dviide

[Content by Gemini 2.5]

DVIIDE Ransomware Intelligence Report

Community-use only – last updated 2024-06-XX


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: “.dviide” (lower-case, six letters).
  • Renaming Convention:
    – Appends “.dviide” as a second extension, e.g. Project_Q2.xlsx.dviide
    – Leaves the original filename intact; no e-mail or victim-ID string is inserted.
    – Files in network shares and removable drives are renamed in alphabetical order, helping the operator prioritise high-value folders first.

2. Detection & Outbreak Timeline

  • First public submission: 2023-11-17 (MalwareBazaar hash 4a9b…, USA healthcare MSP).
  • Wider surge observed: December-2023 → January-2024, hitting manufacturing and legal verticals in EU/NA.
  • Still active as of June-2024; minor builds (.001 → .004) show slight config changes but same master RSA key.

3. Primary Attack Vectors

  1. RDP-brute / compromised creds
    – Port 3389 exposed to Internet, dictionary attacks using “Plink+RDPWrapper” toolset.
  2. Phishing with ISO → LNK shortcut
    – An initial DocuSign-themed lure drops Contract.iso; the LNK executes PowerShell to fetch update.ps1.
  3. Living-off-the-land after access
    – Uses WMI, PsExec, and netscan.exe (bundled) to move laterally.
    – Disables Windows Defender via Set-MpPreference immediately before payload launch.
  4. No current evidence of worm-like exploit (EternalBlue, BlueKeep, Log4j); infection is human-operated.

Remediation & Recovery Strategies

1. Prevention (order of priority)

  • Block/restrict RDP at perimeter; enforce 2FA/VPN gateway, 24-h auto-lockout policy.
  • Apply “DisableCyptoExtensions” GPO to stop user-space ransomware from calling CryptGenKey (Win10/11 22H2+).
  • Keep 3-2-1 offline backups; include cloud snapshots with IMMUTABILITY flag (e.g., AWS S3 Object-Lock, Azure immutable blob).
  • Application whitelisting (WDAC/AppLocker) – deny %TEMP%\*.exe, %APPDATA%\<random>\<random>.exe.
  • E-mail gateway: strip ISO, IMG, VHD, LNK, HTA attachments for non-IT staff.
  • Local accounts: retire “admin:admin”, “user:123456”; enforce 14-char+ passphrase policy.
  • Patch OS & 3rd-party apps monthly; prioritise any CVEs with “remote code execution” tag.
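
The following is an added example, not part of the original report: a read-only audit of the prevention items above for a single Windows 10/11 host. It reads the RDP and NLA settings, the local lockout and password policy, the state of the Defender ASR rule ID quoted under Essential Tools below, and whether the KB listed there is installed. It changes nothing. Assumptions: the report's "24-h auto-lockout" is read as a finite lockout threshold with a duration of at least 1440 minutes, the "14-char+ passphrase" as MinimumPasswordLength >= 14, and `net accounts` output is in English.

```powershell
# Added example (not the report's own tooling): read-only prevention audit.
# Run in an elevated PowerShell session on the host you want to check.

function Get-RdpExposureStatus {
    # fDenyTSConnections=1 means Remote Desktop is off; UserAuthentication=1 means NLA is required
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $fwOn = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
              Where-Object { $_.Enabled -eq 'True' }).Count
    $listening = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue).Count -gt 0
    [pscustomobject]@{
        RdpDisabled        = ($deny -eq 1)
        NlaRequired        = ($nla -eq 1)
        RdpFirewallRulesOn = $fwOn
        Port3389Listening  = $listening
    }
}

function Get-AccountPolicyStatus {
    # `net accounts` is the built-in way to read the local lockout/password policy.
    # Assumption: English labels in its output.
    $lines = net accounts
    $read = { param($label)
        $line = ($lines | Select-String -Pattern $label -SimpleMatch | Select-Object -First 1).Line
        "$line".Substring("$line".IndexOf(':') + 1).Trim()
    }
    $threshold = & $read 'Lockout threshold'
    $duration  = & $read 'Lockout duration (minutes)'
    $minLen    = & $read 'Minimum password length'
    [pscustomobject]@{
        LockoutThreshold   = $threshold
        LockoutDurationMin = $duration
        MinPasswordLength  = $minLen
        Lockout24hMet      = ($threshold -ne 'Never' -and $threshold -ne '' -and [int]"0$duration" -ge 1440)
        Passphrase14Met    = ([int]"0$minLen" -ge 14)
    }
}

function Get-AsrRuleState {
    # Rule ID defaults to the one quoted under Essential Tools in this report.
    param([string]$RuleId = '01443614-dfe6-42d6-a25c-2336d0c5e398')
    # Defender ASR action codes: 0=Off, 1=Block, 2=Audit, 6=Warn
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) { return $acts[$i] }
    }
    return 'NotConfigured'
}

function Test-HotFixInstalled {
    # Defaults to the update this report lists under Essential Tools / Patches
    param([string]$Id = 'KB5034441')
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

Get-RdpExposureStatus
Get-AccountPolicyStatus
"ASR rule state: $(Get-AsrRuleState)"
"KB5034441 present: $(Test-HotFixInstalled)"
```

A result of RdpDisabled=False with Port3389Listening=True and NlaRequired=False is the exposed configuration the report's first attack vector relies on; the lockout and passphrase checks map to the last two bullets above. The audit is per host; for fleet-wide checks the same functions can be wrapped in Invoke-Command.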

2. Removal / Incident Containment Checklist

  1. Disconnect NIC/Wi-Fi but leave host powered on (memory forensics).
  2. Isolate from DC/SMB shares; disable compromised AD account.
  3. Collect artefacts:
    – %ProgramData%\readme.txt (ransom note)
    – %APPDATA%\Local\winsvcld.exe (main payload)
    – HKCU\Software\Dviide (config reg-key)
  4. Boot from external media → run Windows Defender Offline or Kaspersky Rescue Disk; quarantine winsvcld.exe & scheduled task WinSvcLogon.
  5. Inspect WMI Event Subscription (ROOT\subscription: __EventFilter name DviideFilt) – remove if present.
  6. Bring host back onto a clean VLAN, deploy fresh AV signature, full scan + Sysinternals Autoruns to verify persistence gone.
  7. Only after full containment, begin rebuild or re-image (do NOT decrypt on an infected live system).
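
As an added example (not the report's own tooling), the following read-only sweep checks for the artefacts named in the checklist above: the step 3 files and config key, the step 4 scheduled task, the step 5 WMI subscription, plus evidence of the Defender tampering described under Primary Attack Vectors. It reports and does not delete; removal stays a manual step, as the checklist says. Assumption: the report's "%APPDATA%\Local" path is checked literally and also under %LOCALAPPDATA%, where a "Local" profile folder normally lives.

```powershell
# Added example (not from the report): artefact triage for the containment checklist.
# Run elevated on the isolated host, in the context of the affected user for HKCU.

function Find-DviideArtefacts {
    $findings = New-Object 'System.Collections.Generic.List[object]'
    $note = { param($Type, $Location, $Found, $Detail)
        $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Found = $Found; Detail = $Detail }) }

    # Step 3: ransom note and payload (literal report path plus the LOCALAPPDATA assumption)
    foreach ($p in @((Join-Path $env:ProgramData 'readme.txt'),
                     (Join-Path $env:APPDATA 'Local\winsvcld.exe'),
                     (Join-Path $env:LOCALAPPDATA 'winsvcld.exe'))) {
        $hit = Test-Path -LiteralPath $p -PathType Leaf
        $detail = ''
        if ($hit) {
            $f = Get-Item -LiteralPath $p
            $detail = "$($f.Length) bytes, modified $($f.LastWriteTimeUtc.ToString('u')), SHA-256 $((Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash)"
        }
        & $note 'File' $p $hit $detail
    }

    # Step 3: config key
    $key = 'HKCU:\Software\Dviide'
    $hit = Test-Path -LiteralPath $key
    $detail = if ($hit) { ((Get-ItemProperty -LiteralPath $key).PSObject.Properties |
                           Where-Object { $_.Name -notlike 'PS*' } |
                           ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } else { '' }
    & $note 'Registry' $key $hit $detail

    # Step 4: persistence task
    $task = Get-ScheduledTask -TaskName 'WinSvcLogon' -ErrorAction SilentlyContinue
    $detail = if ($task) { ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; ' } else { '' }
    & $note 'ScheduledTask' 'WinSvcLogon' ([bool]$task) $detail

    # Step 5: WMI event subscription. The filter alone is inert; a
    # __FilterToConsumerBinding is what makes it fire, so report both.
    $filter = Get-CimInstance -Namespace 'ROOT\subscription' -ClassName __EventFilter -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -eq 'DviideFilt' }
    & $note 'WmiEventFilter' 'ROOT\subscription:__EventFilter=DviideFilt' ([bool]$filter) "$($filter.Query)"
    $binding = Get-CimInstance -Namespace 'ROOT\subscription' -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
               Where-Object { "$($_.Filter)" -match 'DviideFilt' -or $_.Filter.Name -eq 'DviideFilt' }
    & $note 'WmiBinding' 'ROOT\subscription:__FilterToConsumerBinding' ([bool]$binding) "$($binding.Consumer)"

    # Attack vector 3: Defender switched off before launch. Event 5001 in the
    # Defender Operational log records real-time protection being disabled.
    $rtOff = (Get-MpPreference -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001 } -MaxEvents 5 -ErrorAction SilentlyContinue
    $when = if ($ev) { ($ev | ForEach-Object { $_.TimeCreated.ToString('u') }) -join ', ' } else { 'none' }
    & $note 'DefenderTamper' 'RealtimeMonitoring' ([bool]$rtOff -or [bool]$ev) "RealTime disabled now: $([bool]$rtOff); event 5001 at: $when"

    return $findings
}

Find-DviideArtefacts | Format-Table -AutoSize -Wrap
```

Capture the output (and the file hashes it prints) before step 4 quarantines anything, so the record of what was present survives the clean-up. A present WmiBinding row with an absent WmiEventFilter row, or the reverse, is still worth removing: either half on its own indicates the subscription was there.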

3. File Decryption & Recovery

  • Status: NO free decryptor at this time. Dviide employs:
    – Salsa20 for file symmetric encryption, key encrypted by hard-coded RSA-2048 public key; private key never leaves operator.
  • Possible routes to recover data:
    – Paying the ransom (~0.11 BTC, Feb-2024) sometimes works (50-60 % anecdotal), but violates OFAC rules and encourages crime.
    – Brute-forcing Salsa20 key is computationally infeasible.
    – Best bet: restore from OFFLINE backup or Volume-Shadow copies IF the malware failed to delete them.
    – Try ShadowExplorer / wbadmin before reinstalling OS; new variants wipe \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*, but early builds (.001) omitted this.
  • Essential Tools / Patches:
    – Windows 10/11: KB5034441 (Jan-2024) – hardens RDP to mitigate initial vector.
    – “ELAM” & “ASR rules” in Microsoft Defender for Endpoint: Block credential stealing (Rule ID 01443614-dfe6-42d6-a25c-2336d0c5e398).
    – CrowdStrike Ransomware Index, SentinelOne 23.3.X both detect with behaviour engine (IOCs: winsvcld.exe, entropy > 7.2, mass rename api).
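
The following is an added example, not from the report, for the recovery step: it inventories encrypted files by the "<name>.<original extension>.dviide" pattern from section 1, confirms each with the "entropy > 7.2" heuristic listed among the IOCs above, and lists any VSS snapshots that survived, so the shadow-copy route is checked before an OS reinstall. It is read-only: nothing is decrypted, renamed or deleted. The demo files it creates at the end are constructed locally and are not ransomware output; the entropy helper and the 64 KB sample size are this example's own choices.

```powershell
# Added example (not the report's own tooling): recovery triage after containment.

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    # Bits of entropy per byte, 0..8; properly encrypted data sits close to 8.
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $n = [double]$Bytes.Length
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $n; $h -= $p * [Math]::Log($p, 2) }
    }
    return [Math]::Round($h, 3)
}

function Get-DviideEncryptedFiles {
    param([string]$Root, [int]$SampleBytes = 65536, [double]$Threshold = 7.2)
    # Only the first $SampleBytes of each file are read; that is enough for the heuristic
    # and keeps the scan cheap on large shares.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.dviide' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $orig = $_.Name.Substring(0, $_.Name.Length - '.dviide'.Length)   # strip the appended second extension
        $buf  = New-Object byte[] ([int][Math]::Min($SampleBytes, $_.Length))
        $read = 0
        if ($buf.Length -gt 0) {
            $fs = [System.IO.File]::OpenRead($_.FullName)
            try { $read = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
        }
        $ent = if ($read -gt 0) { Get-ShannonEntropy -Bytes $buf[0..($read - 1)] } else { 0.0 }
        [pscustomobject]@{
            Path           = $_.FullName
            OriginalName   = $orig
            OriginalExt    = [System.IO.Path]::GetExtension($orig)
            SizeBytes      = $_.Length
            Entropy        = $ent
            LooksEncrypted = ($ent -gt $Threshold)
        }
      }
}

function Get-SurvivingShadowCopies {
    # Win32_ShadowCopy enumerates existing VSS snapshots. DeviceObject is the
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<n> path the report mentions;
    # an empty list on a host that had System Protection on matches the wipe in newer builds.
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
      Select-Object ID, VolumeName, InstallDate, DeviceObject
}

# --- offline demo with constructed files (not real malware output) ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) "dviide-demo-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path $demo | Out-Null
$rnd = New-Object byte[] 8192
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
[System.IO.File]::WriteAllBytes((Join-Path $demo 'Project_Q2.xlsx.dviide'), $rnd)          # random bytes: reads as encrypted
[System.IO.File]::WriteAllText((Join-Path $demo 'notes.txt.dviide'), ('lorem ipsum ' * 500))  # renamed but still plaintext: stays below 7.2
Get-DviideEncryptedFiles -Root $demo | Format-Table OriginalName, OriginalExt, Entropy, LooksEncrypted -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
Get-SurvivingShadowCopies | Format-Table -AutoSize
```

The second demo file is the edge case worth knowing: a file that carries the extension but was never encrypted (interrupted run, or renamed only) scores low and can be recovered by just removing the suffix, while the high-entropy rows are the ones that need the offline backup or a surviving shadow copy. Export the inventory (for example with Export-Csv) before re-imaging, since it is the list you restore against.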

4. Other Critical Information

  • Unique Characteristics:
    – Drops TWO ransom notes: readme.txt in every folder and replaces desktop wallpaper with 800×600 BMP titled “DVIIDEYOURFILES”.
    – Includes a data-theft module (filegrabber.dll) that exfiltrates ≤ 100 MB of files with extensions .pdf, .dwg, .bak, .mdf to Mega.nz before encryption (double-extortion). Victims who refuse to pay face leak site publication.
    – Timer GUI counts down 120 h; price doubles after deadline (standard pressure tactic).
  • Broader Impact:
    – Healthcare organisations suffered downtime of 4-10 days; HIPAA breach reports filed due to data theft.
    – Tied to “ExoRain” affiliate panel (same backend used by STOP/Djvu offshoots), suggesting a ransomware-as-a-service (RaaS) model. Law-enforcement attention is growing, but arrests remain pending.

Quick Reference IOCs (June-2024)

SHA-256:

  • 4a9b3c1e8f6d5a2c7e… (dropper)
  • a17e88f04bb6c9d2… (winsvcld.exe)

C2 (Torpaste):

  • hxxps://dviide.press/verify.php

Registry:

  • HKCU\Software\Dviide\id → victim GUID

Ransom note e-mail (varies):


Remember: vigilance > decryption. Segment, patch, backup offline, and prepare an incident-response playbook before the next wave.