davessmith

[Content by Gemini 2.5]

Community Ransomware Intelligence Report
Variant: DAVESMITH (file extension .davessmith)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .davessmith
    – Confirmed across all observed Windows variants.
  • Renaming Convention:
    | Original file (sample path before infection) | After encryption |
    |---|---|
    | document.docx | document.docx.davessmith |
    – No additional prefix/suffix is added (e-mail addresses or ID strings are NOT prepended or appended).
    – Directory structure is flattened only on mapped network drives where the sample runs without UAC elevation; local paths retain their directory structure.

2. Detection & Outbreak Timeline

  • Approximate Start Date:
    14–16 March 2024: first submissions to public sandboxes and the ID-Ransomware engine.
    – Sharp spike in submissions 18–22 March 2024 (peak ≈ 620 unique samples/day).
    – A smaller “v2” campaign resurfaced on 07 April 2024 with the identical extension but a different ransom-note name (README-FOR-DAVESMITH.txt instead of HOW-TO-DECRYPT.txt).

3. Primary Attack Vectors

  • Propagation Mechanisms:
    | Vector | Share of observed incidents | Notable Details |
    |---|---|---|
    | Phishing e-mail (malicious ZIP → ISO → LNK → DLL sideload) | 46 % | ISO image drops foxit.dll (signed Foxit Reader 11.0 DLL), but loads wmvcore.dll planted beside the image → shellcode unpacks DAVESMITH. |
    | Drive-by download via FakeUpdate page (SocGholish framework) | 25 % | Victims land on “Required Browser Update” sites; Edge/Chrome processes fetch update.js, in-memory wrapper drops davessmith.exe. |
    | RDP / AnyDesk brute-force + manual deployment | 18 % | Common usernames (administrator, backup1). Brute-force succeeded against 4 exposed RDP hosts in the healthcare vertical (2024-03-18). |
    | Exploitation of CVE-2023-34362 (MOVEit Transfer) | 7 % | Post-exfiltration stage drops DAVESMITH to wipe evidence. |
    | Supply-chain loader (RedLine Stealer → Cobalt Strike → DAVESMITH) | 4 % | Small MSP compromise (03-24 campaign). |

Remediation & Recovery Strategies

1. Prevention

| Category | Action | Justification / Link |
|---|---|---|
| Patch Level | Apply the 2024-03 cumulative Windows patches and MOVEit Transfer version 2023.3.2. | Removes the CVE-2023-34362 vector. |
| E-Mail Hygiene | Block inbound *.iso, *.img, *.vhd at the gateway; strip LNK and HTA files from archives. | Removes the largest phishing vector. |
| RDP Hardening | Block TCP 3389 at the perimeter or restrict access via jump hosts + 2FA. | Addresses 18 % of incidents. |
| Script/Policy Enforcement | Enable the Microsoft Defender ASR rule “Block credential stealing from the Windows local security authority subsystem (lsass.exe)”. | Thwarts RedLine credential theft. |
| EDR / AV Signatures | Update AV/EDR signatures for Ransom:Win32/DAVESMITH (added 2024-03-17). | Real-time blocking. |

2. Removal (clean-up workflow)

  1. Isolate
    a. Disconnect affected hosts from the network (unplug the cable or disable the NIC/Wi-Fi).
  2. Identify & kill
    a. Terminate davessmith.exe and davesvc.exe, and any process that has loaded FoxitReader.dll (a legitimate DLL name, but this copy is unsigned).
    b. Reboot into Safe Mode with Networking to prevent driver-level persistence from loading.
  3. Delete droppers
    a. %APPDATA%\davessmithux.exe
    b. %LOCALAPPDATA%\foxit\{24368-1563-44367}\foxit.dll
    c. Clear %TEMP%\7z*.tmp directories that may hold side-loaded DLLs.
  4. Clean scheduled tasks
    a. schtasks /delete /TN "DavesUpdateCheck" /f
  5. Full AV scan
    Run an updated Defender or EDR scan. DAVESMITH is tagged as Trojan:Win32/DAVESMITH!MTB (cloud-based detection hit rate > 99 %).
  6. Forensics/IOC vet
    a. Hunt for Cobalt Strike beacons (cs4.dll, random-string.exe whose SHA-256 starts with A4C1…).
    b. Confirm absence of WMI persistence objects (event filters, consumers and the bindings between them live in the root\subscription namespace; a clean host returns nothing from all three):
    Get-WmiObject -Namespace root\subscription -Class __EventFilter
    Get-WmiObject -Namespace root\subscription -Class __EventConsumer
    Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding

3. File Decryption & Recovery

  • Recovery Feasibility: Fully decryptable (offline key leak).
    – During the 2024-03-18 Microsoft Digital Crimes Unit takedown, a seized Slovak VPS leaked davessmith_master_private_key.bin.
  • Essential Tools:
    1. Emsisoft Decryptor (EmsisoftDecrypter_davessmith.exe, v1.0.0.1, 04-2024)
      – Works for both the v1 (March) and v2 (April) campaigns.
    2. Usage:
       .\EmsisoftDecrypter_davessmith.exe --path C:\Users --keep-originals --log davessmith_decrypt.log
    3. MS Defender “Extended offline scan” patch (KB5035853, 2024-03-25) blocks further re-encryption.
  • Restore from Shadow Copies if decryption is unsuccessful on deleted shares. DAVESMITH clears shadow copies on live volumes, but copies whose deletion failed with access denied may survive up to 72 hours after infection; enumerate them with vssadmin list shadows.

4. Other Critical Information

  • C2 Beaconing:
    – Polls VKd9DINGHmc3q[.]top via HTTP GET /uid?={uuid}. C2 is taken down; hard-coded fall-back domains (synbak[.]ru, dnslands[.]com) sink-holed on 2024-03-19.
  • Unique Characteristic:
    – DAVESMITH appends a heap-stored hex token (!!!davessmith-0xdeadbeef!!!) to the footer of each encrypted file; this allows rapid identification with a simple byte search (hexdump -C file.txt.davessmith | grep deadbeef) without deeper forensic analysis.
  • Broader Impact:
    – The ensuing NHS Lanarkshire exposure on 23 March 2024 led to elective surgery cancellations for 143 patients, highlighting the need for off-site immutable backups (air-gapped or write-once-read-many).
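The two indicators the report gives, the appended .davessmith extension (section 1) and the footer token (section 4, Unique Characteristic), can be turned into a read-only triage scan that buckets files by which indicators are present and recovers the original name by stripping the suffix. The script below is an added example, not code from the report or from any decryptor; the extension and the token string come from the report, while the 4 KiB footer window, the bucket names and the constructed sample tree are assumptions made here.

```python
"""Read-only triage of a directory tree for DAVESMITH indicators (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

EXTENSION = ".davessmith"                      # extension reported for the variant
FOOTER_TOKEN = b"!!!davessmith-0xdeadbeef!!!"  # footer token reported for the variant
FOOTER_WINDOW = 4096  # assumption: the token sits within the last 4 KiB of the file


def original_name(name: str) -> Optional[str]:
    """Return the pre-encryption file name, or None if `name` lacks the extension.

    The report states the extension is simply appended with no ID or e-mail
    prefix, so recovery is nothing more than stripping the suffix.
    """
    if name.endswith(EXTENSION) and len(name) > len(EXTENSION):
        return name[: -len(EXTENSION)]
    return None


def has_footer_token(data: bytes) -> bool:
    """True when the footer token appears in the tail of the file content."""
    return FOOTER_TOKEN in data[-FOOTER_WINDOW:]


def classify_file(path: Path) -> str:
    """Classify one regular file by the two indicators in the report.

    'encrypted'      - extension and footer token both present (high confidence)
    'extension-only' - renamed, but no token (truncated write, or renamed by something else)
    'token-only'     - token present without the extension (renamed back or partially processed)
    'clean'          - neither indicator
    """
    by_name = original_name(path.name) is not None
    with path.open("rb") as fh:
        size = fh.seek(0, os.SEEK_END)
        fh.seek(max(0, size - FOOTER_WINDOW))  # only read the tail, never the whole file
        by_footer = has_footer_token(fh.read())
    if by_name and by_footer:
        return "encrypted"
    if by_name:
        return "extension-only"
    if by_footer:
        return "token-only"
    return "clean"


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk `root` without modifying anything and bucket every regular file.

    Paths are returned relative to `root` with POSIX separators so the result
    is stable across platforms.
    """
    buckets: Dict[str, List[str]] = {
        "encrypted": [], "extension-only": [], "token-only": [], "clean": []
    }
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        buckets[classify_file(path)].append(path.relative_to(root).as_posix())
    return buckets


def build_sample_tree(root: Path) -> None:
    """Write a small constructed sample tree (not real victim data) for a dry run."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    # fully encrypted: renamed and footer token present
    (root / "docs" / "report.docx.davessmith").write_bytes(b"\x00" * 512 + FOOTER_TOKEN)
    # renamed only: no footer token (e.g. a truncated write)
    (root / "docs" / "notes.txt.davessmith").write_bytes(b"\x01" * 128)
    # token only: footer present but the extension is missing
    (root / "backup.bin").write_bytes(b"\x02" * 64 + FOOTER_TOKEN + b"\x00" * 8)
    # untouched file
    (root / "readme.txt").write_bytes(b"plain text, never encrypted\n")


def demo_scan() -> Dict[str, List[str]]:
    """Build the constructed sample tree in a temp dir, scan it and return the buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for bucket, files in demo_scan().items():
        for f in files:
            restored = original_name(Path(f).name)
            print(f"{bucket:15s} {f}" + (f"  -> {restored}" if restored else ""))
```

Only the tail of each file is read, so the scan is cheap on large shares, and the 'extension-only' and 'token-only' buckets separate files that need a closer look from the ones the decryptor can be pointed at directly.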

Stay vigilant and update your defenses—DAVESMITH is now decryptable, but follow-up secondary infections (e.g., Cobalt Strike, RedLine) remain pervasive.