Rewterz
February 21, 2022

Rewterz Threat Alert – Devil Ransomware – Active IOCs

Severity

High

Analysis Summary

Devil ransomware, a variant of the Phobos ransomware family, is quickly gaining momentum. It encrypts the victim's files and renames each one by appending the victim's ID, the attacker's contact email address and a ".devil" extension to the original filename. For example, a file named "1.jpg" becomes "1.jpg.id[1E857D00-2574].[decrypt4data@protonmail.com].devil", and so on.

After encryption the ransomware drops a ransom note containing instructions on how to contact the attackers and pay for the recovery of the files.

In this case it creates an "info.txt" file and displays a pop-up window (info.hta) with the same instructions.

Devil decrypt instructions (info.hta)

Cyber criminals often attempt to trick people into installing malware by sending emails that are disguised as important or official, but actually contain malicious attachments and/or web links that download malicious files. If opened, these files/attachments infect operating systems with malware.

Some examples of files that are attached to these emails are Microsoft Office and PDF documents, JavaScript files, executable files such as .exe, and archives in ZIP, RAR and other formats. Malicious software is also installed when people open files downloaded through untrustworthy sources. – Tomas Meskauskas

Impact

  • File Encryption
  • Data Exfiltration
  • Credential Theft
  • Financial Loss

Indicators of Compromise

Filename

  • devilransom[.]exe[.]devil
  • installsetupupdate[.]exe

MD5

  • b834c44a3e5298a3f23a1355409d2578
  • 6c5a3a112b3940c55f8653597b1b7152

SHA-256

  • a6ddcbca65d8fdd771f1d9e271a42e601fcebb5e6f6c49ec30113e930b2cd790
  • 471a338122025eb481779092de78653df6434715590d741c95e5138c87147488

SHA-1

  • ba9fc22891f7480c49ee9e4d9409f833fc9484d8
  • 3578eb4cf6c30d3bd779c5e3b1ddbf6a8a2ab3b5

Remediation

  • Block the listed hashes and filenames at the respective controls (endpoint protection, email gateway, web proxy).
  • Search your environment for the IOCs above, for files renamed with the ".id[...].[...].devil" pattern, and for the "info.txt" / "info.hta" ransom notes.
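The following script is an added example of how the renaming scheme described in the analysis summary and the IOC search recommended above can be automated; it is not a Rewterz tool and not part of the original alert. It parses the ".id[<victim ID>].[<attacker email>].devil" filename pattern, flags the "info.txt" / "info.hta" ransom notes, and compares file hashes and names against the IOCs listed in this alert. The assumption that victim IDs always have the "8 hex digits, hyphen, 4 hex digits" shape of the alert's example, the function names, and the sample file entries are all constructed for the example; directory walking is left to the caller so that the module runs offline.

```python
"""Hunt for Devil (Phobos-family) ransomware artefacts described in the alert.

Example code added for this alert, not a Rewterz tool. It checks the three
things the alert gives us: the file-renaming scheme, the ransom note names,
and the published hash/filename IOCs.
"""
import hashlib
import re

# Renaming scheme from the alert:
#   <original>.id[<victim id>].[<attacker e-mail>].devil
# e.g. 1.jpg.id[1E857D00-2574].[decrypt4data@protonmail.com].devil
# Assumption (not stated in the alert): victim IDs always look like the
# example, i.e. 8 hex digits, a hyphen, 4 hex digits.
DEVIL_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.devil$"
)

# Ransom note artefacts named in the alert.
RANSOM_NOTES = {"info.txt", "info.hta"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'foo[.]exe' back into 'foo.exe'."""
    return indicator.replace("[.]", ".")


# Filename and hash IOCs copied from the alert (hashes lower-cased).
IOC_FILENAMES = {refang(n) for n in ("devilransom[.]exe[.]devil", "installsetupupdate[.]exe")}
IOC_HASHES = {
    "md5": {"b834c44a3e5298a3f23a1355409d2578", "6c5a3a112b3940c55f8653597b1b7152"},
    "sha1": {"ba9fc22891f7480c49ee9e4d9409f833fc9484d8", "3578eb4cf6c30d3bd779c5e3b1ddbf6a8a2ab3b5"},
    "sha256": {
        "a6ddcbca65d8fdd771f1d9e271a42e601fcebb5e6f6c49ec30113e930b2cd790",
        "471a338122025eb481779092de78653df6434715590d741c95e5138c87147488",
    },
}


def parse_devil_name(filename: str):
    """Return the original name, victim ID and attacker e-mail, or None if not a Devil-renamed file."""
    m = DEVIL_NAME_RE.match(filename)
    if m is None:
        return None
    return {"original": m["original"], "victim_id": m["victim_id"].upper(), "email": m["email"].lower()}


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the data, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def match_ioc_hashes(data: bytes, iocs=IOC_HASHES) -> list:
    """Algorithms (sorted) for which the data's digest appears in the IOC set."""
    digests = hash_bytes(data)
    return sorted(algo for algo, values in iocs.items() if digests[algo] in values)


def classify(path: str, data: bytes = None, iocs=IOC_HASHES) -> list:
    """Findings for one file as (kind, detail) tuples; empty list when nothing is suspicious."""
    findings = []
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    parsed = parse_devil_name(base)
    if parsed:
        findings.append(("encrypted_file", parsed))
    if base.lower() in RANSOM_NOTES:
        findings.append(("ransom_note", base))
    if base.lower() in IOC_FILENAMES:
        findings.append(("ioc_filename", base))
    if data is not None:
        hits = match_ioc_hashes(data, iocs)
        if hits:
            findings.append(("ioc_hash", hits))
    return findings


def scan(entries, iocs=IOC_HASHES):
    """entries: iterable of (path, bytes-or-None). Returns ({path: findings} for hits only,
    set of victim IDs seen) so one infection spread over many files is summarised."""
    report, victim_ids = {}, set()
    for path, data in entries:
        findings = classify(path, data, iocs)
        if findings:
            report[path] = findings
            victim_ids.update(d["victim_id"] for kind, d in findings if kind == "encrypted_file")
    return report, victim_ids


# Constructed sample entries for demonstration; the byte contents are not real malware.
SAMPLE_ENTRIES = [
    ("C:/Users/alice/Pictures/1.jpg.id[1E857D00-2574].[decrypt4data@protonmail.com].devil", b"\x00" * 16),
    ("C:/Users/alice/Pictures/info.hta", b"<html>"),
    ("C:/Users/alice/Desktop/info.txt", b"all your files"),
    ("C:/Users/alice/Downloads/installsetupupdate.exe", b"MZ constructed"),
    ("C:/Users/alice/Documents/report.docx", b"PK..."),
]

if __name__ == "__main__":
    report, ids = scan(SAMPLE_ENTRIES)
    for path, findings in report.items():
        print(path, findings)
    print("victim IDs seen:", ids)
```

To run it against a real host, feed `scan()` an iterator over `os.walk()` that reads file contents lazily; hashing every file is expensive, so in practice hash only executables and files in the paths where the IOC filenames are expected, and rely on the name pattern and ransom notes for the bulk of the sweep.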