
DaVinci Ransomware

Posted: August 20, 2020

The DaVinci Ransomware is a file-locking Trojan that encrypts the contents of the user's hard drives to hold their media hostage. Although its ransom note, a screen-blocking pop-up, claims otherwise, the Trojan provides no genuine recovery service, which makes it functionally no different from a file-wiper Trojan. Users with active anti-malware products should be able to remove the DaVinci Ransomware automatically, but the data loss from an infection is only reversible with secured backups.

Not Quite a Genius after Your Files

The dilemma of whether to risk paying a ransom to get a hostage back safe and sound has a natural counterweight: the criminals doing the 'negotiating' tend to be deceptive. Campaigns like the DaVinci Ransomware's bet on making money by promising a service without any evidence and then going back on their word. While the DaVinci Ransomware closely resembles past Trojans with data-encrypting payloads, such as most Ransomware-as-a-Service families, it lacks the 'service' part.

The DaVinci Ransomware is a Windows program that includes various obfuscating features, such as a temporary 'hibernation' phase, that lower its detection rate against PC security products. The Trojan uses a standard encryption function to block files and may target media by format (such as DOC or JPG) or by location (such as the Windows Documents directory). Some sources also claim that it includes a data-wiping feature, although malware researchers currently can't confirm that attack's prerequisites or behavior.
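As an added illustration (not code from the original article or from any analysis of the Trojan itself), the following Python script shows how a responder can triage a directory for files that have been encrypted in place, which is the kind of format-targeted locking described above. For every file whose extension is in a target set (DOC and JPG among them), it compares the file header against the format's known magic bytes and measures the Shannon entropy of the first 4 KiB; a wrong header plus ciphertext-like entropy is reported as likely encrypted. The sample directory, the file names, and the assumption that the Trojan keeps the victim's original file extension are constructed for the demo.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Magic bytes for a few formats a file-locker commonly targets. A file whose
# extension is listed here but whose header does not match is suspect.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # legacy OLE2 container
    ".docx": (b"PK\x03\x04",),                         # OOXML is a ZIP archive
}

ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
SAMPLE_SIZE = 4096        # bytes read from the start of each file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(path: Path, head: bytes):
    """True/False when the extension is tracked, None when it is not."""
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return None
    return any(head.startswith(sig) for sig in sigs)


def classify_file(path: Path) -> str:
    """Return ok, header-mismatch, or likely-encrypted for one file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    matched = header_matches(path, head)
    if matched is False and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"      # wrong header and ciphertext-like bytes
    if matched is False:
        return "header-mismatch"       # wrong header but structured content
    return "ok"


def scan_for_locked_files(root: Path) -> dict:
    """Map relative path -> verdict for every tracked file under root."""
    return {
        str(p.relative_to(root)): classify_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in MAGIC
    }


def build_sample_dir() -> Path:
    """Constructed demo tree: two intact files, one mislabeled, one encrypted."""
    root = Path(tempfile.mkdtemp(prefix="davinci_demo_"))
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 2000)
    (root / "report.doc").write_bytes(MAGIC[".doc"][0] + b"\x00" * 2000)
    (root / "notes.doc").write_bytes(b"plain text saved with the wrong extension\n" * 40)
    rng = random.Random(1234)   # seeded so the demo is reproducible
    ciphertext = bytes(rng.getrandbits(8) for _ in range(SAMPLE_SIZE))
    (root / "photo_locked.jpg").write_bytes(ciphertext)   # stands in for a locked file
    return root


if __name__ == "__main__":
    for name, verdict in scan_for_locked_files(build_sample_dir()).items():
        print(f"{verdict:17} {name}")
```

The header check runs first on purpose: JPG, PNG and DOCX content is already compressed and scores near 8 bits per byte, so entropy alone would flag every intact photo. The entropy test only separates a mismatched header that still holds structured data (a misnamed text file, reported as header-mismatch) from one that holds ciphertext. If a locker renames files by appending its own extension, add that suffix to the target set, since the script keys on the extension it sees on disk.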

The Trojan also uses an old-fashioned 'screen-locker' style of ransom note: a borderless pop-up window that blocks the user's desktop by keeping focus. The message, in English with a prominent skull logo, asks for several hundred USD in Bitcoin in exchange for a decryption service that supposedly restores the victim's files, with somewhat unusual 'advertising' and negotiation channels that include both Instagram and YouTube. The crucial difference, however, is that the DaVinci Ransomware breaks with the usual conventions of Ransomware-as-a-Service and other Trojan businesses and doesn't deliver a working decryptor after receiving payment.

Without a recovery service, the DaVinci Ransomware is fundamentally little different from a file-wiping Trojan, since the only difference between encrypting data and deleting or corrupting it is the availability of a decryption routine.

Outsmarting a Renaissance Inventor

The DaVinci Ransomware's wallet has prior connections to the WannaCryptor Ransomware campaigns and a smaller threat named the Wikser Ransomware. With a current balance of almost four thousand USD, its threat actor is likely a long-term 'professional' at running file-locking Trojan campaigns, albeit one who never provides unlocking services. Malware experts strongly advise against paying in this case in particular and recommend non-local, secure backups for all Windows users' files of any value.

The DaVinci Ransomware terminates some Windows processes to maximize its access to media and blocks the Windows user interface as part of displaying its ransom note. To circumvent the latter, users can restart their PCs in Safe Mode or boot from a removable drive, such as an appropriately formatted USB stick. The infection methods of the DaVinci Ransomware's campaign remain under analysis but likely include e-mail attachment scams, torrents, or prominent browser threats like the RIG Exploit Kit.

Users can reduce their risk by following traditional security precautions like using strong passwords, turning off JavaScript, and installing patches. The anti-malware products of most trustworthy companies should delete the DaVinci Ransomware before it attacks and may also disinfect PCs safely.

With one payment to its wallet this year, the DaVinci Ransomware is just starting to collect on bad-faith promises. A word of honor from a scam artist has as little value as a permanently-encrypted file – that is, nothing.
