Davda Virus - How to remove

Encryption is a legitimate and powerful way to hide information from those who aren’t meant to see it. But when a virus like Davda uses encryption to make our own files inaccessible to us, that’s a big problem. Businesses all over the world are losing millions to online extortionists, but Davda is a cryptovirus that targets individual people: our family photos, personal projects, and school assignments are held hostage while the criminals who created Davda demand hundreds of dollars.

This is obviously illegal, and the developers of Davda have actually been terrorizing people for months now, ever since the development of DJVU, but catching international online criminals is difficult, especially when the targets are just normal people with no extraordinary money or power behind them.

So, if you were caught by Davda, it’s going to be up to you (with some help from us and various cybersecurity specialists) to get your files back, as well as to know how to avoid infections in the future.

Can the files be restored?

If you have backups, that is, copies of your files that you stored separately from your infected computer, then those files are trivial to restore: just copy them back to your computer. Even if you didn’t deliberately make a backup, some of the files could be saved in the cloud.

Even if the only existing copies of your files were caught by Davda, the situation is not entirely hopeless. There is a free decryptor for some of the viruses of the STOP/DJVU family. The developer is a volunteer known as @demonslay335, and his program is called STOPDecrypter. This program is capable of decrypting some of the files — specifically, the files encrypted using the offline key, which is the same for every victim of that ransomware (in this case, Davda), and is used when the virus fails to contact the extortionists’ server and get a unique key. If @demonslay335 ever finds an offline key for that strain of ransomware, he can update STOPDecrypter to work on those files.

Unfortunately, even if STOPDecrypter is updated to support Davda, it won’t work for most victims of the virus. Since there is no way to guess the decryption keys with our current technology, other ways to restore files will need to be found: a few are described in the guide below this article.

How Davda infects computers

The Davda virus spreads using a few different techniques; being aware of them helps you avoid malware:

  • Infected links and files in e-mails. Phishing e-mails that include impersonal, urgent messages that ask you to open a file.
  • Files available in peer-to-peer filesharing networks. Low-reputation links to files with deceptive descriptions.
  • Free programs online. Using a known, trusted name but altered and distributed by malicious actors.

Davda usually needs to be run by the user, and that’s done by tricking them: if you think that the file you’re opening is an urgent bill, or some trusted software that you downloaded, you might not hesitate to run the file. But it could be the malicious Davda program, disguised by its distributors.

Example of an encrypted file name: picture.jpg.davda

Then Davda encrypts files: pictures, documents, PDFs, databases, spreadsheets, films, and others. It even deletes the backups that Windows creates if they’re stored on the infected device. This all happens in the background, without you even noticing (though if you do notice it, it might be safest to completely shut down your computer and back up your files).

After the encryption, Davda creates a ransom note named _readme.txt:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.


The note is the same as for Drume, Redmat, and the other STOP/DJVU variants. Only the contacts are different: [email protected], [email protected], @datarestore (Telegram). The ransom is the same as always, $980 or $490 — not a sum that people would be willing to risk throwing away, considering the low rates of file decryption after paying.

How to remove Davda

Davda (and whatever malware it was distributed with) can be removed using Spyhunter, or another capable antivirus program. If your usual antivirus doesn’t work for this, Davda might have broken it. If you can’t access some websites, that might be Davda’s fault, too — check this guide.

After Davda is gone from your computer, below is a guide that might be able to help you restore some of your files.


Automatic Malware removal tools

Download Spyhunter for Malware detection (Win)

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. Limited trial available.

Download Combo Cleaner for Malware detection (Mac)

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. Limited trial available.

How to recover Davda Virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points from before Davda infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Davda Virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Davda. You can check other tools here.

Step 3. Restore Davda Virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Davda tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
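Before opening Shadow Explorer, it helps to know whether any Shadow Volume Copies survived Davda’s deletion attempt at all. The following read-only triage script is an added example, not part of the original guide or any tool it mentions; it assumes the .davda extension and the _readme.txt note name described above, and that an encrypted file’s last-write time roughly marks when the encryption happened.

```powershell
# Added example: read-only triage for Step 3. Nothing is modified or deleted.
# Run from an elevated PowerShell on the infected machine (or with the infected
# disk attached to a clean one, adjusting $Root to that drive).
param(
    [string]$Root = $env:USERPROFILE   # assumption: where the victim's data lives
)

# 1. Inventory encrypted files and ransom notes (extension and note name
#    as described in the article).
$encrypted = Get-ChildItem -Path $Root -Recurse -File -Filter '*.davda' -ErrorAction SilentlyContinue
$notes     = Get-ChildItem -Path $Root -Recurse -File -Filter '_readme.txt' -ErrorAction SilentlyContinue

Write-Host ("Encrypted files under {0}: {1}" -f $Root, @($encrypted).Count)
$encrypted | Select-Object -First 5 | ForEach-Object { Write-Host "  $($_.FullName)" }
Write-Host ("Ransom notes (_readme.txt) found: {0}" -f @($notes).Count)

# Assumption: the earliest last-write time among .davda files approximates
# when encryption started; a shadow copy older than that is the useful kind.
$encryptionStart = $null
if ($encrypted) {
    $encryptionStart = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    Write-Host ("Earliest encrypted file written at: {0}" -f $encryptionStart)
}

# 2. List the shadow copies that still exist, per volume. Davda tries to
#    delete them; if any predate the encryption, Previous Versions or
#    Shadow Explorer can still recover files from them.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    Write-Host "No Shadow Volume Copies remain. Skip to Step 4 or restore from a separate backup."
    return
}

$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
foreach ($s in $shadows) {
    # Win32_ShadowCopy.VolumeName matches Win32_Volume.DeviceID (\\?\Volume{GUID}\)
    $vol    = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName } | Select-Object -First 1
    $letter = if ($vol) { $vol.DriveLetter } else { $s.VolumeName }
    $verdict = if ($encryptionStart -and $s.InstallDate -lt $encryptionStart) {
        'predates encryption: worth trying'
    } else {
        'created after encryption or unknown: may hold encrypted copies'
    }
    Write-Host ("  Shadow copy {0} of {1} from {2} ({3})" -f $s.ID, $letter, $s.InstallDate, $verdict)
}
```

If the script reports surviving copies that predate the encryption, proceed with the Previous Versions or Shadow Explorer steps above for the listed drive.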

Step 4. Use Data Recovery programs to recover Davda Virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.