiped and the machine may become inoperable. For readers unfamiliar with ransomware: it is a type of malware that encrypts a computer system or key documents and then extorts victims into paying (usually in cryptocurrency) for the decryption key.
How does the Diavol Ransomware attack?
According to the reports, Diavol is compiled with the Microsoft Visual C/C++ compiler. The ransomware encrypts user data with an asymmetric encryption scheme, driving the encryption routines through user-mode Asynchronous Procedure Calls (APCs). The malware arrives by email with a OneDrive link from which the victim is instructed to download a ZIP file; the ZIP contains an ISO file, which in turn contains an LNK file and a DLL.
When the downloaded image is opened, it mounts on the system and the LNK file, which appears to be a document, lures the user into opening it. The damage is done once it is opened: the system begins to be infected and the malware spreads. The infection begins with pre-processing on the computer: registering the host with a remote server, identifying drives and files to encrypt, and blocking recovery by deleting shadow copies. Files are then encrypted, and the desktop background is changed to a ransom demand.
What happens after Diavol ransomware infects a PC
Once it infects a PC, Diavol performs pre-processing on the target device: enrolling the victim device with a remote server, halting active programmes, finding local drives and files to lock, and blocking recovery by erasing shadow copies. The files are then encrypted, and the desktop background is replaced with a ransom note.
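The delivery chain (ZIP, ISO, LNK and DLL) and the pre-processing steps described above can be turned into a correlation rule. The PowerShell below is an added example, not code from the advisory or the article: it runs over constructed Sysmon-style process-creation events (field names follow Sysmon Event ID 1; the sample lines are invented) and flags a DLL loaded by rundll32.exe or regsvr32.exe from a volume other than the system drive, which is where a mounted ISO appears, followed within a time window by a shadow-copy deletion command. The use of rundll32.exe as the LNK's launch target and all command lines are assumptions made for the example, not details taken from CERT-In.

```powershell
# Added example (not from CERT-In or the article): correlate Sysmon-style
# process-creation events for the chain described above, i.e. a DLL launched
# from a mounted ISO volume followed by shadow-copy deletion.
# ASSUMPTIONS: field names follow Sysmon Event ID 1; the rundll32/regsvr32
# launch method and every command line below are constructed, not observed.

$SystemDrive = 'C:'

# Constructed sample telemetry: WS01 shows the full chain, WS02 a benign
# rundll32 call from the system drive that must not fire.
$SampleEvents = @(
    [pscustomobject]@{ Time = '2021-12-21T09:00:40'; Computer = 'WS01'
                       Image = 'C:\Windows\System32\rundll32.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'rundll32.exe E:\Document.dll,Start' },
    [pscustomobject]@{ Time = '2021-12-21T09:01:10'; Computer = 'WS01'
                       Image = 'C:\Windows\System32\vssadmin.exe'
                       ParentImage = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'vssadmin.exe delete shadows /all /quiet' },
    [pscustomobject]@{ Time = '2021-12-21T09:05:00'; Computer = 'WS02'
                       Image = 'C:\Windows\System32\rundll32.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL' }
)

function Test-NonSystemDllLaunch {
    # True when rundll32/regsvr32 is handed a DLL path on a drive other than
    # the system drive (a mounted ISO is assigned its own drive letter).
    param([pscustomobject]$Record)
    $dllHosts = @('rundll32.exe', 'regsvr32.exe')
    $image = Split-Path -Path $Record.Image -Leaf
    if ($dllHosts -notcontains $image) { return $false }
    $m = [regex]::Match($Record.CommandLine, '(?i)\b([A-Z]):\\[^\s,"]+\.dll\b')
    return ($m.Success -and (($m.Groups[1].Value + ':') -ne $SystemDrive))
}

function Test-ShadowCopyDeletion {
    # True when the command line is one of the usual shadow-copy deletion forms.
    param([pscustomobject]$Record)
    $patterns = @('(?i)vssadmin(\.exe)?\s+delete\s+shadows',
                  '(?i)wmic(\.exe)?\s+shadowcopy\s+delete')
    foreach ($p in $patterns) {
        if ($Record.CommandLine -match $p) { return $true }
    }
    return $false
}

function Find-DiavolChain {
    # Per host: every non-system DLL launch is Medium; if a shadow-copy
    # deletion follows it within the window, the finding is raised to High.
    param([object[]]$Records, [int]$WindowMinutes = 10)
    $findings = @()
    foreach ($group in ($Records | Group-Object Computer)) {
        $launches = @($group.Group | Where-Object { Test-NonSystemDllLaunch $_ })
        $wipes    = @($group.Group | Where-Object { Test-ShadowCopyDeletion $_ })
        foreach ($launch in $launches) {
            $t0 = [datetime]$launch.Time
            $follow = @($wipes | Where-Object {
                $delta = ([datetime]$_.Time) - $t0
                $delta.TotalMinutes -ge 0 -and $delta.TotalMinutes -le $WindowMinutes })
            $severity = if ($follow.Count -gt 0) { 'High' } else { 'Medium' }
            $findings += [pscustomobject]@{
                Computer       = $group.Name
                Severity       = $severity
                Launch         = $launch.CommandLine
                ShadowDeletion = (($follow | ForEach-Object CommandLine) -join '; ')
            }
        }
    }
    return $findings
}

Find-DiavolChain -Records $SampleEvents -WindowMinutes 10 | Format-Table -AutoSize
```

On the constructed input only WS01 produces a finding, rated High because the vssadmin command follows the DLL launch within the window; the WS02 call loads a DLL from the system drive and is ignored. To use it on real telemetry, replace `$SampleEvents` with objects built from Sysmon Event ID 1 records (for instance via `Get-WinEvent`) and tune the drive-letter check to match how removable and virtual volumes are lettered in your environment.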
According to CERT-In, “Diavol also lacks any obfuscation as it doesn’t use packing or anti-disassembly tricks, but it still manages to make analysis harder by storing its main routines within bitmap images. When executing on a compromised machine, the ransomware extracts the code from the images’ PE resource section and loads it within a buffer with execution permissions.”
How to protect yourself from ‘Diavol’ Ransomware?
CERT-In stated, “Restrict users’ permissions to install and run software applications, and apply the principle of ‘least privilege’ to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network. Configure firewalls to block access to known malicious IP addresses.”
To avoid infection by this ransomware, users must update their operating systems and applications to the most recent versions. Another way to protect sensitive data is to segment the network into different security zones; the operational network can be separated from business processes using physical restrictions and virtual local area networks. Users should turn off Remote Desktop Protocol (RDP) if it is not used and, where it is required, place it behind a secure network. Restrict users’ ability to install and run software programmes: limiting these rights can prevent malware from running or propagating on a system.
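The controls above (RDP off unless required, least privilege, firewall blocks for known malicious addresses) can be checked and, for two of them, enforced from PowerShell. The script below is an added example and is not CERT-In's or the article's code; it uses only built-in cmdlets (`Get-ItemProperty`, `Get-LocalGroupMember`, `Get-NetFirewallRule`, `New-NetFirewallRule`, `Disable-NetFirewallRule`). The IP list is a placeholder drawn from the RFC 5737 documentation ranges and must be replaced with addresses from your own threat-intelligence feed; the rule name and the assumption that only the built-in Administrator and Domain Admins belong in the local Administrators group are choices made for the example.

```powershell
# Added example (not from CERT-In or the article): audit a Windows host
# against the controls recommended above and, with -Apply, enforce two of them.
# ASSUMPTIONS: $KnownMaliciousIPs is a PLACEHOLDER (RFC 5737 documentation
# addresses); the rule name and the admin-group allow list are example choices.
#Requires -RunAsAdministrator

$KnownMaliciousIPs = @('203.0.113.10', '198.51.100.25')   # PLACEHOLDER values
$BlockRuleName = 'Block known-malicious IPs'
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpControl {
    # CERT-In: turn RDP off unless required. fDenyTSConnections = 1 means off.
    $deny = (Get-ItemProperty -Path $RdpKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    [pscustomobject]@{ Control = 'RDP disabled'; Pass = ($deny -eq 1); Detail = "fDenyTSConnections=$deny" }
}

function Get-LeastPrivilegeControl {
    # CERT-In: least privilege. Flag every local Administrators member other
    # than the built-in Administrator account and Domain Admins (example policy).
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    $extra = @($members | Where-Object { $_.Name -notmatch '\\(Administrator|Domain Admins)$' })
    [pscustomobject]@{ Control = 'Local Administrators limited'; Pass = ($extra.Count -eq 0); Detail = ($extra.Name -join ', ') }
}

function Get-FirewallBlockControl {
    # CERT-In: block known malicious addresses. Expect an enabled inbound and
    # outbound rule carrying the block list.
    $rules = @(Get-NetFirewallRule -DisplayName "$BlockRuleName*" -ErrorAction SilentlyContinue)
    $enabled = @($rules | Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{ Control = 'Firewall blocks known-bad IPs'; Pass = ($enabled.Count -ge 2); Detail = "$($enabled.Count) enabled rule(s)" }
}

function Set-HardeningControls {
    # Enforce the two controls that can be set directly. Trimming the local
    # Administrators group is left to a human because it depends on site policy.
    Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "$BlockRuleName ($dir)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block `
                -RemoteAddress $KnownMaliciousIPs -Profile Any | Out-Null
        }
    }
}

function Invoke-HardeningAudit {
    # Report-only by default; -Apply enforces first, then reports the new state.
    param([switch]$Apply)
    if ($Apply) { Set-HardeningControls }
    Get-RdpControl
    Get-LeastPrivilegeControl
    Get-FirewallBlockControl
}

Invoke-HardeningAudit | Format-Table -AutoSize
```

Run it as-is from an elevated prompt to get a pass/fail table for the three controls, and `Invoke-HardeningAudit -Apply` to disable RDP and create the block rules before reporting. Patching and VLAN segmentation, the other two measures in the text, are not host-local settings and are deliberately outside the script.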