diablo6

[Content by Gemini 2.5]


Technical Breakdown: DIABLO6 (.diablo6)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .diablo6
    The malware appends “.diablo6” directly to every file it touches (no dot leader). Example: Invoice_2024-06.xlsx → Invoice_2024-06.xlsxdiablo6.
  • Renaming Convention:
    All files on local, mapped, removable and network-share drives are renamed in place immediately after encryption; directory names are not renamed.
    No ransom-note string is injected into the file name (unlike some LockerGoga variants), so victims often notice that files abruptly fail to open before they see the ransom note.
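A small incident-scoping helper for the renaming pattern described above, added here as an editorial example (it is not code from the report or from any vendor). Because the text is ambiguous about whether a dot precedes the marker (“.diablo6” versus “no dot leader”), the helper accepts both spellings; that dual handling, and the sample listing, are assumptions of this example.

```python
import ntpath
from collections import Counter
import os

MARKER = "diablo6"  # suffix appended to encrypted files, per the report


def original_name(path):
    """Return the pre-encryption name for a marked file, or None if unmarked.

    Accepts both "report.xlsxdiablo6" and "report.xlsx.diablo6" (assumption:
    the page describes both forms). Only the file name tail is inspected, since
    the report states directory names are never renamed.
    """
    if not path.lower().endswith(MARKER):
        return None
    stem = path[: -len(MARKER)]
    if stem.endswith("."):          # strip the optional dot leader
        stem = stem[:-1]
    return stem


def scope_incident(paths):
    """Map every marked path to its original name and count hits per directory.

    The mapping is what a restore job needs; the per-directory counts show
    which shares were reached, which drives containment and backup selection.
    """
    affected = {}
    per_dir = Counter()
    for p in paths:
        orig = original_name(p)
        if orig is None:
            continue
        affected[p] = orig
        # ntpath is used so Windows paths are parsed correctly on any host
        per_dir[ntpath.dirname(p) or "."] += 1
    return affected, per_dir


def walk_tree(root):
    """Yield every file path under root for feeding into scope_incident()."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


# Constructed directory listing, not taken from a real host.
SAMPLE_PATHS = [
    r"D:\Finance\Invoice_2024-06.xlsxdiablo6",
    r"D:\Finance\Invoice_2024-06.xlsx.diablo6",
    r"D:\Finance\Budget.docx",
    r"\\fileserver\shared\plans.dwgdiablo6",
]

if __name__ == "__main__":
    affected, per_dir = scope_incident(SAMPLE_PATHS)
    for marked, orig in affected.items():
        print(f"{marked}  ->  {orig}")
    print(dict(per_dir))
```

A plain suffix match will also catch an unrelated file that happens to end in the marker, so treat the output as a scoping aid and confirm the hits against the encryption timestamps before restoring over anything.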

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First large-scale sightings began 17 May 2023 (GMT), with secondary waves on 23-26 May 2023 following a cracked-software dropper campaign. By early June 2023, DIABLO6 was widely reported across Eastern Europe and Russia, spreading outward over RDP using previously harvested credentials.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. RDP/remote credential spraying: default or weak administrator passwords are brute-forced; SMB credentials harvested earlier with Mimikatz are then reused.
  2. Phishing emails: ZIP attachments “Payment Approved.zip” → two-layer archive → disguised “Payroll.xlsx.lnk” → PowerShell payload (containing DIABLO6 stager + Cobalt Strike).
  3. Cracked/Keygen bundles (“Adobe CC Activator.exe”, “AutoCAD 2024 Crack.exe”) distributed on torrent trackers—these installers drop both the ransomware DLL and its upgrader script.
  4. Exploitation: no zero-days reported and no EternalBlue-style propagation; DIABLO6 relies on valid logins or user execution.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Apply the “gold set”:
    – Patch Windows monthly; disable SMBv1 separately if it is still enabled.
    – Segment networks—block RDP (TCP/3389) inbound at the perimeter; require MS RD Gateway, VPN + MFA instead of direct NLA.
    – Enforce least privilege, disable the administrative shares (ADMIN$/IPC$) via the AutoShareServer GPO setting, and log failed logon attempts so they can be rate-limited.
    • Backup hygiene: “3-2-1-1” rule (three copies, two different media, one off-site/off-network, one immutable).
    • Email scanning: block nested ZIPs; restrict .LNK, .HTA, .DOCM, and ISO macros.
    • Endpoint Detection & Response (EDR): enable tamper protection and rollback features (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne all detect DIABLO6 under aliases Trojan/Ransom.Diablo6.*).
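The phishing chain in the attack-vector list (ZIP → nested ZIP → “Payroll.xlsx.lnk”) and the email-scanning rule above (block nested ZIPs, restrict .LNK/.HTA/.DOCM/ISO) describe the same control from two sides. The following gateway-style attachment check is an added example written for this page, not code from the report or any mail-security product. The extension list comes from the page; the recursion limit, size cap, and the constructed sample archives are assumptions of the example.

```python
import io
import zipfile

BLOCKED_EXTENSIONS = {".lnk", ".hta", ".docm", ".iso"}   # from the page's rule
ARCHIVE_EXTENSIONS = {".zip"}
MAX_DEPTH = 3                      # assumption: stop descending after 3 levels
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumption: do not inflate huge members


def _ext(name):
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def _double_extension(name):
    """True for lures such as Payroll.xlsx.lnk that imitate a document."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and "." + parts[-1] in BLOCKED_EXTENSIONS


def scan_archive(data, depth=0, prefix=""):
    """Return [(member_path, reason), ...] findings for a ZIP given as bytes.

    Every archive-in-archive is a finding on its own (the page's 'block nested
    ZIPs' rule); the nested archive is still opened, within limits, so the
    report names the actual lure inside it.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "not a valid ZIP")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            ext = _ext(info.filename)
            if ext in ARCHIVE_EXTENSIONS:
                findings.append((name, "nested archive"))
                if depth + 1 >= MAX_DEPTH:
                    findings.append((name, "nesting depth limit reached"))
                elif info.file_size > MAX_MEMBER_BYTES:
                    findings.append((name, "oversized nested archive not inspected"))
                else:
                    findings.extend(scan_archive(zf.read(info), depth + 1, name + "!/"))
            elif ext in BLOCKED_EXTENSIONS:
                reason = "blocked extension"
                if _double_extension(info.filename):
                    reason += " with document-style double extension"
                findings.append((name, reason))
    return findings


def should_quarantine(data):
    """Policy decision: any finding at all keeps the attachment from delivery."""
    return bool(scan_archive(data))


def _make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the described lure; the .lnk body is inert filler.
INNER = _make_zip({"Payroll.xlsx.lnk": b"placeholder shortcut bytes"})
PHISH_ZIP = _make_zip({"Payment Approved/inner.zip": INNER})
CLEAN_ZIP = _make_zip({"report.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in (("Payment Approved.zip", PHISH_ZIP), ("clean.zip", CLEAN_ZIP)):
        print(label, "->", "QUARANTINE" if should_quarantine(blob) else "deliver")
        for member, reason in scan_archive(blob):
            print("   ", member, ":", reason)
```

The depth and size caps matter as much as the extension list: an inspector that inflates every nested member without bound is itself a denial-of-service target, so the check reports what it refused to open rather than silently skipping it.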

2. Removal

Step-by-step cleanup after incident response triage:

  1. Isolate affected machines and shut down shares immediately.
  2. Boot into “Safe Mode with Networking” to prevent the service (diabl.exe loader) from starting normally.
  3. Terminate active processes:
    taskkill /f /im diabl.exe
    then run Autoruns to remove persistence entries under Run or RunOnce.
  4. Delete registry keys:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\diablo6
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware (delete this value; DIABLO6 sets it to disable Defender)
  5. Clear temp folders: %temp%\diablo6\, %appdata%\diablo6\bin\
  6. Run a reputable scanner (Malwarebytes + Rootkit scan; ESET or Kaspersky Rescue Disk).
  7. Reboot and verify Windows Defender/EDR loads normally.

3. File Decryption & Recovery

  • Recovery Feasibility:
    – At the time of writing, no free decryptor exists. DIABLO6 uses AES-256 in CBC mode; each file is encrypted with a unique 256-bit key that is sealed with the attacker’s RSA-2048 public key.
    – Victims who catch the malware in action before it removes Windows shadow copies (vssadmin delete shadows /all /quiet) still stand a chance: use Shadow Explorer or vssadmin list shadows to locate and copy older versions.
  • Required Tools/Patches:
    – Manual RDP lockdown: set the GPO “Network security: Restrict NTLM: Incoming NTLM traffic” to deny; apply KB5025885 (May 2023) for the certificate fix against PetitPotam abuse.
    – Windows & Defender security baseline templates (Microsoft Security Compliance Toolkit 1.0) to block unsigned DLLs and script execution from temp directories.
    – For file-level recovery: Veeam (immutable backups), Macrium Reflect, or open-source Borgmatic + S3 lifecycle lock.
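The removal steps (diabl.exe loader, the Run-key entry, the DisableAntiSpyware value) and the shadow-copy window above are the indicators a SOC would want to alert on before the cleanup stage is ever reached. The detector below is an added example written for this page, not code from the report or from any SIEM or EDR vendor. It runs over a simplified Sysmon-like event layout (event ID 1 = process create, ID 13 = registry value set); that layout, the rule names and the sample events are assumptions of the example, and the indicator strings are taken from the page.

```python
import re

# Rules derived from the indicators listed in the removal/recovery sections.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
DEFENDER_OFF = re.compile(r"\\Windows Defender\\DisableAntiSpyware$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\diablo6$", re.I)
LOADER_IMAGE = re.compile(r"(?:^|\\)diabl\.exe$", re.I)


def match_event(event):
    """Return the rule names that one event triggers (empty list if benign)."""
    hits = []
    if event.get("event_id") == 1:                       # process creation
        if SHADOW_DELETE.search(event.get("command_line", "")):
            hits.append("shadow_copy_deletion")
        if LOADER_IMAGE.search(event.get("image", "")):
            hits.append("diablo6_loader_process")
    elif event.get("event_id") == 13:                    # registry value set
        target = event.get("target", "")
        details = str(event.get("details", "")).strip().lower()
        # Sysmon renders DWORDs as "DWORD (0x00000001)"; accept a bare "1" too.
        if DEFENDER_OFF.search(target) and details in {"1", "dword (0x00000001)"}:
            hits.append("defender_tamper")
        if RUN_KEY.search(target):
            hits.append("run_key_persistence")
    return hits


def scan_events(events):
    """Return [(event_index, rule), ...] in arrival order, for timeline building."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_event(ev)]


def shadow_copies_likely_intact(events):
    """True when no shadow-copy deletion was observed, so VSS recovery is still worth trying."""
    return not any(rule == "shadow_copy_deletion" for _, rule in scan_events(events))


# Constructed telemetry; paths and SIDs are illustrative, not from a real host.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows"},                    # benign admin use
    {"event_id": 1, "image": r"C:\Users\bob\AppData\Local\Temp\diablo6\diabl.exe",
     "command_line": r"C:\Users\bob\AppData\Local\Temp\diablo6\diabl.exe"},
    {"event_id": 13, "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"event_id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\diablo6",
     "details": r"C:\Users\bob\AppData\Roaming\diablo6\bin\diabl.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for idx, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("shadow copies likely intact:", shadow_copies_likely_intact(SAMPLE_EVENTS))
```

Of the four rules, the command-line one is the durable signal: a file name such as diabl.exe or a Run-key value name can change between builds, whereas a ransomware that wants to remove the recovery window still has to issue the shadow-copy deletion, so that rule deserves the highest severity and the fastest response.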

4. Other Critical Information

  • Unique Characteristics:
    – The second-stage payload also drops Diavol ransomware (a customized VDI-O wiper) on some Russian machines, producing dual ransom demands.
    – A lateral-movement script (sharemap.ps1) enumerates the local /24 via WMI Win32_Share and automatically mounts drives before encryption, evidence of attacker scripting rather than purely manual tradecraft.
    – The ransom note (README_FOR_DECRYPT.txt) is accompanied by a secondary .url shortcut titled “Support Chat” that links to a nonexistent DarkMarket forum page, likely a placeholder not yet fully implemented.
    – No Tor server: payment is demanded in Monero to a single static wallet, which complicates law-enforcement tracing.

  • Broader Impact:
    – Curiously high infection rate in construction firms (likely via AutoCAD cracks).
    – Regulatory agencies (CISA, ACSC, CERT-EE) issued flash alerts (TA23-130A) urging firmware-level RDP controls within 24 hours.
    – An Intel471 threat report links the DIABLO6 affiliate to the FIN7 subgroup “PowerWithin”, raising espionage concerns beyond pure ransom.

Stay vigilant, patch early, back up often, and never pay until reputable experts confirm zero decryption options.