By GoldSparrow in Malware

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 27
First Seen: February 13, 2013
Last Seen: May 13, 2023
OS(es) Affected: Windows

DaVinci is a highly effective surveillance malware threat that was originally created for law enforcement officials to carry out surveillance on alleged criminal targets. DaVinci has been used to target political activists in the Middle East through a previously unknown exploit in Adobe Flash Player. In fact, the proliferation of DaVinci led Adobe to release an emergency Flash Player update to stop exploits that took advantage of two zero-day vulnerabilities in the latest version of Adobe Flash Player. The more important of these two vulnerabilities has been identified as CVE-2013-0633. These exploits were detected after monitoring an Italian surveillance company known as 'HackingTeam.'

HackingTeam is an Italian company with a worldwide presence. It develops RCS (Remote Control System), which is used to carry out computer surveillance activities. Its main customers are law enforcement agencies and government intelligence agencies. However, PC security researchers have been monitoring RCS (commonly known as DaVinci) since the summer of 2012. This is because DaVinci, while having legitimate uses, has powerful capabilities that can make it a dangerous tool in the hands of malware developers.

Features of DaVinci

DaVinci can be used to carry out several tasks, all of which are particularly easy to use and implement. Some of DaVinci's features include the following:

  • DaVinci can record instant messaging conversations carried over various instant messaging protocols, including Yahoo Messenger, Skype, MSN Messenger and Google Talk.
  • DaVinci can also be used to record audio conversations using VoIP programs like Skype.
  • ESG security researchers have observed that DaVinci can steal the victim's web browsing history and monitor all activities on the victim's web browser.
  • Using DaVinci, criminals can turn on the infected computer's microphone and camera, allowing them to record conversations and take video and pictures of their targets.
  • DaVinci also contains components commonly found in dangerous spy Trojans that allow DaVinci to steal passwords and important information stored in the infected computer's web browser.

The DaVinci Ransomware is similar to other ransomware threats in that it encrypts files on your computer's hard drive and holds the data to ransom. While the ransom note, which is a screen-blocking pop-up, claims that the trojan offers a recovery service, we found this claim to be untrue. The ransomware is barely more than a data-wiping trojan. Be sure to remove the virus if your antivirus program finds it. While removing the virus isn't enough to restore lost data, which can only be restored from a backup, it will help to prevent further damage.

The note reads:

Hello I’m DaVinci I have encrypted all your important files!
if you want to recover them follow the instructions
Subscribe me on youtube (DaVinci)
Follow me on instagram (dvsvmvk_x)
Send $300 in bitcoin to this adress: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
and contact us: Cobra_Locker2.0@protonmail.com

What Does DaVinci Ransomware Do?

DaVinci ransomware is a virus that targets the Windows operating system. It has several components, including features that help it avoid detection, such as a "hibernation" phase, where it "sleeps" in order to avoid detection by security programs. The trojan virus blocks files using standard encryption methods, targeting particular file formats, including documents, images, videos, and music files. It also targets specific file locations, including the Documents and Pictures folders. Some versions of the malware claim to include a data-wiping feature; security researchers have yet to confirm or deny that this feature exists.
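Because the encryption targets well-known document and media formats in predictable folders, a defender can check a folder for files whose name says "PDF" or "PNG" but whose bytes no longer carry that format's header and instead look like uniformly random ciphertext. The script below is an added example written for this article, not code from the article or from any vendor: the extension-to-signature table, the entropy threshold, the helper names (`classify`, `scan_directory`, `demo`) and the sample files it writes to a temporary folder are all constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Constructed table (assumption for this example): file types a DaVinci-style
# ransomware goes after, mapped to the leading bytes a genuine file carries.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".mp3": (b"ID3", b"\xff\xfb"),
}
# Bits per byte; plaintext documents sit far below this, ciphertext near 8.0.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(name: str, data: bytes) -> str:
    """Return 'ok', 'unknown-type', or a 'suspect: ...' reason for one file."""
    signatures = MAGIC.get(Path(name).suffix.lower())
    if signatures is None:
        return "unknown-type"
    header_ok = any(data.startswith(sig) for sig in signatures)
    if header_ok:
        # Compressed media (JPEG, MP3) is naturally high-entropy, so entropy
        # alone would false-positive; the intact header is what clears it.
        return "ok"
    entropy = shannon_entropy(data[:65536])
    if entropy >= ENTROPY_THRESHOLD:
        return f"suspect: header mismatch, entropy {entropy:.2f}"
    return "suspect: header mismatch"


def scan_directory(root: str) -> list[tuple[str, str]]:
    """Walk root and return (relative path, reason) for every suspect file."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                verdict = classify(fn, fh.read(65536))
            if verdict.startswith("suspect"):
                flagged.append((os.path.relpath(full, root), verdict))
    return sorted(flagged)


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample files: two intact, one "encrypted", one untracked type,
# one with a stray header (assumption: no real victim data involved).
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100,
    "photo.png": b"\x89PNG\r\n\x1a\n" + _pseudo_random(2000, b"png-body"),
    "thesis.docx": _pseudo_random(4096),
    "notes.txt": b"plain notes, not a tracked format\n" * 20,
    "song.mp3": b"this is not an mp3 at all\n" * 10,
}


def demo() -> list[tuple[str, str]]:
    """Write the samples to a temporary folder, scan it, return the suspects."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLE_FILES.items():
            Path(tmp, name).write_bytes(data)
        return scan_directory(tmp)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it against a real Documents or Pictures folder by calling `scan_directory("C:/Users/<name>/Documents")` instead of `demo()`; a burst of header-mismatch, high-entropy hits across many document types is the signature of files that have been overwritten with ciphertext, while a single mismatch is more often a misnamed file.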

The DaVinci ransomware uses a more old-fashioned screen-locker style of ransom note rather than the text file used by modern programs. The virus generates a pop-up window that prevents users from doing anything on their computer.

The message is written in English and asks victims to send several hundred dollars to the attacker in the form of bitcoin. The ransom "pays" for a decryption service to restore the locked data. One strange thing about the ransomware is that it tells victims to contact the attacker through unconventional channels, including YouTube and Instagram.

Should Victims Pay the Ransom?

There is one thing that should always be considered when someone has to pay a ransom, whether it is for a person or for data: the possibility that the criminal will go back on their word and not release the hostage. There is no question that victims will not get the decryptor they pay for with this ransomware.

The people behind DaVinci make their money by betting that people will make the payment without a second thought. Once the payment has gone through, the attacker moves on to the next victim without offering any assistance or restoring the locked data. It's almost ironic to refer to this kind of virus as "ransomware-as-a-service," given that there is no service involved at all.

Because there is no way for the data to be decrypted, DaVinci ransomware is no different from your average data-wiping trojan. The availability of a decryption routine is what separates encrypted data from corrupted or deleted data. Encrypted data that can't be recovered is just as useless.

Outsmarting DaVinci

The bitcoin address associated with DaVinci has been connected to smaller WannaCryptor campaigns. With the account currently holding around $4,000, the holder of the account has likely been running these kinds of campaigns for a long time now, all without ever offering an unlocking service. Experts recommend against paying the ransom in all cases of ransomware, but especially with one like this, where there is absolutely no decryption available.

With the address having received only one payment this year, it's unlikely anyone is falling for the lies anymore. There is little value in the word of a scammer.

DaVinci ransomware stops some Windows processes to help hide what it is doing, and it can prevent the Windows user interface from working properly, as shown by the way it displays its ransom note. Users can get around the screen locker by restarting their computer in Safe Mode or by booting from a USB drive or DVD.

How to Protect Against Ransomware Attacks

One of the most important things you can do to protect against malicious programs is to avoid downloading and installing software through unofficial websites and installers, third-party downloaders, and peer-to-peer networks such as torrent sites. You should always use official channels to get your software and avoid using pirated software. Pirated software is packaged with "cracks" that activate it, and more often than not these tools install malware instead of, or along with, activating the software. Programs and operating systems should be updated whenever possible, but make sure these updates come from official channels.

Attacks Involving DaVinci

There have been attacks involving DaVinci on more than fifty separate occasions around the world. The most recent attacks involving DaVinci used the Flash vulnerability mentioned above to target political activists in a Middle Eastern country. It is still unclear whether HackingTeam sold the zero-day exploit to the parties carrying out these attacks or whether those parties acquired the zero-day exploit that allowed them to install DaVinci from a different source.
