
MyAntiSpyware


.Davda file extension ransomware virus (Restore, Decrypt .davda files)

Myantispyware team June 4, 2019    

Today, IT security researchers have received reports of yet another crypto malware called ‘Davda ransomware’. This ransomware spreads via spam emails and malicious files and appends the .davda file extension to encrypted files. This blog post covers what you need to know about this crypto malware, how to remove the Davda file virus from your system and how to restore (decrypt) encrypted documents, photos and music for free.

Files encrypted by .Davda ransomware


Davda crypto malware is malware that prevents you from accessing your files. It demands a ransom, paid through certain online payment methods, in exchange for getting your documents, photos and music back. Files with the following extensions will be encrypted:

.wps, .ybk, .odm, .wri, .zabw, .t13, .dbf, .m4a, .p7c, .xf, .erf, .wpg, .wbz, .wire, .sum, .sie, .sidd, .pfx, .xlgc, .bsa, .wmo, .mp4, .odp, .wp, .zip, .iwi, .rb, .docx, .x3f, .desc, .z, .d3dbsp, .xlsb, .sql, .jpg, .yal, .sid, .webdoc, .mcmeta, .wbd, .webp, .mov, .zip, .iwd, .txt, .m2, .sidn, .eps, .snx, .xyw, .fsh, .xlk, .xll, .1st, .rwl, .dwg, .svg, .vfs0, .tax, .wps, .wpt, .srw, .ibank, .wgz, .ntl, .pef, .y, .jpeg, .wp6, .z3d, .3ds, .bar, .jpe, .wp4, .nrw, .re4, .layout, .fpk, .ods, .rar, .rim, .der, .cdr, .p12, .qic, .wsc, .mddata, .pem, .xmind, .wmv, .xar, .xdl, .ztmp, .wp5, .xlsx, .dcr, .sis, .cer, .x, .avi, .kdc, .ncf, .bkf, .yml, .bik, .docm, .rtf, .xls, .mdb, .bay, .ltx, .wma, .rw2, .wbmp, .3fr, .big, .mpqge, .ptx, .xdb, .wp7, .wpa, .wbc, .pdf, .itdb, .xy3, .ai, .flv, .xml, .lrf, .gdb, .x3d, .zw, .wbk, .hkdb, .pdd, .hkx, .png, .asset, .wpd, .itl, .xmmap, .wpd, .ysp, .wdb, .odb, .w3x, .zi, .vdf, .sav, .wdp, .arw, .odt, .das, .crt, .upk, .vpp_pc, .pptm, .wmv, .wpe, .7z, .wotreplay, .m3u, .wn, .tor, .syncdb, .odc, .dazip, .hvpl, .kdb, .arch00, wallet, .cas, .vpk, .mlx, .zdb, .db0, .zdc, .xlsx, .pkpass, .wav, .wsh, .vcf, .wpl, .wpb, .2bp, .ppt, .zif, .xls, .xwp, .lvl, .rgss3a, .r3d, .xld, .x3f, .lbf, .mrwref, .pst, .bkp, .map, .itm, .raf, .wm, .mdf, .fos, .dba, .doc, .ff, .accdb, .xyp, .xlsm, .menu, .p7b, .csv, .qdf, .orf, .wot, .xbdoc, .wbm, .apk, .js, .psk, .hplg, .xpm, .t12, .dmp, .xxx, .kf, .mef, .ws, .crw, .bc6, .dxg, .xbplate, .css, .1, .psd, .vtf, .cfr, .py, .wb2, .pptx, .raw, .wcf, .rofl, .blob, .sb, .bc7, .mdbackup, .wma, .forge, .srf, .slm, .wpw, .indd, .pak, .esm, .xlsm, .icxs, .cr2, .sr2, .epk, .3dm, .wmf, .wmd

Once the encryption procedure is finished, it drops a ransom note named ‘_readme.txt’ offering to decrypt all of the user's files if a payment is made. An example of the ransom message is:

ATTENTION!
 
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-7AKxZTQTdy
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

 

Threat Summary

Name: Davda
Type: Ransomware, Filecoder, Crypto virus, File locker
Encrypted files extension: .davda
Ransom note: _readme.txt
Contact: stoneland@firemail.cc, @datarestore (telegram)
Ransom amount: $490, $980 in Bitcoins
Symptoms:
  • Your documents, photos and music fail to open
  • Your files have a wrong suffix or extension
  • Files named ‘_readme’ or ‘_readme.txt’ in every folder with an encrypted file
Removal: To remove Davda ransomware use the removal guide
Decryption: To decrypt Davda ransomware use the steps
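The symptoms above can be checked across a whole drive before any cleanup. The following is an added example, not part of the original article or of any tool it mentions: a read-only Python inventory that counts .davda files per folder, confirms each _readme.txt against phrases from the note quoted above, and tallies the original file types. The function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

ENC_SUFFIX = ".davda"      # extension this page says is appended
NOTE_NAME = "_readme.txt"  # ransom note file name given on this page
# Phrases copied from the ransom note quoted on this page.
NOTE_MARKERS = ("you can return all your files", "purchase decrypt tool")

def is_ransom_note(path):
    """True for a _readme.txt whose text contains a phrase from the note."""
    if os.path.basename(path).lower() != NOTE_NAME:
        return False
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read(8192).lower()
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)

def original_extension(name):
    """'report.docx.davda' -> '.docx' (the type the file had before)."""
    return os.path.splitext(name[: -len(ENC_SUFFIX)])[1].lower()

def scan(root):
    """Read-only walk of root. 'untouched' counts files still readable in
    an affected folder, which may mean encryption did not finish there."""
    dirs, by_type = {}, Counter()
    for dirpath, _subdirs, files in os.walk(root):
        locked = [f for f in files if f.lower().endswith(ENC_SUFFIX)]
        notes = [f for f in files if is_ransom_note(os.path.join(dirpath, f))]
        if not locked and not notes:
            continue
        by_type.update(original_extension(f) or "(none)" for f in locked)
        dirs[os.path.relpath(dirpath, root)] = {
            "encrypted": len(locked),
            "note": bool(notes),
            "untouched": len(files) - len(locked) - len(notes),
        }
    return {"dirs": dirs, "by_type": dict(by_type),
            "total": sum(by_type.values())}

def build_sample(root):
    """Constructed sample tree for the demo (not real victim data)."""
    note = "ATTENTION!\nDon't worry, you can return all your files!\n"
    layout = {
        "Documents": {"report.docx.davda": "x", NOTE_NAME: note},
        "Pictures": {"cat.jpg.davda": "x", "dog.JPG.DAVDA": "x",
                     "new.png": "x", NOTE_NAME: note},
        "Projects": {NOTE_NAME: "Build notes", "main.py": "x"},  # benign
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name, body in files.items():
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

Point `scan()` at a real folder instead of the sample tree to get the same summary; it only reads file names and the first 8 KB of each _readme.txt.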

 

Follow our tutorial below to detect and remove Davda crypto virus from your computer as well as recover (decrypt) encrypted personal files for free.

Quick links

  1. How to remove Davda ransomware
  2. How to decrypt .davda files
  3. Use STOPDecrypter to decrypt .davda files
  4. How to restore .davda files
  5. How to protect your computer from Davda ransomware?
  6. Finish words

How to remove Davda ransomware

In many cases it is not possible to remove the Davda crypto malware manually. For that reason, our team designed several removal methods, which we’ve combined in the detailed instructions below. If you have the Davda ransomware on your computer and are trying to delete it, follow the step-by-step guidance below to resolve your problem. Read it through once, then print this page, as you may need to close your web-browser or reboot your machine.



Remove Davda ransomware with Zemana Anti-malware

Zemana Anti-malware is a tool that can remove viruses, adware, potentially unwanted software, trojans, worms and other malware from your PC system easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses a minimum of PC system resources.
Zemana Free delete Davda crypto malware, other kinds of potential threats like malware and trojans

  1. Zemana Anti Malware (ZAM) can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
    Zemana AntiMalware
    164986 downloads
    Author: Zemana Ltd
    Category: Security tools
    Update: July 16, 2019
  2. At the download page, click on the Download button. Your web-browser will display the “Save as” prompt. Please save it onto your Windows desktop.
  3. When the download is done, please close all programs and open windows on your system. Next, start a file called Zemana.AntiMalware.Setup.
  4. This will launch the “Setup wizard” of Zemana AntiMalware onto your machine. Follow the prompts and do not make any changes to default settings.
  5. When the Setup wizard has finished installing, the Zemana Anti Malware (ZAM) will launch and show the main window.
  6. Next, press the “Scan” button. The Zemana Anti-Malware (ZAM) application will scan the whole computer for the Davda crypto virus, other malicious software, worms and trojans. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC system and the speed of your system. When malicious software, adware or potentially unwanted applications are found, the number of security threats will change accordingly.
  7. When finished, you may check all items detected on your personal computer.
  8. You may delete threats (move to Quarantine) by simply clicking the “Next” button. The tool will remove Davda ransomware, other malicious software, worms and trojans and add threats to the Quarantine. Once that process is finished, you may be prompted to restart the PC.
  9. Close the Zemana Free and continue with the next step.

Use MalwareBytes Free to remove .Davda file virus

We recommend using the MalwareBytes Anti-Malware. You can download and install MalwareBytes Anti-Malware to search for and remove Davda from your system. When installed and updated, this free malicious software remover automatically searches for and removes all threats present on the computer.

Download MalwareBytes Free by clicking on the following link. Save it on your Windows desktop or in any other place.

Malwarebytes Anti-malware
327224 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

Once the download is complete, close all windows on your personal computer. Next, launch the file called mb3-setup. If the “User Account Control” dialog box pops up as displayed in the following example, click the “Yes” button.

MalwareBytes Anti-Malware (MBAM) for Windows uac prompt

It will show the “Setup wizard” that will allow you to install MalwareBytes Free on the PC. Follow the prompts and do not make any changes to default settings.

MalwareBytes for Windows set up wizard

Once the installation completes successfully, press the Finish button. MalwareBytes will then run automatically and you will see its main window as shown on the screen below.

MalwareBytes for Windows

Next, press the “Scan Now” button to start checking your computer for the Davda ransomware and other kinds of potential threats such as malware and trojans. This process can take quite a while, so please be patient.

MalwareBytes for Windows scan for Davda crypto virus, other malicious software, worms and trojans

When the system scan is finished, MalwareBytes Anti-Malware (MBAM) will show a list of all threats found by the scan. Next, click the “Quarantine Selected” button.

MalwareBytes Free for Windows, scan for crypto virus is finished

MalwareBytes will delete the Davda ransomware virus, other malicious software, worms and trojans. When disinfection is done, you may be prompted to restart your personal computer. We suggest you look at the following video, which completely explains the process of using MalwareBytes Free to get rid of hijackers, adware and other malicious software.

Remove Davda ransomware with KVRT

If MalwareBytes anti-malware or Zemana anti-malware cannot remove this ransomware virus, then we suggest using KVRT. KVRT is a free removal tool for ransomware, adware, potentially unwanted programs and toolbars.

Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop by clicking on the link below.

Kaspersky virus removal tool
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

When the download is complete, double-click the KVRT icon. Once the initialization process is finished, you will see the KVRT screen as shown below.

KVRT main window

Click Change Parameters and check the boxes next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button to perform a system scan for the Davda ransomware and other trojans and harmful programs. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. During the scan KVRT will look for threats present on your computer.

KVRT scanning

When Kaspersky virus removal tool completes the scan, KVRT will show a scan report as on the image below.

KVRT scan report

In order to delete all threats, simply click on Continue to begin a cleaning process.

How to decrypt .davda files

The Davda crypto virus uses a strong encryption method. This means that decrypting the files is impossible without the private key. Brute forcing is also not an option because of the length of the key. Therefore, unfortunately, paying the makers of the Davda ransomware the entire amount requested is the only way to try to get the decryption key and decrypt all your files.

Should you pay the ransom

If your documents, photos and music have been locked by the Davda ransomware, we advise: do not pay the ransom. If this malicious software makes money for its makers, then your payment will only increase attacks against you. Of course, decryption without the private key is not feasible, but that does not mean that the Davda ransomware must seriously disrupt your life.

Files encrypted by .Davda ransomware


With some variants of the Davda ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.




Use STOPDecrypter to decrypt .davda files

Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).

STOPDecrypter


STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap). STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.davda).

Please check the twitter post for more info.

How to restore .davda files

In some cases, you can recover files encrypted by Davda crypto malware. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.




Restore .davda encrypted files using Shadow Explorer

An alternative is to recover .davda documents, photos and music from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing photos, documents and music that were locked by Davda ransomware. The tutorial below will give you all the details.

Download ShadowExplorer on your MS Windows Desktop by clicking on the following link.

ShadowExplorer
439625 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

Once the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as displayed on the image below.

ShadowExplorer folder

Launch the ShadowExplorer utility and then choose the disk (1) and the date (2) of the shadow copy from which you want to restore the file(s) encrypted by the Davda ransomware, as shown below.

ShadowExplorer restore files encrypted by the Davda ransomware

Now navigate to the file or folder that you wish to restore. When ready, right-click on it and click the ‘Export’ button as shown below.

ShadowExplorer recover file

Use PhotoRec to restore .davda files

Before a file is encrypted, the Davda crypto virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file restore apps like PhotoRec.

Download PhotoRec on your PC from the following link.

PhotoRec
221290 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

After the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown on the image below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen as displayed on the image below.

PhotoRec for windows

Select a drive to recover as shown in the following example.

photorec choose drive

You will see a list of available partitions. Select a partition that holds encrypted files as shown on the screen below.

photorec choose partition

Press the File Formats button and choose the file types to recover. You can enable or disable the restore of certain file types. When this is complete, click the OK button.

PhotoRec file formats

Next, click the Browse button to choose where restored files should be written, then click Search.

photorec

The count of restored files is updated in real time. All restored personal files are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.

When the restore is complete, click the Quit button. Next, open the directory where the recovered photos, documents and music are stored. You will see contents like those displayed in the following example.

PhotoRec - result of recovery

All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can sort your recovered files by extension and/or date/time.
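Sorting by extension and date can be scripted when PhotoRec returns thousands of files. This is an added example, not part of the original article or of PhotoRec: it reads the recup_dir.N folders in numeric order, skips empty files, and groups the rest by extension with the newest first. The function names, the sample file names and the sample timestamps are constructed for the demo.

```python
import os
import re
import tempfile
from datetime import datetime

RECUP_RE = re.compile(r"^recup_dir\.(\d+)$")  # PhotoRec output folder names


def recup_dirs(dest):
    """recup_dir.N folders under dest in numeric order (2 before 10)."""
    found = []
    for entry in os.scandir(dest):
        m = RECUP_RE.match(entry.name)
        if m and entry.is_dir():
            found.append((int(m.group(1)), entry.path))
    return [path for _n, path in sorted(found)]


def index_recovered(dest, wanted_exts=None, newer_than=None):
    """Group recovered files by extension, newest first in each group."""
    groups = {}
    for folder in recup_dirs(dest):
        for entry in os.scandir(folder):
            st = entry.stat()
            ext = os.path.splitext(entry.name)[1].lower() or "(none)"
            mtime = datetime.fromtimestamp(st.st_mtime)
            if not entry.is_file() or st.st_size == 0:
                continue  # skip sub-folders and empty carves
            if wanted_exts and ext not in wanted_exts:
                continue
            if newer_than and mtime < newer_than:
                continue
            groups.setdefault(ext, []).append((mtime, st.st_size, entry.path))
    for files in groups.values():
        files.sort(reverse=True)
    return groups


def build_sample(dest, base=1_559_000_000):
    """Constructed PhotoRec-style output; names, sizes, dates are made up."""
    layout = {  # folder -> (file name, size in bytes, days after base)
        "recup_dir.1": [("f0000100.jpg", 10, 0), ("f0000200.docx", 20, 2)],
        "recup_dir.2": [("f0000300.jpg", 30, 5), ("f0000400.txt", 0, 1)],
        "recup_dir.10": [("f0000500.JPG", 40, 9)],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(dest, folder))
        for name, size, days in files:
            path = os.path.join(dest, folder, name)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)
            os.utime(path, (base + days * 86400,) * 2)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for ext, files in sorted(index_recovered(tmp).items()):
            print(ext, [os.path.basename(p) for _t, _s, p in files])
```

Pass `wanted_exts={".docx", ".jpg"}` or a `newer_than` datetime to narrow the listing to the files you are looking for.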

How to protect your computer from Davda ransomware?

Most antivirus apps already have built-in protection against crypto malware. Therefore, if your system does not have an antivirus program, make sure you install one. As an extra protection, run HitmanPro.Alert.

Use HitmanPro.Alert to protect your system from Davda ransomware virus

All-in-all, HitmanPro.Alert is a fantastic tool to protect your PC system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows OS from Windows XP to Windows 10.

HitmanPro Alert can be downloaded from the following link. Save it to your Desktop.

HitmanPro.Alert
6877 downloads
Author: Sophos
Category: Security tools
Update: March 6, 2019

After the download is complete, open the folder in which you saved it. You will see an icon like below.

HitmanPro.Alert file icon

Double-click the HitmanPro Alert desktop icon. Once the utility is launched, you will see a window where you can choose a level of protection, as shown on the screen below.

HitmanPro.Alert install

Now press the Install button to activate the protection.

Finish words

Once you’ve done the steps above, your PC system should be clean from Davda ransomware and other malicious software. Your PC will no longer encrypt your photos, documents and music. Unfortunately, if the steps do not help you, then you have caught a new variant of the crypto virus, and the best way forward is to ask for help here.

 

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
