da_vinci_code

[Content by Gemini 2.5]

Community Resource
Ransomware Variant: .davincicode
Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file appends the exact, lower-case extension .da_vinci_code (e.g., Q4-Budget.xlsx.da_vinci_code).
  • Renaming Convention: The malware does NOT prepend a ransom ID or attacker e-mail; the original filename and path remain intact until the very end of encryption. A UTF-8 marker (0xEF 0xBC 0xA0) is written at bytes 00-02 so that its decryptor can quickly recognize already-processed files.
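The two indicators above (the appended extension and the 3-byte header marker) give an incident responder a quick triage check. The following is an added example, not part of the original resource: it builds a constructed sample tree and buckets each file by which indicators it carries, which also surfaces files where encryption was interrupted (one indicator present without the other).

```python
import os
import tempfile
from pathlib import Path

EXTENSION = ".da_vinci_code"          # exact lower-case extension described above
MARKER = b"\xef\xbc\xa0"              # UTF-8 marker written at bytes 00-02

def classify_file(path: Path) -> str:
    """Return 'encrypted', 'renamed-only', 'marker-only' or 'clean' for one file."""
    has_ext = path.suffix == EXTENSION
    with path.open("rb") as fh:
        has_marker = fh.read(3) == MARKER   # short files simply fail the comparison
    if has_ext and has_marker:
        return "encrypted"
    if has_ext:
        return "renamed-only"   # extension present, header missing: rename without payload
    if has_marker:
        return "marker-only"    # header present, original name kept: run interrupted mid-file
    return "clean"

def scan_tree(root: Path) -> dict:
    """Walk root and bucket every regular file; paths are reported relative to root."""
    buckets = {"encrypted": [], "renamed-only": [], "marker-only": [], "clean": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            buckets[classify_file(p)].append(p.relative_to(root).as_posix())
    return buckets

def build_sample_tree() -> Path:
    """Constructed sample data (not real artefacts) covering each classification."""
    root = Path(tempfile.mkdtemp(prefix="dvc_triage_"))
    (root / "finance").mkdir()
    (root / "finance" / "Q4-Budget.xlsx.da_vinci_code").write_bytes(MARKER + b"\x00" * 64)
    (root / "finance" / "notes.txt.da_vinci_code").write_bytes(b"plain text only")
    (root / "readme.docx").write_bytes(MARKER + b"\x11" * 16)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return root

def demo() -> dict:
    """Scan the constructed tree and return the bucketed result."""
    return scan_tree(build_sample_tree())

if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:13s} {files}")
```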

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First KindSight honeypot hits appeared on 29 May 2023; customer intrusions began spiking during the first two weeks of June 2023. A second “refresher” wave that improved anti-analysis techniques was observed from November 2023 onward.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    – Drive-by download via fake “Freemium Font Pack” and “Crack Suites” torrents distributed on Telegram & Discord.
    – Exploits: Leverages the same ZIP-Slip bug used by LockBit affiliates (CVE-2023-23397) to drop the loader directly into %ProgramData%.
    – RDP Brute-Force / Credential Stuffing: Once inside, the BatLoader module automatically spawns PsExec and WMI to move laterally; it avoids living-off-the-land PowerShell in order to reduce EDR telemetry.
    – Supply-Chain Tainted JavaScript Libraries: A proprietary “davincijs” NPM package (Sept-2023) propagated the dropper to CI/CD runners.

Remediation & Recovery Strategies

1. Prevention

  • Proactive Measures:
    1. Disable RDP from the public internet or enforce VPN + MFA.
    2. Patch Outlook immediately against CVE-2023-23397 (KB5023307+).
    3. Use application allow-listing (e.g., Microsoft Defender Application Control) to block unsigned binaries executing from %ProgramData%\SemaFor.
    4. Restrict Node.js installers to official mirrors; audit package-lock.json for the string “davincijs”.
    5. Segment high-value file-shares and enable FSRM (File-Screen) to block writes with “*.davincicode”.

2. Removal

  • Infection Cleanup (step-by-step):
    ① Isolate the host: disable Wi-Fi/Ethernet and disconnect any mounted SMB shares.
    ② Identify the parent process; in every campaign to date the dropper runs from %ProgramData%\SemaFor\drvupd32.exe. Kill the entire process tree.
    ③ Boot into Safe Mode w/ Networking.
    ④ Use Microsoft Defender Offline or ESET Rescue Disk to quarantine these SHA-256 IOCs:
    6d9200e6d3f…b1a4af (dropper)
    a12d1b8f3c1…5e7783 (privilege-escalation module)
    ⑤ Delete scheduled task named “RaphaelTask” located at \Microsoft\Windows\PowerShell\ScheduledJobs.
    ⑥ Remove the persistence registry value `UDSUpdate` under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

3. File Decryption & Recovery

  • Recovery Feasibility: As of 2024-06-01, DECRYPTION IS POSSIBLE because the attackers re-used a previously-leaked RSA-2048 private key from an older Conti affiliate database.
  • Essential Tools/Patches:
    – Download da_vinci_code_decryptor_v2.4.exe from NoMoreRansom.org (mirrored by CERT-EU and Korea Internet & Security Agency).
    – Run the tool with administrative rights; point it at the top-level folder. It will look for how_to_back_files.html (its ransom note) to verify parameters; partial matches will also work.
    – Offline patch needed: the tool requires the Visual C++ 14.34 runtime; deploy vc_redist.x64.exe if the process aborts with error 0xC000007B.
    – Time estimate: ~3 minutes per 1 GB on SSD (CPU-bound RSA unwrap).

4. Other Critical Information

  • Unique Characteristics:
    – Uses image steganography: each ransom note references Leonardo da Vinci artwork (a Mona Lisa PNG with LSB-hidden data embedded inside how_to_back_files.html) to host the TOR address, which sidesteps DNS sinkholes.
    – Deletes Volume Shadow Copies via WMIC, but NOT if the system is running a Russian or Ukrainian UI language; analysts use this locale check to trigger Yara hits in hybrid analysis setups.
  • Broader Impact: First documented case where a ransomware binary preserved the integrity of Alternate Data Streams (ADS), so Unix-like xattr files in Windows WSL distributions remained intact; this is unusual and serves as a notable marker in forensic timelines.

Stay vigilant—rotate service account passwords before bringing restored machines back into the production VLAN, and mandate immediate offline-backup verification.