S0659: Diavol
Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The Diavol Ransomware-as-a-Service (RaaS) program is managed by Wizard Spider and it has been observed being deployed by Bazar.[1][2][3][4]
Analyst context for executives and security teams
Diavol is a Windows ransomware family documented by ATT&CK as capable of prioritizing which file types to encrypt from an attacker-defined extension list. For leaders, the practical issue is not only encryption: the related ATT&CK relationships show a ransomware workflow that can include discovery of systems, users, files, processes, network shares, SMB/admin-share movement, tool transfer, defense impairment, service stopping, recovery inhibition, defacement, data destruction, and encryption for impact. That makes Diavol relevant to business continuity, backup recoverability, privileged access control, and SOC readiness for fast containment.
Executive priority
Treat this as a ransomware resilience validation case. Executives should ask whether Windows endpoint visibility, SMB/admin-share governance, backup and recovery controls, and incident response decision paths are tested against ransomware behaviors before encryption begins. Because ATT&CK notes Diavol as RaaS managed by Wizard Spider and observed being deployed by Bazar, threat intelligence and IR teams should also ensure reporting can connect malware observations to broader intrusion context without assuming attribution from a single alert.
Technical view
ATT&CK provides no official detection text for Diavol, so defenders should validate coverage around its related behaviors rather than rely on a Diavol-specific signature. On Windows, prioritize visibility for discovery activity, file and directory enumeration, user/process/system information checks, network and share discovery, SMB/Windows admin share access, suspicious inbound tool transfer, web-protocol command-and-control patterns, attempts to impair security tools, service stops, recovery inhibition, and high-volume file modification/encryption. Detection engineering should correlate pre-impact discovery and lateral movement with later impact behaviors to reduce alert fragmentation during ransomware response.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- File creation, rename, modification, and high-volume encryption-like activity on local drives and network shares
- Windows service control events and security tool process/service health events
- SMB/admin share access, authentication, and remote file operation logs
- Network connection and proxy/DNS telemetry for web-protocol command-and-control or tool transfer patterns
Detection direction
- Build behavior-based correlations across discovery, SMB/admin-share access, tool transfer, defense impairment, recovery inhibition, and encryption impact rather than depending only on malware names.
- Tune ransomware detections for high-volume file changes and extension-focused encryption while accounting for legitimate administrative, backup, migration, and data-processing activity that can create similar volume patterns.
- Validate that service-stop and security-tool tampering alerts are high-priority when they occur near discovery or suspicious file activity.
- Confirm that network share and admin-share access is logged with user, host, target share, and authentication context; ransomware often becomes business-critical when shared data is affected.
- Use the Wizard Spider and Bazar relationships as enrichment context for investigations, not as standalone attribution evidence.
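As an added illustration of the behavior-based correlation described in this list (example code written for this page, not from ATT&CK, Glexia or the cited reports), the following Python scores each host from constructed endpoint records by combining a burst of renames to the ".lock64" extension, writes to network shares, service stops and VSS snapshot deletion. The record format, process names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample endpoint telemetry (not real Diavol data); one record per
# line as "timestamp|host|process|event|detail"; process names are invented.
SAMPLE_EVENTS = """\
2021-07-01T10:00:01|WS01|upd.exe|file_rename|C:\\Users\\a\\plan.docx -> C:\\Users\\a\\plan.docx.lock64
2021-07-01T10:00:02|WS01|upd.exe|file_rename|\\\\FS01\\finance\\q2.xlsx -> \\\\FS01\\finance\\q2.xlsx.lock64
2021-07-01T10:00:02|WS01|upd.exe|file_rename|C:\\Users\\a\\notes.pdf -> C:\\Users\\a\\notes.pdf.lock64
2021-07-01T10:00:05|WS01|upd.exe|service_stop|MSSQLSERVER
2021-07-01T10:00:06|WS01|upd.exe|vss_delete|IVssBackupComponents::DeleteSnapshots
2021-07-01T10:30:00|WS02|backup.exe|file_rename|D:\\archive\\jun.bak -> D:\\archive\\jun.bak.old
2021-07-01T10:30:01|WS02|backup.exe|file_rename|D:\\archive\\jul.bak -> D:\\archive\\jul.bak.old
2021-07-01T11:00:00|WS03|cleanup.exe|vss_delete|IVssBackupComponents::DeleteSnapshots
"""
ENCRYPTED_EXT = ".lock64"  # extension ATT&CK reports Diavol appending (T1486)
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 3  # encrypted-looking renames inside one WINDOW (assumed tuning)

def parse_events(text):
    rows = (line.split("|", 4) for line in text.splitlines())
    return [{"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
             "event": ev, "detail": detail} for ts, host, proc, ev, detail in rows]

def target(e):  # destination path of a rename record
    return e["detail"].split(" -> ")[1]

def analyze(events):
    # Per host: correlate an encryption-like rename burst with the other
    # ATT&CK rows (share writes, SCM service stop, VSS snapshot deletion).
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        renames = [e for e in evs if e["event"] == "file_rename"
                   and target(e).lower().endswith(ENCRYPTED_EXT)]
        burst = any(renames[i + BURST_THRESHOLD - 1]["ts"] - renames[i]["ts"] <= WINDOW
                    for i in range(len(renames) - BURST_THRESHOLD + 1))
        signals = {"encrypt_burst": burst,
                   "share_write": any(target(e).startswith("\\\\") for e in renames),
                   "service_stop": any(e["event"] == "service_stop" for e in evs),
                   "vss_delete": any(e["event"] == "vss_delete" for e in evs)}
        hits = [k for k, v in signals.items() if v]
        # Burst plus a supporting signal: critical; lone burst: high; lone VSS
        # deletion or service stop: medium (backup/admin tooling can look alike).
        sev = ("critical" if burst and len(hits) > 1 else "high" if burst
               else "medium" if signals["vss_delete"] or signals["service_stop"] else "info")
        findings[host] = {"severity": sev, "signals": hits}
    return findings
```

The WS02 backup renames stay at "info" because the destination extension is not the one being watched, which is the kind of administrative baseline the tuning point above refers to.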
Mitigation priorities
- Prioritize tested, isolated, and recoverable backups, including validation that recovery mechanisms cannot be easily disabled from normal endpoint privileges.
- Reduce ransomware blast radius by limiting SMB/admin-share exposure, enforcing least privilege, and reviewing privileged account use on Windows systems.
- Harden and monitor endpoint security tooling so attempts to disable, modify, or stop sensors and services generate response action.
- Segment critical file shares and business systems so discovery and lateral movement do not automatically expose crown-jewel data.
- Exercise incident response playbooks for rapid containment of Windows ransomware activity, including host isolation, credential containment, share access suspension, and recovery decision-making.
Analyst notes and limits
This take is based on the Diavol ATT&CK software object S0659 and its supplied relationships. ATT&CK lists Diavol as Windows malware, describes it as ransomware first observed in June 2021, and states it can prioritize file types for encryption using a preconfigured extension list. ATT&CK also states the Diavol RaaS program is managed by Wizard Spider and has been observed being deployed by Bazar. The strongest defensive value comes from mapping Diavol to related discovery, lateral movement, command-and-control, defense impairment, and impact behaviors.
ATT&CK does not provide official detection guidance for this object, and the object itself has no listed tactics. Local validation is required to determine whether telemetry exists, whether controls cover the relevant Windows behaviors, and whether alerts are tuned for the organization’s administrative baselines. The supplied fields do not support claims about current activity, customer exposure, guaranteed detection, or active exploitation in any specific environment.
Diavol
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1485 | Data Destruction | Diavol can delete specified files from a targeted system.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Diavol can collect the username from a compromised host.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | Diavol has encrypted files using an RSA key through the `CryptEncrypt` API and has appended filenames with ".lock64".[1] |
| Enterprise | T1489 | Service Stop | Diavol will terminate services using the Service Control Manager (SCM) API.[1] |
| Enterprise | T1083 | File and Directory Discovery | Diavol has a command to traverse the files and directories in a given path.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Diavol has used HTTP GET and POST requests for C2.[1] |
| Enterprise | T1057 | Process Discovery | Diavol has used `CreateToolhelp32Snapshot`, `Process32First`, and `Process32Next` API calls to enumerate the running processes in the system.[1] |
| Enterprise | T1135 | Network Share Discovery | Diavol has an `ENMDSKS` command to enumerate available network shares.[1] |
| Enterprise | T1685 | Disable or Modify Tools | Diavol can attempt to stop security software.[1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | Diavol can spread throughout a network via SMB prior to encryption.[1] |
| Enterprise | T1491.001 | Internal Defacement Sub-technique | After encryption, Diavol will capture the desktop background window, set the background color to black, and change the desktop wallpaper to a newly created bitmap image with the text "All your files are encrypted! For more information see README-FOR-DECRYPT.txt".[1] |
| Enterprise | T1027.003 | Steganography Sub-technique | Diavol has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Diavol can enumerate victims' local and external IPs when registering with C2.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Diavol has Base64 encoded the RSA public key used for encrypting files.[1] |
| Enterprise | T1018 | Remote System Discovery | Diavol can use the ARP table to find remote hosts to scan.[1] |
| Enterprise | T1106 | Native API | Diavol has used several API calls like `GetLogicalDriveStrings`, `SleepEx`, `SystemParametersInfoAPI`, `CryptEncrypt`, and others to execute parts of its attack.[1] |
| Enterprise | T1082 | System Information Discovery | Diavol can collect the computer name and OS version from the system.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.[1] |
| Enterprise | T1490 | Inhibit System Recovery | Diavol can delete shadow copies using the `IVssBackupComponents` COM object to call the `DeleteSnapshots` method.[1] |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | c4676cdc5e55… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Fortinet Diavol July 2021: Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
[2] FBI Flash Diavol January 2022: FBI. (2022, January 19). Indicators of Compromise Associated with Diavol. Retrieved November 17, 2024.
[3] DFIR Diavol Ransomware December 2021: DFIR Report. (2021, December 13). Diavol Ransomware. Retrieved March 9, 2022.
[4] Microsoft Ransomware as a Service: Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
[5] Diavol (Citation: Fortinet Diavol July 2021)
[6] mitre-attack S0659
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.