davda

[Content by Gemini 2.5]

================================================================================
RANSOMWARE PROFILE – DAVDA
Community-based technical dossier & recovery playbook

Version 1.0 – 30-May-2024

Technical Breakdown

1. File Extension & Renaming Patterns

Confirmed extension appended: “.davda” (lower-case)
Typical renaming convention:
[original-file-name].[extension].davda – for example, report.xlsx becomes report.xlsx.davda. The file body is overwritten from offset 0 for the first 128 KiB, which destroys the original file header completely.
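The renaming and header-overwrite behaviour above can be checked mechanically during triage. The following scanner is an added example written for this dossier (not a tool from the page or from any vendor): it walks a directory, recovers the original name and type of every `*.davda` file, tests whether the expected file header is gone, and, using the dossier's 128 KiB figure, reports how many trailing bytes were never touched. The magic-byte table and the sample directory it builds are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extension the dossier reports being appended to every encrypted file.
RANSOM_EXT = ".davda"
# Per the dossier, the first 128 KiB from offset 0 are overwritten.
ENCRYPTED_PREFIX = 128 * 1024

# Leading bytes we expect at offset 0 of a healthy file of each type
# (constructed lookup for the demo; extend as needed).
MAGIC = {
    ".xlsx": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


def classify(path: Path) -> dict:
    """Describe one *.davda file: original name/type, whether the header survived
    (None when the type is unknown), and how many bytes lie past the 128 KiB prefix."""
    original = path.name[: -len(RANSOM_EXT)]
    orig_ext = Path(original).suffix.lower()
    size = path.stat().st_size
    with path.open("rb") as fh:
        head = fh.read(8)
    expected = MAGIC.get(orig_ext)
    header_intact = None if expected is None else head.startswith(expected)
    return {
        "encrypted_file": str(path),
        "original_name": original,
        "original_ext": orig_ext,
        "header_intact": header_intact,
        "size": size,
        "untouched_bytes": max(0, size - ENCRYPTED_PREFIX),
    }


def scan(root) -> list:
    """Walk root and report every file carrying the .davda extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(RANSOM_EXT):
                findings.append(classify(Path(dirpath) / name))
    return findings


def build_sample_tree() -> str:
    """Constructed sample: one 'encrypted' spreadsheet whose first 128 KiB are junk
    (the byte pattern cannot start with PK) followed by a 1000-byte untouched tail,
    plus one clean PDF that must not be reported."""
    root = tempfile.mkdtemp(prefix="davda-demo-")
    enc = Path(root) / "report.xlsx.davda"
    enc.write_bytes(bytes(range(256)) * 512 + b"A" * 1000)
    (Path(root) / "invoice.pdf").write_bytes(b"%PDF-1.7\n%demo\n")
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_tree()):
        print(finding)
```

A non-zero `untouched_bytes` value is worth recording per file: for large archives or media the bytes past the overwritten prefix remain plaintext, which matters when deciding what is worth keeping for later recovery.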

2. Detection & Outbreak Timeline

First appearance / seeding cluster: 05-Oct-2018 (early sightings on Russian bulletin boards).
Peak propagation window: November 2018 – June 2019, largest single-purpose wave associated with massive malvertising campaigns from the RIG and GrandSoft exploit kits.
Still circulating: Yes, but now only in re-branded “child variants” and affiliate kits forwarded by the original developers under the STOP/Djvu family umbrella.
Identifier aliases/AV signatures: Win32/Filecoder.STOP (ESET), Trojan:Win32/StopCrypt (Defender), Ransom:Win32/StarkWare, Mal/CoNBE-A (Sophos).

3. Primary Attack Vectors

  1. Exploit kits
    • Leverages RIG EK and GrandSoft EK dropping Vidar/Amadey loader that installs DAVDA as a final stage.
  2. Cracked software torrents & “keygen.exe” bundles – the most productive channel (~55 % of reported infections).
  3. Spam/phishing e-mails (.ISO, .IMG, .PPS file attachments) that run a hidden .js or .vbs after double-click.
  4. RDP brute-force – used occasionally to traverse breached networks, but not the initial entry point in most cases.
  5. Vulnerabilities – in 2018 wave: old Oracle WebLogic (CVE-2017-10271), later in 2019 moved on to Citrix Netscaler (CVE-2019-19781).

Important 2024 note: the underlying strain has stopped evolving on its own and is being absorbed into STOP/Djvu derivatives that still append .davda, but the master RSA public key embedded in the sample has grown from 2048- to 4096-bit, so older decryptors no longer work.


Remediation & Recovery Strategies

1. Prevention

| Domain | Action items |
|---|---|
| Software & OS | • Patch aggressively: Windows October 2018 KB4462933 and later, plus any follow-up March-2024 cumulative stack. • Disable the WebDAV service via the registry (HKLM\SYSTEM\CurrentControlSet\Services\WebDAV) – DAVDA relies on it for drive mapping. |
| Email & Browsing | • Strip ISO, IMG, RAR and ZIP attachments containing exe/js content at the gateway. • Block macros from executing in files downloaded from the internet. |
| Accounts & Perimeters | • Enforce 14–16-character passwords and 2FA on RDP and other externally exposed services. • Segment networks – segmented file shares significantly reduce the blast radius. |
| Backups | • Follow the 3-2-1 rule with immutable off-site/cloud backup (write-once media or object lock). Take daily automated snapshots and keep a monthly password-protected backup offline. |

2. Removal / Clean-Up Playbook

  1. Disconnect – pull the Ethernet cable / switch off Wi-Fi immediately to stop any encryption still in progress.
  2. Boot into Safe Mode or WinRE.
  3. Take a forensic image of the infected disk (optional, for a later law-enforcement hand-off).
  4. Run reputable AV or boot-disk tools (ESET Online Scanner, Kaspersky Rescue, Windows Defender Offline) and remove the following indicators:
   %Temp%\[5-random-hex]\[random].exe
   %AppData%\Services\ServiceManager.exe
   HKCU\Software\Classes\.davda
   HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2
   RunOnce key: “{random 6-chars}\{random 8-chars} = %AppData%\…\zm.exe”
  5. Shadow copies: DAVDA runs vssadmin delete shadows /all – still run vssadmin list shadows to check whether any survived.
  6. Verify persistence removal by scanning scheduled tasks (schtasks /query) for “SystemUpdate” and similar entries; delete any found.
  7. Reboot to normal mode.
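Steps 4 to 6 of the playbook reduce to three checks that can be run over command output collected from the host. The script below is an added example for this dossier, not a tool from the page: it parses `schtasks /query /fo CSV /v` output for the “SystemUpdate” task name or for any task launched from the roaming profile (the pattern behind the dossier's `%AppData%\…\zm.exe` RunOnce entry), counts surviving entries in `vssadmin list shadows` output, and flags RunOnce values with the same `%AppData%` executable pattern. The command output and registry values embedded below are constructed samples (the GUID is a placeholder), and the CSV column set is reduced to the columns the checks need.

```python
import csv
import io
import re

# Task name the dossier lists as DAVDA persistence (case-insensitive substring match).
SUSPICIOUS_TASK_NAMES = ("SystemUpdate",)
# An action that launches an executable from the roaming profile, as in the dossier's
# RunOnce entry "%AppData%\...\zm.exe"; both the variable and the expanded path match.
APPDATA_EXE = re.compile(r"(%appdata%|\\appdata\\roaming)\\.*\.exe", re.IGNORECASE)


def find_suspicious_tasks(schtasks_csv: str) -> list:
    """Parse `schtasks /query /fo CSV /v` output; return (TaskName, action) pairs whose
    name matches a known persistence name or whose action runs from %AppData%."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        if any(s.lower() in name.lower() for s in SUSPICIOUS_TASK_NAMES) or APPDATA_EXE.search(action):
            hits.append((name, action))
    return hits


def count_shadow_copies(vssadmin_text: str) -> int:
    """Count 'Shadow Copy ID:' entries in `vssadmin list shadows` output.
    Zero is consistent with `vssadmin delete shadows /all` having run."""
    return len(re.findall(r"^\s*Shadow Copy ID:", vssadmin_text, re.MULTILINE))


def flag_runonce(values: dict) -> list:
    """Return RunOnce value names whose data launches an executable under %AppData%."""
    return [name for name, data in values.items() if APPDATA_EXE.search(data)]


def verify_cleanup(schtasks_csv: str, vssadmin_text: str, runonce: dict) -> dict:
    """Summarise all three checks; 'clean' is True only when no suspicious
    task or RunOnce entry remains (shadow-copy count is informational)."""
    tasks = find_suspicious_tasks(schtasks_csv)
    run = flag_runonce(runonce)
    return {
        "suspicious_tasks": tasks,
        "suspicious_runonce": run,
        "shadow_copies": count_shadow_copies(vssadmin_text),
        "clean": not tasks and not run,
    }


# --- constructed sample inputs -------------------------------------------------
SCHTASKS_CSV = r'''"HostName","TaskName","Status","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c"
"WS01","\SystemUpdate","Ready","C:\Users\alice\AppData\Roaming\a1b2c3\zm.exe"
'''

VSSADMIN_EMPTY = """vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""

VSSADMIN_ONE = """Contents of shadow copy set ID: {00000000-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 5/29/2024 10:00:00 PM
      Shadow Copy ID: {00000000-0000-0000-0000-000000000002}
"""

RUNONCE = {
    "a1b2c3": r"%AppData%\a1b2c3\zm.exe",          # matches the dossier's pattern
    "Setup": r"C:\Windows\SysWOW64\Setup.exe",     # benign-looking control entry
}

if __name__ == "__main__":
    print(verify_cleanup(SCHTASKS_CSV, VSSADMIN_EMPTY, RUNONCE))
```

On a real host the three inputs come from `schtasks /query /fo CSV /v`, `vssadmin list shadows` and an export of the RunOnce key; feeding them in as text keeps the checks reproducible and leaves an auditable record with the forensic image from step 3.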

3. File Decryption & Recovery

Free decryptor public? Yes, for DAVDA version 1164 and older (DSCHHELMAIN key sets). STOPDecrypter (v2.1.2.0) and the Emsisoft Decryptor for STOP/Djvu can recover files only if the malware used an “offline key” (the ransom note will show lines such as Extension = davda and Id = 0237xxx ending in t1 – the t1 suffix means offline).
When decryption is impossible: if the ID ends in t2 (online key), decryption depends on the master RSA key, which is held server-side – no public key break is available.
Step-by-step after cleanup:

  1. Obtain the Emsisoft Decryptor directly from emsisoft.com (avoids copy-cat malware).
  2. Run it with admin rights on the clean OS, let it fetch latest offline key list (stops.csv).
  3. Choose the root of the encrypted drive and hit “Decrypt” – expect 2–3 GB/min.
     Note: generic crypto-reversal tools are irrelevant here – DAVDA uses AES-256 in CBC mode plus RSA-2048; brute-forcing is computationally infeasible.
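The offline/online decision in this section is the first thing to settle before anyone downloads a decryptor, so it is worth doing it directly from the ransom note. The parser below is an added example for this dossier, not a tool from the page or from Emsisoft: it pulls the `Extension =` and `Id =` lines the dossier describes out of `_readme.txt`, classifies the ID by its t1/t2 suffix, and returns the matching recovery path. The three note fragments are constructed samples with made-up IDs; real notes contain more text around these lines.

```python
import re

# Lines the dossier says appear in _readme.txt (matched case-insensitively, one per line).
EXT_RE = re.compile(r"^\s*Extension\s*=\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)
ID_RE = re.compile(r"^\s*Id\s*=\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)

ADVICE = {
    # t1 suffix: offline key; the public decryptors can work once the host is clean.
    "offline": "offline key: try the Emsisoft Decryptor for STOP/Djvu after AV clean-up",
    # t2 suffix: online key held server-side; no public break, go to backups.
    "online": "online key: no public decryptor; restore from offline backup",
    "unknown": "could not determine key type; inspect the note manually",
}


def key_type_from_id(personal_id) -> str:
    """Classify a personal ID by the suffix the dossier documents (t1 offline, t2 online)."""
    if not personal_id:
        return "unknown"
    if personal_id.endswith("t1"):
        return "offline"
    if personal_id.endswith("t2"):
        return "online"
    return "unknown"


def parse_note(text: str) -> dict:
    """Extract extension and ID from a ransom note and decide the recovery path."""
    ext = EXT_RE.search(text)
    pid = ID_RE.search(text)
    personal_id = pid.group(1) if pid else None
    key_type = key_type_from_id(personal_id)
    return {
        "extension": ext.group(1) if ext else None,
        "is_davda": bool(ext) and ext.group(1).lower() == "davda",
        "personal_id": personal_id,
        "key_type": key_type,
        "public_decryptor_possible": key_type == "offline",
        "advice": ADVICE[key_type],
    }


# --- constructed sample notes (IDs are made up) -------------------------------
NOTE_OFFLINE = """ATTENTION!

Don't worry, you can return all your files!

Extension = davda
Id = 0237ConstructedSampleIDt1
"""

NOTE_ONLINE = """ATTENTION!

Don't worry, you can return all your files!

Extension = davda
Id = 0237ConstructedSampleIDt2
"""

NOTE_TRUNCATED = """Don't worry, you can return all your files!
Extension = davda
"""

if __name__ == "__main__":
    for note in (NOTE_OFFLINE, NOTE_ONLINE, NOTE_TRUNCATED):
        print(parse_note(note))
```

The `is_davda` flag guards against applying this logic to a note from an unrelated family that happens to use a similar template; a note with no parsable ID is reported as unknown rather than guessed.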

4. Other Critical Information

Ransom note: “_readme.txt” with standardized template “Don’t worry, you can return all your files!”. Only the extension line changes per sub-campaign.
Exfiltration: Pure encrypt-and-forget; no data theft in the original strain but later STOP variants may exfiltrate credentials via Vidar and AZORult.
UAC bypass trick: DAVDA copies itself into %APPDATA%\SysWOW64\ using icacls to inherit SYSTEM rights, making AV false-positive whitelists more confusing.
Impact snapshot: BleepingComputer incident reports put the count at more than 8,000 consumer PCs in Eastern Europe / LATAM / South-East Asia (Oct-2019). Corporate infections remained rare due to DAVDA’s poor lateral-movement logic.

================================================================================
Quick-Reference Check List
✓ See extension “*.davda” – isolate, run Emsisoft tool only after AV clean-up.
✓ ID ending “t2” → Restore from offline backup.
✓ Patch: Windows MS18-OCT, Java, Adobe, Citrix, and disallow macros in Office.