S0659: Diavol

Diavol is a Windows ransomware family documented by ATT&CK as capable of prioritizing which file types to encrypt from an attacker-defined extension list. For leaders, the practical issue is not only encryption: the related ATT&CK relationships show a ransomware workflow that can include discovery of systems, users, files, processes, network shares, SMB/admin-share movement, tool transfer, defense impairment, service stopping, recovery inhibition, defacement, data destruction, and encryption for impact. That makes Diavol relevant to business continuity, backup recoverability, privileged access control, and SOC readiness for fast containment.

Executive priority

Treat this as a ransomware resilience validation case. Executives should ask whether Windows endpoint visibility, SMB/admin-share governance, backup and recovery controls, and incident response decision paths are tested against ransomware behaviors before encryption begins. Because ATT&CK notes Diavol as RaaS managed by Wizard Spider and observed being deployed by Bazar, threat intelligence and IR teams should also ensure reporting can connect malware observations to broader intrusion context without assuming attribution from a single alert.

Technical view

ATT&CK provides no official detection text for Diavol, so defenders should validate coverage around its related behaviors rather than rely on a Diavol-specific signature. On Windows, prioritize visibility for discovery activity, file and directory enumeration, user/process/system information checks, network and share discovery, SMB/Windows admin share access, suspicious inbound tool transfer, web-protocol command-and-control patterns, attempts to impair security tools, service stops, recovery inhibition, and high-volume file modification/encryption. Detection engineering should correlate pre-impact discovery and lateral movement with later impact behaviors to reduce alert fragmentation during ransomware response.

Likely telemetry

Windows endpoint process creation and command-line telemetry
File creation, rename, modification, and high-volume encryption-like activity on local drives and network shares
Windows service control events and security tool process/service health events
SMB/admin share access, authentication, and remote file operation logs
Network connection and proxy/DNS telemetry for web-protocol command-and-control or tool transfer patterns

Detection direction

Build behavior-based correlations across discovery, SMB/admin-share access, tool transfer, defense impairment, recovery inhibition, and encryption impact rather than depending only on malware names.
Tune ransomware detections for high-volume file changes and extension-focused encryption while accounting for legitimate administrative, backup, migration, and data-processing activity that can create similar volume patterns.
Validate that service-stop and security-tool tampering alerts are high-priority when they occur near discovery or suspicious file activity.
Confirm that network share and admin-share access is logged with user, host, target share, and authentication context; ransomware often becomes business-critical when shared data is affected.
Use the Wizard Spider and Bazar relationships as enrichment context for investigations, not as standalone attribution evidence.

Mitigation priorities

Prioritize tested, isolated, and recoverable backups, including validation that recovery mechanisms cannot be easily disabled from normal endpoint privileges.
Reduce ransomware blast radius by limiting SMB/admin-share exposure, enforcing least privilege, and reviewing privileged account use on Windows systems.
Harden and monitor endpoint security tooling so attempts to disable, modify, or stop sensors and services generate response action.
Segment critical file shares and business systems so discovery and lateral movement do not automatically expose crown-jewel data.
Exercise incident response playbooks for rapid containment of Windows ransomware activity, including host isolation, credential containment, share access suspension, and recovery decision-making.

Analyst notes and limits

This take is based on the Diavol ATT&CK software object S0659 and its supplied relationships. ATT&CK lists Diavol as Windows malware, describes it as ransomware first observed in June 2021, and states it can prioritize file types for encryption using a preconfigured extension list. ATT&CK also states the Diavol RaaS program is managed by Wizard Spider and has been observed being deployed by Bazar. The strongest defensive value comes from mapping Diavol to related discovery, lateral movement, command-and-control, defense impairment, and impact behaviors.

ATT&CK does not provide official detection guidance for this object, and the object itself has no listed tactics. Local validation is required to determine whether telemetry exists, whether controls cover the relevant Windows behaviors, and whether alerts are tuned for the organization’s administrative baselines. The supplied fields do not support claims about current activity, customer exposure, guaranteed detection, or active exploitation in any specific environment.

