[DVN ransomware]
[Virus/Malware Activity Report: DVN Ransomware]
Following an intrusion believed to involve the DVN ransomware, we have analysed the sample and summarise the findings and warning below.
DVN ransomware
The ransomware is called DVN and renames every file it encrypts by appending .devinn to the existing name and extension (<existing name>.<existing extension>.devinn).
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
Internal basic information
From the strings held in its internal variables it can be inferred that the sample runs under the name svchost.exe and that it carries an image file embedded as a Base64 value.
[Figure 3 Internal basic information]
Change ransomware execution location and name
Once executed, the ransomware copies itself to the AppData\Roaming folder and re-launches that copy with administrator privileges under the name svchost.exe. A genuine svchost.exe only runs from the Windows System32 (or SysWOW64) directory, so an svchost.exe running from a user profile is a reliable indicator.
[Figure 4 Ransomware execution location]
[Figure 5 Name change]
Register startup program
It creates a shortcut (.lnk) pointing to the running ransomware copy and places it in the Startup folder, so the ransomware is started again at every logon.
[Figure 6 Startup program registration]
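The two persistence traits described above (an svchost.exe running outside System32/SysWOW64 and a Startup-folder shortcut pointing into AppData) can be checked with a short triage script. This is an added example, not code from the report or from White Defender; the process snapshot and shortcut list below are constructed test data, and in practice you would feed it the output of a process listing and the resolved targets of the .lnk files in each user's Startup folder.

```python
"""Triage helpers for the DVN persistence pattern (added example).

Input is a list of process records and a list of resolved Startup-folder
shortcuts; both sample sets below are constructed, not taken from the report.
"""
from pathlib import PureWindowsPath

# Directories a genuine svchost.exe is expected to live in.
LEGIT_SVCHOST_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Per-user and all-users Startup folders both end with this path.
STARTUP_DIR_SUFFIX = r"\microsoft\windows\start menu\programs\startup"


def _norm(path: str) -> str:
    """Lower-case a Windows path so comparisons are case-insensitive."""
    return str(PureWindowsPath(path)).lower()


def suspicious_svchost(processes):
    """Return image paths of processes named svchost.exe that do not run
    from System32/SysWOW64 (the DVN masquerade)."""
    hits = []
    for proc in processes:
        if proc["name"].lower() != "svchost.exe":
            continue
        parent_dir = _norm(str(PureWindowsPath(proc["path"]).parent))
        if parent_dir not in LEGIT_SVCHOST_DIRS:
            hits.append(proc["path"])
    return hits


def suspicious_startup_links(links):
    """Return (lnk_path, target) for Startup-folder shortcuts whose target
    lives under a user profile's AppData, i.e. a user-writable location that
    no installer would normally use for an autostart entry."""
    hits = []
    for lnk in links:
        if STARTUP_DIR_SUFFIX not in _norm(lnk["lnk_path"]):
            continue
        if "\\appdata\\" in _norm(lnk["target"]):
            hits.append((lnk["lnk_path"], lnk["target"]))
    return hits


# Constructed sample data: one masquerading svchost.exe and one bad shortcut.
SAMPLE_PROCESSES = [
    {"pid": 804, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1320, "name": "svchost.exe", "path": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 4412, "name": "svchost.exe", "path": r"C:\Users\bob\AppData\Roaming\svchost.exe"},
    {"pid": 5100, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
]
SAMPLE_LINKS = [
    {"lnk_path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk",
     "target": r"C:\Users\bob\AppData\Roaming\svchost.exe"},
    {"lnk_path": r"C:\Users\bob\Desktop\Notepad++.lnk",
     "target": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"lnk_path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Agent.lnk",
     "target": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for path in suspicious_svchost(SAMPLE_PROCESSES):
        print("masquerading svchost.exe:", path)
    for lnk, target in suspicious_startup_links(SAMPLE_LINKS):
        print("startup shortcut into AppData:", lnk, "->", target)
```

Treat a hit from suspicious_startup_links as a lead rather than a verdict: some legitimate per-user applications also install under AppData\Local, so the combination with an out-of-place svchost.exe is what makes the DVN pattern distinctive.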
Select attack target
It first targets drives other than the C drive, and then moves on to the user libraries and shared folders.
[Figure 7 Selection of attack target]
[Figure 8 Selection of attack target 2]
Encryption method
Notably, it does not use a single routine: byte/string manipulation, AES, RSA and Base64 are each applied depending on the size of the file being processed.
[Figure 9 Encryption method]
[Figure 10 Specific extension where encryption is performed]
[Figure 11 Contents of infection txt stored internally]
Command to disable backup means
As is common in ransomware, it deletes the volume shadow copies and disables the Windows recovery features, and it additionally runs a command that deletes the backup catalog used by Windows Server Backup.
[Figure 12 Command to disable backup means]
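The recovery-inhibition step is the most detectable moment of the whole chain, because the commands are run as separate child processes and show up verbatim in process-creation logs (Sysmon event 1 or Security event 4688). The following is an added detection example, not code from the report; the command lines in SAMPLE_EVENTS are constructed examples of the typical shadow-copy, recovery and backup-catalog commands, not the exact strings shown in Figure 12.

```python
"""Detect recovery-inhibition commands in process-creation events (added example).

SAMPLE_EVENTS is constructed: it models one ransomware parent (pid 4412)
spawning the usual destructive commands, plus two benign admin commands.
"""
import re
from collections import defaultdict

# (label, regex over the full command line); case-insensitive.
RECOVERY_INHIBIT_RULES = [
    ("shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow storage shrink to evict copies (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("shadow copy deletion (wmic)",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery environment disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot failure handling disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup catalog deletion (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]


def match_recovery_inhibition(cmdline):
    """Return the labels of every rule the command line triggers."""
    return [label for label, rx in RECOVERY_INHIBIT_RULES if rx.search(cmdline)]


def cluster_by_parent(events):
    """Group hits by parent pid: {ppid: set(labels)}.  Ransomware fires these
    commands in a burst from one parent, which is what separates it from a
    single administrative vssadmin or bcdedit call."""
    clusters = defaultdict(set)
    for ev in events:
        for label in match_recovery_inhibition(ev["cmdline"]):
            clusters[ev["ppid"]].add(label)
    return dict(clusters)


def flag_parents(events, threshold=2):
    """Parent pids that triggered at least `threshold` distinct rules."""
    return sorted(ppid for ppid, labels in cluster_by_parent(events).items()
                  if len(labels) >= threshold)


# Constructed sample events (pid, parent pid, command line).
SAMPLE_EVENTS = [
    {"pid": 4420, "ppid": 4412, "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"pid": 4424, "ppid": 4412, "cmdline": "cmd.exe /c wmic shadowcopy delete"},
    {"pid": 4428, "ppid": 4412, "cmdline": "cmd.exe /c bcdedit /set {default} recoveryenabled no"},
    {"pid": 4432, "ppid": 4412, "cmdline": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4436, "ppid": 4412, "cmdline": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"pid": 5200, "ppid": 5100, "cmdline": "vssadmin list shadows"},   # benign
    {"pid": 5300, "ppid": 5100, "cmdline": "bcdedit /enum"},           # benign
]

if __name__ == "__main__":
    for ppid, labels in cluster_by_parent(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {sorted(labels)}")
    print("flagged parents:", flag_parents(SAMPLE_EVENTS))
```

Matching on the command line rather than the image name matters here because the commands are launched through cmd.exe; a rule keyed only on the process image of the child would see cmd.exe and miss them.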
Infection results
The ransom note unlock_here.txt is dropped in every directory it processes; encrypted files are renamed to <existing name>.<existing extension>.devinn, and the desktop wallpaper is replaced once encryption completes.
[Figure 13 Infection result 1]
[Figure 14 Infection result 2]
[Figure 15 Infection result 3]
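For scoping an incident, the two file-system artifacts above (the .devinn suffix and the per-directory unlock_here.txt) are enough to enumerate what was touched and when. The script below is an added example, not code from the report; build_sample_tree() creates a small constructed directory tree so the sweep can be run offline, and the same scan_tree() can be pointed at a real mounted volume or share.

```python
"""Sweep a directory tree for DVN infection artifacts (added example).

Artifacts, as described in the report: files renamed <name>.<ext>.devinn and
a note file unlock_here.txt in each affected directory.  The tree produced by
build_sample_tree() is constructed for demonstration.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

DVN_EXT = ".devinn"
DVN_NOTE = "unlock_here.txt"


def original_name(encrypted):
    """'report.docx.devinn' -> 'report.docx'; None if not a DVN file name."""
    if encrypted.lower().endswith(DVN_EXT) and len(encrypted) > len(DVN_EXT):
        return encrypted[: -len(DVN_EXT)]
    return None


def scan_tree(root):
    """Walk root and summarise encrypted files, note locations and the
    modification-time window, which bounds when encryption ran."""
    per_dir = Counter()
    note_dirs = []
    encrypted = []
    first = last = None
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == DVN_NOTE:
                note_dirs.append(dirpath)
                continue
            if original_name(name) is None:
                continue
            encrypted.append(full)
            per_dir[dirpath] += 1
            mtime = os.path.getmtime(full)
            first = mtime if first is None else min(first, mtime)
            last = mtime if last is None else max(last, mtime)
    return {
        "encrypted": sorted(encrypted),
        "per_dir": dict(per_dir),
        "note_dirs": sorted(note_dirs),
        "first_mtime": first,
        "last_mtime": last,
    }


def build_sample_tree():
    """Create a constructed 'infected' tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="dvn_demo_")
    layout = {
        "D_share/Finance": ["budget.xlsx.devinn", "q3.pdf.devinn", DVN_NOTE],
        "D_share/HR": ["staff.docx.devinn", DVN_NOTE],
        "C_root/Windows": ["notepad.exe"],  # untouched directory
    }
    for rel, names in layout.items():
        d = Path(root, rel)
        d.mkdir(parents=True)
        for n in names:
            (d / n).write_text("x")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(len(result["encrypted"]), "encrypted files")
    for d, n in result["per_dir"].items():
        print(f"  {n:4d}  {d}")
    print("note dropped in:", result["note_dirs"])
```

Directories that contain the note but no .devinn files are worth a second look during scoping: they mark where the ransomware ran but found nothing matching its extension list (Figure 10).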
White Defender response
White Defender blocks the DVN ransomware and, before its malicious actions take effect, automatically restores in real time the files that were about to be encrypted.
[Figure 16 Block message]
[Figure 17 Block message]