databankasi

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends “.databankasi” (exactly in lower case) to every encrypted file.
  • Renaming Convention: The malware keeps the original filename and all existing extensions, then concatenates the new suffix:
    annual_report_Q1_2025.xlsx.databankasi
    NTUSER.DAT.LOG1.databankasi

Older variants sometimes alternate between “.databankasi” and “.tesaban_khairan” according to the same rule set.
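As an added triage example (not code from the original write-up), the following Python flags files that follow the renaming convention above, including the older “.tesaban_khairan” suffix, and recovers the original filename for each so a responder can build a restore checklist. The directory listing is constructed sample data, not real victim paths.

```python
import ntpath
from collections import Counter

# Suffixes the write-up attributes to this family: ".databankasi" in current
# samples and ".tesaban_khairan" in some older variants. Matching is
# case-sensitive because the write-up states the suffix is appended in
# lower case exactly.
RANSOM_SUFFIXES = (".databankasi", ".tesaban_khairan")

# Constructed sample listing (not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\annual_report_Q1_2025.xlsx.databankasi",
    r"C:\Users\alice\NTUSER.DAT.LOG1.databankasi",
    r"C:\Users\bob\Pictures\holiday.jpg.tesaban_khairan",
    r"C:\Users\bob\Pictures\holiday.jpg",        # untouched file
    r"C:\Users\carol\notes.DATABANKASI",         # wrong case: not this pattern
]


def classify_path(path):
    """Return (original_name, suffix) when the basename ends with a known
    ransom suffix and still has an original name in front of it, else None.
    ntpath is used so Windows-style paths parse correctly on any host."""
    name = ntpath.basename(path)
    for suffix in RANSOM_SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            return name[:-len(suffix)], suffix
    return None


def triage(paths):
    """Summarise a listing: encrypted-file count per suffix, plus a map of
    encrypted path -> original filename for the decrypt/restore checklist."""
    per_suffix = Counter()
    originals = {}
    for p in paths:
        hit = classify_path(p)
        if hit:
            original, suffix = hit
            per_suffix[suffix] += 1
            originals[p] = original
    return per_suffix, originals


if __name__ == "__main__":
    counts, mapping = triage(SAMPLE_PATHS)
    for suffix, n in counts.items():
        print(f"{suffix}: {n} file(s)")
    for enc, orig in mapping.items():
        print(f"{enc} -> {orig}")
```

Point `triage` at a real `os.walk` listing of a suspect volume to get the same summary for an actual incident.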


2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First clusters appeared in late February 2024 on Turkish gaming and e-commerce forums. By April-May 2024 it began spreading through cracked-game torrents and RDP scans across Europe & South-East Asia.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Cracked-software economies – Introduced via packed executables masquerading as a “CODEX DLC/crack update,” which auto-install the payload on launch.
    • RDP & VNC brute-force – Targets exposed ports 3389/5900 with password spraying, then deploys the binary via a Golang “SupRemoRat” dropper.
    • Fake browser-update pop-ups on poisoned forums – Redirect to MSI installers that imitate Microsoft-signed packages and sideload the ransomware DLL.
    • SMBv1 lateral movement – Early samples attempt the classic “EternalBlue” exploit (MS17-010) only after privilege escalation; newer waves dropped this vector in favor of native WMI/PsExec.

Remediation & Recovery Strategies:

1. Prevention

  1. Patch aggressively: MS17-010, CVE-2018-8174, CVE-2023-34362 (MoveIt) and Windows Server RDGW June-2024 cumulative update.
  2. Disable SMBv1 (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  3. Harden accounts: unique passwords of 15+ characters; 30-day lockout after 5 bad logins on RDP.
  4. Application allow-listing: only Microsoft-signed binaries and digitally signed MSI/APKs.
  5. Phishing-resistant MFA for email, VPN and SaaS, so that stolen session cookies cannot be turned into VPN access.
  6. Offline backups on a 3-2-1 scheme: daily immutable backups to a Veeam Linux-based hardened repository or to an Azure immutable blob with a public-key write lock.
  7. Rotate cloud credentials every 90 days and auto-expire console API keys via policy.

2. Removal (step-by-step)

  1. Isolate immediately: pull the network cable / Wi-Fi; revoke any domain credentials used or cached on the box.
  2. Boot into Safe Mode with Networking (F8 / Shift+Restart).
  3. Stop persistence:
     reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v DatabankAssist
     reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Bank_CopySrv
  4. Kill running processes: databankclient.exe, wksprox.exe and any child powershell.exe.
  5. Delete binaries:
    • %APPDATA%\Microsoft\System32\databankclient.exe
    • %ProgramData%\ServiceHub\winupdates.exe
    • Remove the hidden scheduled tasks DataBankUpdate and BnkMaint.
  6. Run the Malwarebytes or ESET emergency kit in “offline-cleaner” mode to remove residual registry hooks.
  7. Reboot into the normal OS. Validate that no new entries appear by running @ListScheduledTasks.ps1 and Sysinternals Autoruns.

3. File Decryption & Recovery

  • Recovery Feasibility – Good news: Databankasi uses XOR-based pseudo-encryption (a single 2048-bit key per victim). A working decryptor was published on 7 June 2024 by CERT-mk (North Macedonia) in cooperation with Bitdefender.
  • Essential Tools/Patches:
    • bitdf-databank-decrypt-v1.3.zip (SHA-256: a14c36…0F4) – Portable console tool; requires the victim-specific IDKEY.txt produced by the original infection.
    • Patch Windows and third-party apps to close the original entry vectors (see the Prevention list).

4. Other Critical Information

  • Distinguishing Features:
    • Leaves a “@[email protected]” note in every root and Documents folder, written in Turkish and English. The note contains a real-time chat link that occasionally serves IP-restricted download links for an “Unlock Assistant,” which is usually flagged as an info-stealer.
    • Anti-analysis: loads shellcode from a process-hollowed dllhost.exe and bypasses Windows Defender AMSI via reflective patching.
  • Broader Impact:
    • Targeted small ISPs and hotel POS systems in the EU; local municipalities in Albania recorded 140 affected hosts (April).
    • The campaign shows links (BTC wallet and English-grammar fingerprints) to a previously defunct “Prometheus” (2021) affiliate, suggesting reuse of affiliate tooling and cold-storage wallets. Law-enforcement seizure of a primary wallet on 2024-06-12 halted the payment pages on the databankasi[.]xyz panel, indirectly prompting CERT-mk to release the decryptor.

Stay current: check the CERT-mk GitHub releases or the Bitdefender decryptor blog every 48 hours, since the tool receives updates for any tweaked key-generation logic.