DavesSmith Ransomware
At the end of October 2019, malware experts spotted yet another ransomware threat pestering users online. It is being dubbed the DaveSmith Ransomware. Data-locking Trojans tend to operate in a very similar manner to one another. They would usually infect a host, scan their files, encrypt the targeted data, and then demand a fee for a decryption key. The DaveSmith Ransomware is no different.
Propagation and Encryption
It has not yet been confirmed what propagation method are the authors of the DaveSmith Ransomware utilizing to spread their threatening creation. Ransomware threats are propagated via mass spam email campaigns most commonly. The emails would contain a message riddled with social engineering tricks and a corrupted attachment, which, once opened, will trigger the launching of the threat. Another popular infection vector for spreading data-encrypting Trojans is fake application updates. Regardless of how the DaveSmith Ransomware ends up on a host, it will not lose any time and will trigger a swift scan of the data present on the system immediately. This helps the DaveSmith Ransomware locate all files, which are of interest, meaning the data, which this file-locking Trojan will target for encryption. Next, the DaveSmith Ransomware will begin locking all the marked files. Usually, this would consist of all the data, which is located on one’s computer. When the DaveSmith Ransomware encrypts a file, it also appends a new extension to its filename. The extension, which the DaveSmith Ransomware adds to files is ‘.[daves.smith@aol.com].’ A file that was named ‘full-house.jpeg’ originally, will be renamed to ‘full-house.jpeg.[daves.smith@aol.com] when the encryption process of the DaveSmith Ransomware is completed.
The Ransom Note
In the next step of the attack, the DaveSmith Ransomware will drop a ransom note containing the message of the attackers. The note’s name is ‘RECOVERY FILE.txt,’ and it reads:
Hello!
If you see this message - this means your files are now encrypted and are in a non-working state!
Now only we can help you recover.
If you are ready to restore the work - send us an email to the address daves.smith@aol.com
In the letter, specify your personal identifier, which you will see below.
In the reply letter we will inform you the cost of decrypting your files.
Before payment you can send us 1 files for test decryption.
We will decrypt the files you requested and send you back.
This ensures that we own the key to recover your data.
The total file size should be no more than 2 MB,
the files should not contain valuable information (databases, backups, large Excel spreadsheets ...).
Email to contact us - daves.smith@aol.com
YOUR PERSONAL ID :
In the note, the attackers explain to the users that their files have been locked, and the victim will be unable to recover them unless they cooperate with the authors of the DaveSmith Ransomware. These people demand to be contacted via email at ‘daves.smith@aol.com’ and claim that if the user gets in touch with them, they will reveal the ransom fee. To prove to the victim that they are capable of decrypting the locked data, the attackers offer them to send one file, which will be unlocked free of charge. There are rules, however, as the file cannot contain any valuable information or be any larger than 2MB size-wise. The attackers also have included an ID that is uniquely generated for each victim.
Stay away from the authors of the DaveSmith Ransomware. People with such questionable morals rarely keep their promises, and even if you pay up, it is likely that the authors of this ransomware threat will leave you empty-handed. Instead, you should look into obtaining a genuine anti-virus software suite that will not only aid you in removing the DaveSmith Ransomware from your computer but also make sure you do not end up in such a complicated situation again.