Official MITRE ATT&CK definition

Diavol

Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker. The Diavol Ransomware-as-a Service (RaaS) program is managed by Wizard Spider and it has been observed being deployed by Bazar.[1][2][3][4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 19 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1485	Data Destruction	Diavol can delete specified files from a targeted system.[1]
Enterprise	T1033	System Owner/User Discovery	Diavol can collect the username from a compromised host.[1]
Enterprise	T1486	Data Encrypted for Impact	Diavol has encrypted files using an RSA key though the `CryptEncrypt` API and has appended filenames with ".lock64". [1]
Enterprise	T1489	Service Stop	Diavol will terminate services using the Service Control Manager (SCM) API.[1]
Enterprise	T1083	File and Directory Discovery	Diavol has a command to traverse the files and directories in a given path.[1]
Enterprise	T1071.001	Web Protocols Sub-technique	Diavol has used HTTP GET and POST requests for C2.[1]
Enterprise	T1057	Process Discovery	Diavol has used `CreateToolhelp32Snapshot`, `Process32First`, and `Process32Next` API calls to enumerate the running processes in the system.[1]
Enterprise	T1135	Network Share Discovery	Diavol has a `ENMDSKS` command to enumerates available network shares.[1]
Enterprise	T1685	Disable or Modify Tools	Diavol can attempt to stop security software.[1]
Enterprise	T1021.002	SMB/Windows Admin Shares Sub-technique	Diavol can spread throughout a network via SMB prior to encryption.[1]
Enterprise	T1491.001	Internal Defacement Sub-technique	After encryption, Diavol will capture the desktop background window, set the background color to black, and change the desktop wallpaper to a newly created bitmap image with the text “All your files are encrypted! For more information see “README-FOR-DECRYPT.txt".[1]
Enterprise	T1027.003	Steganography Sub-technique	Diavol has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques.[1]
Enterprise	T1016	System Network Configuration Discovery	Diavol can enumerate victims' local and external IPs when registering with C2.[1]
Enterprise	T1027	Obfuscated Files or Information	Diavol has Base64 encoded the RSA public key used for encrypting files.[1]
Enterprise	T1018	Remote System Discovery	Diavol can use the ARP table to find remote hosts to scan.[1]
Enterprise	T1106	Native API	Diavol has used several API calls like `GetLogicalDriveStrings`, `SleepEx`, `SystemParametersInfoAPI`, `CryptEncrypt`, and others to execute parts of its attack.[1]
Enterprise	T1082	System Information Discovery	Diavol can collect the computer name and OS version from the system.[1]
Enterprise	T1105	Ingress Tool Transfer	Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.[1]
Enterprise	T1490	Inhibit System Recovery	Diavol can delete shadow copies using the `IVssBackupComponents` COM object to call the `DeleteSnapshots` method.[1]

Associated objects

Groups, software, and campaigns

G0102: Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Nov 12, 2021, 19:02 UTC (UTC+00:00)
Modified: Nov 17, 2024, 20:10 UTC (UTC+00:00)
Raw hash: c4676cdc5e553792...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	2.0	Nov 17, 2024, 20:10 UTC (UTC+00:00)	Current bundle	`c4676cdc5e55…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Fortinet Diavol July 2021

Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
Open source URL
[2]
FBI Flash Diavol January 2022

FBI. (2022, January 19). Indicators of Compromise Associated with Diavol. Retrieved November 17, 2024.
Open source URL
[3]
DFIR Diavol Ransomware December 2021

DFIR Report. (2021, December 13). Diavol Ransomware. Retrieved March 9, 2022.
Open source URL
[4]
Microsoft Ransomware as a Service

Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
Open source URL
[5]
Diavol

(Citation: Fortinet Diavol July 2021)
[6]
mitre-attack S0659
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams