Ransomware | 06/10/2019

Davda ransomware – The new threat in the digital world

About: After the successful file encryption, Davda ransomware creates a private decryption key on the remote server. Hence, to get the key for corrupted documents, victim is forced to pay the ransom.

| Ransomware | Davda ransomware – The new threat in the digital world

Guide to remove Davda Ransomware

The DJVU ransomware is making its presence felt since December 2018. Encrypting files from thousands of Windows OS, the DJVU family is back with this new strain – Davda Ransomware.

ransomware-attacks

Once, this ransomware attack the system, it immediately looks for the targeted files. The files which are targeted are commonly found on most Computers these days. It includes audio – video files, images, document files and what not!

Hence, following are a few extensions, which are targeted by Davda Ransomware virus: .docx, .pdf, .html, .txt, .jpeg, .png, .gif, .mp3, .mpeg, .mpg.

After corrupting the targeted files, a ransom demanding message is generated in ‘readme.txt’ file.

As a result, the victim is forced to pay the money, in order to restore the files.

davda rasnowmare

 

Threat Summary

Name Davda
Type Ransomware
Category Malware
Targeted OS Windows
Targeted Browser Google Chrome, Internet Explorer

 

Understanding Davda Ransomware

After successful infiltration, Davda ransomware scans every inch of your system to find the targeted files. This ransomware encrypts the files and appends a unique extension to them. Davda extension is attached to the encrypted files, which makes them unusable. The ransomwares of DJVU family delivers the same ransom note after the file encryption and Davda is no exception.

At the same time, an additional file, named “readme.txt” is generated in every folder containing the encrypted file. This text file contains the ransom demanding message.

Unfortunately, a unique decryption key is generated while encrypting the files. This key is created on the hacker’s server and large amount of ransom is demanded in its exchange.  Once the files are corrupted, restoring them manually is next to impossible task. Hence, the victim is bound to pay the asked ransom.

Hackers are smart now-a-days and know how to fiddle with the minds of their victims. As Bait, they allow users to send one encrypted file to them! To gain the trust, Hackers decrypt this sample encrypted file and send it back to the user! The moment user falls for the bait and makes the payment, he / she is often left ignored by these hackers!

As a smart user, you should avoid falling in such luring claims and instead search for a full-proof Davda ransomware removal method from your system.

 

Threat Behavior

RSA – 1024 encryption algorithm is used by Davda ransomware to encrypt the files. Once, the files are encrypted, the malicious ransomware appends ‘.davda’ extension to them. Here are the points describing the threat behavior of this latest ransomware:

  • Symptoms

Once the system has scanned all the files and encrypts them, it attaches a unique extension to them. The changed extension makes the corrupted files inaccessible. In addition, this malicious ransomware displays a ransom demanding note every time you try to access the corrupted files.

  • Ransom Note

After the file encryption, an additional text file is generated in every folder. This file contains the ransom demanding message and helps the victim on how to get the decryption key.

This is the message that Davda ransomware display:

Ransom Note

  • Ransom Amount

Cyber criminals, ask for large amount of ransom, in order to provide the decryption key. The victim has to pay $980 to restore the data. A 50% discount is offered to the victims who contact the hackers within 72 hours of encryptions. In that case, victim has to pay $490. Keep in mind, the ransom is accepted in the form of Bitcoins.

  • Contact Details

The hacker’s contact details are provided if you have any query regarding the transaction. At the bottom of the ransom note, you will find the e-mail addresses to contact the hacker. In case of Davda ransomware infiltration, the contact e-mails are:

stoneland@firemail.cc

gorentos@bitmessage.ch

@datarestore (Telegram)

 

Distribution Techniques

The primary gateway of this ransomware is Spam E-Mails with infected attachments.

Forged header information is given to make them look legitimate. The ultimate aim of hackers is to extort money by tricking you. These e-mails inform you about the undelivered package or a shipment made by you. Out of curiosity, as soon as you open the attached PDF or Word Document, the Davda ransomware infiltrates your system.

This way the cyber criminals trick the innocent users like you.

Apart from the spam e-mails, Trojans are another way, these malicious applications infiltrates your system. Their intentions are to inject additional malicious software. Davda ransomware silently injects ‘AZORult Trojan’ in your system.

However, at times, this destructive ransomware exploits vulnerabilities in the windows Operating system. Exploit kits, malicious downloads/sites, torrent websites or nasty advertisements are a few gateways for this ransomware.

In the end, the major reasons for computer infiltrations are reckless behavior and poor knowledge.

If your system is infiltrated with this notorious ransomware, here are the steps to get rid of Davda Ransomware.

 

Removal steps of Davda ransomware

 

STEP A: Reboot system to safe mode

Windows 7/ Vista/ XP

  1. Click on Windows icon present in the lower left corner of the computer screen.
  2. Select and click  Restart.
  3. When the screen goes blank, Keep tapping  F8  Key until you see the Advanced Boot Options window.
  4. With the help of arrow keys on keyboard, Select Safe Mode with Networking  option from the list and press the Enter Key. The system will then restart to Safe Mode with Networking.

5 Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Networking. The system will then restart to Safe Mode with Networking.
  5. Click on the username and enter the password.

If the most basic step failed to remove the ransomware from your system, you can try the next step.

STEP B: Delete suspicious file in system Configuration settings

  1. Type “Msconfig” in search box / Run Box, select it and press Enter.
  2. Click on “Services” Tab and click on “Hide all Microsoft services”.
  3. Select Davda Ransomware from the list of remaining services and disable it by removing the tick mark from the checkbox and click on Apply button.

Windows 7

  1. Click on the next tab – “Startup”.
  2. Find any blank or suspicious entry or the entry with Davda ransomware mentioned and remove the check mark.
  3. Click on Apply button and then click on OK.

Windows 10

  1. Click on the next tab – “Startup”.
  2. Take the mouse cursor to ‘Open task Manager‘ link and click on it.  This opens the Task Manager window.
  3. Find any blank or suspicious entry or the entry with Davda rasnomware mentioned and click on it.
  4. Then click on Disable button.

If the configuration did not work, try deleting the suspicious file using Command Prompt.

STEP C: Delete the suspicious file using Command Prompt

Once the system starts, ensure to use an account with administrative privilege to access Safe Mode with Command Prompt.

After the user enters admin credentials, Command prompt window is displayed wherein you are entitled to enter the below commands:

  1. Type the command “sc delete Davda Rasnomware” in the command prompt and press Enter.
  2. Type “exit” to exit the command prompt and restart the system in safe mode with command prompt.

 

If the malicious file still remains in your system, you have to try the ultimate step.

STEP D: Restore system Files and Folders

Method 1 using Control Panel

  1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel window.
  3. In the Control Panel window, click on the ‘View by:’ button on the top right. Select the Large Icon option
  4. In the control Panel window click on the ‘Recovery Icon’. This will open a window that will ask ‘Restore the computer to an earlier point in time’.
  5. Click on the ‘Open system restore’ button. This will open the ‘system restore ’window where you need to click on the Next Button.
  6.  Select the restore point that is prior the infiltration of Davda rasnomware. After doing that, click Next.
  7. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Davda Rasnomware.

OR

Method 2 using Command Prompt

  1. Type cmd in the search box and click on the command prompt to open the Command Prompt window. box and clicking on it.
  2. Once the Command Prompt window shows up, enter cd restore and click Enter.(Ensure that you in the system32 directory of Windows folder in C Drive)
  3. Now type rstrui and press Enter again.
  4. When a new window shows up, click Next and select your restore point that is prior the infiltration of Davda Ransomware. After doing that, click Next.
  5. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Davda Ransomware.

 

OR

Method 3 : Directly type 'rstrui' in the search box

  1. Type ‘Rstrui’ in the search box present on the task bar. This will open the System restore dialog box.

Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.

Tips to remove Davda ransomware

  1. Keeping the Operating System Updated- In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling the automatic update on your system. The systems with outdated or older versions of Operating System become an easy target for the attackers.
  2. Resist clicking on spam emails – One of the major techniques used for malware distribution is forwarding spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
  3. Keep an eye on third party installations- It is quite important that you take due care while installing any third party applications for they are major source of such infections. Such malware programs come bundled with the free applications thereby requiring the user to remain cautious.
  4. Regular periodical backup- In order to keep your data and files safe, it is recommended to take regular back up of all your data and files either on an external drive or cloud.
  5. Use Anti-Virus Protection- We strongly recommend the use of antivirus protection/internet security in your PC like Vipre and Hitman so that it remains safe.
  6. Enable the Ad Blocker/Popup Blocker in your browser- Enabling the popup blocker/ ad blocker in your chosen browser will help you to stay protected from annoying adware.

Hits: 139

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Jaipur
Rajasthan 302033
Phone: +91 9799661866