coka

[Content by Gemini 2.5]


Ransomware Resource: COKA (.coka)


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .coka
  • Renaming Convention:
    – Each affected file is appended with the lowercase extension .coka (e.g., report.xlsx → report.xlsx.coka).
    – No preceding markers, random IDs, or email contacts are added; the original filename and path stay otherwise intact.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: 1st quarter 2019, peaking around March–June 2019; sporadic re-emergence waves observed through 2020–2021.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    – Remote Desktop Protocol (RDP) brute-force and credential reuse – the dominant entry method.
    – Phishing e-mails carrying Office documents with malicious macros or .NET droppers that fetch and launch COKA.
    – Exploitation of unpatched software: at the time of release, CVE-2017-0144 (EternalBlue, SMBv1) and CVE-2017-0145 (both fixed by MS17-010) were used to spread across networks that had not applied the update.
    – Pirated/cracked software bundles – widely distributed on torrent networks with the dropper bundled into the installer.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    – Disable/uninstall SMBv1 on both sides: server-side with Set-SmbServerConfiguration -EnableSMB1Protocol $false; client-side with sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi followed by sc.exe config mrxsmb10 start= disabled, then reboot (lanmanworkstation is the SMB client, so restarting the Server service is not enough).
    – Segment RDP: block TCP 3389 inbound from the internet at the firewall and reach it only through a VPN or jump host; enforce Network Level Authentication (NLA) and multifactor authentication (MFA) for all remote sessions.
    – Enforce least-privilege local admin rights, strong password requirements and an account-lockout policy.
    – Implement application whitelisting (WDAC, AppLocker) to stop execution of unsigned payloads (.exe, .scr, .js, .ps1) from user-writable paths.
    – Keep offline, versioned backups (3-2-1 rule) disconnected from the network when not in use, and test restores regularly.
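The following script applies the preventive controls above on a single Windows host. It is an added example written for this page, not code from the original resource or from any vendor; the management subnet 10.0.10.0/24 and the lockout values are assumptions to replace with your own. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original page): harden a Windows host against the
# COKA entry paths described above (SMBv1 / MS17-010, exposed RDP, weak lockout).
# Assumptions: only jump hosts in $MgmtSubnet may reach RDP; lockout values are a
# starting point, not a policy. On Windows Server, remove SMB1 with
# Uninstall-WindowsFeature -Name FS-SMB1 instead of the optional-feature cmdlet.
#Requires -RunAsAdministrator

$MgmtSubnet = '10.0.10.0/24'   # assumption: management / jump-host range

# 1. SMBv1: turn off the server-side protocol now and remove the feature (needs a reboot).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 2. RDP: require Network Level Authentication and restrict the built-in
#    "Remote Desktop" firewall rules to the management subnet instead of any address.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Profile Any -RemoteAddress $MgmtSubnet

# 3. Credential brute force: lockout policy for local accounts (set the domain policy via GPO).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 4. Controlled Folder Access blocks untrusted binaries from writing to user document
#    folders, which is exactly what a file encryptor has to do.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 5. Verify and emit the state as an object so it can be collected centrally.
[PSCustomObject]@{
    Host          = $env:COMPUTERNAME
    Smb1Enabled   = (Get-SmbServerConfiguration).EnableSMB1Protocol
    NlaRequired   = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1
    RdpRemoteAddr = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                     Get-NetFirewallAddressFilter |
                     Select-Object -ExpandProperty RemoteAddress -Unique) -join ','
    CfaState      = (Get-MpPreference).EnableControlledFolderAccess
}
```

The final object is the check a practitioner actually wants: Smb1Enabled should read False, NlaRequired True, RdpRemoteAddr should show only the management range, and CfaState should be 1 (Enabled). Anything else means a step silently failed, which is common when a GPO re-applies an older setting.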

2. Removal

  • Infection Cleanup:
  1. Isolate: disconnect the host from the network (pull the cable, disable Wi-Fi, block the port at the switch).
  2. Boot into Safe Mode without networking (Windows) or from a rescue USB so the isolated host cannot reconnect.
  3. Identify persistence:
    – Scheduled Tasks (schtasks /query /fo LIST /v).
    – Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the HKLM equivalent).
    – Services or autostart binaries dropped as:
    C:\Users\<user>\AppData\Roaming\<random>.exe or C:\ProgramData\ctfmon64.exe.
  4. Quarantine & terminate: rename malware components (append .quarantined) and kill related processes with Process Explorer or taskkill.
  5. Scan & remediate: full scan with Microsoft Defender Offline, Malwarebytes, Kaspersky Rescue Disk, or the Bitdefender Rescue CD. Remove all detections.
  6. Review logs: look for brute force and lateral movement under Event IDs 4625 (failed logons) and 4624 (successful logons; logon type 10 marks RDP), 4672 (special privileges assigned) and 7045 (new service installed, System log).
  7. Repeat steps 3-5 on every reachable machine; wipe & re-image any host that keeps getting reinfected.
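Steps 3 and 6 above are tedious by hand on more than one host. The script below is an added example written for this page, not tooling from the original resource: it runs from an elevated PowerShell on the isolated host, checks the persistence locations listed above, and pulls the 4624/4625/7045 events into one report. The staging-directory patterns, the 7-day window, the 20-failure threshold and the output path are assumptions to tune per case.

```powershell
# Added example (not code from the original page): triage a suspected COKA host.
# Run from an elevated PowerShell on the isolated machine, after the network has
# been disconnected. Assumptions: $SuspectPatterns, the 7-day window, the
# 20-failure brute-force threshold and $OutFile are case-specific tunables.
#Requires -RunAsAdministrator

$Since           = (Get-Date).AddDays(-7)
$OutFile         = "C:\Triage\coka-$env:COMPUTERNAME.json"   # assumption: dedicated triage folder
$SuspectPatterns = '\AppData\Roaming\', '\AppData\Local\Temp\', '\ProgramData\', '\Windows\Temp\'

function Test-SuspectPath {
    # True when a binary path points into a user-writable staging directory.
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($pattern in $SuspectPatterns) { if ($Path -like "*$pattern*") { return $true } }
    return $false
}

# 1. Services whose image lives in a user-writable directory (e.g. ProgramData\ctfmon64.exe).
$services = Get-CimInstance Win32_Service |
    Where-Object { Test-SuspectPath $_.PathName } |
    Select-Object Name, State, StartMode, PathName

# 2. Scheduled tasks whose action executes from those directories.
$tasks = foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        if (Test-SuspectPath $a.Execute) {
            [PSCustomObject]@{ Task = $t.TaskPath + $t.TaskName; Execute = $a.Execute; Arguments = $a.Arguments }
        }
    }
}

# 3. Run/RunOnce values in HKLM and every loaded user hive (all profiles, not just HKCU).
$hives = @('HKLM:') + (Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)" })
$runKeys = foreach ($hive in $hives) {
    foreach ($sub in 'Software\Microsoft\Windows\CurrentVersion\Run', 'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $key = Join-Path $hive $sub
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [PSCustomObject]@{ Key = $key; Name = $_.Name; Command = $_.Value; Suspect = Test-SuspectPath $_.Value } }
        }
    }
}

# 4. Security log: 4625 failures grouped by source IP (brute force) and 4624 with
#    logon type 10 (an RDP session that actually got in). Property indexes follow
#    the event schemas: 4625 IpAddress = [19]; 4624 LogonType = [8], IpAddress = [18].
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } -ErrorAction SilentlyContinue
$bruteForce = $sec | Where-Object Id -eq 4625 |
    Group-Object { $_.Properties[19].Value } |
    Where-Object Count -ge 20 |
    Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count
$rdpLogons = $sec | Where-Object { $_.Id -eq 4624 -and $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
                  @{ n = 'User';     e = { $_.Properties[5].Value } },
                  @{ n = 'SourceIp'; e = { $_.Properties[18].Value } }

# 5. System log: 7045 service installs (ServiceName = [0], ImagePath = [1]).
$newServices = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'Service';   e = { $_.Properties[0].Value } },
                  @{ n = 'ImagePath'; e = { $_.Properties[1].Value } }

# 6. Collect everything into one case-file artifact and also return it to the console.
$report = [ordered]@{
    Host = $env:COMPUTERNAME; Since = $Since
    Services = @($services); Tasks = @($tasks); RunKeys = @($runKeys)
    BruteForceSources = @($bruteForce); RdpLogons = @($rdpLogons); NewServices = @($newServices)
}
New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile
$report
```

Read the report in this order: a source IP in BruteForceSources that also appears in RdpLogons tells you which account was guessed and when, and the 7045 entries immediately after that logon usually point at the dropped service binary, which should then show up again under Services or RunKeys with Suspect = True. Copy the JSON off the host before re-imaging.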

3. File Decryption & Recovery

  • Recovery Feasibility: As of today, files encrypted by COKA cannot be decrypted without the attacker's private key; no working free decrypter has ever been released.
  • Essential Tools/Patches:
    Emsisoft "Coka Decryptor 1.0" – announced February 2022 but withdrawn before a working release; do NOT rely on it or on any third-party download using that name.
    Microsoft MS17-010 Security Update – mandatory on Windows 7/Server 2008 R2 and earlier; later versions ship with the fix but still need SMBv1 removed.
    Domain-wide SMBv1 removal via Group Policy – the Microsoft Security Baselines (SecGuide.admx) "Configure SMB v1 server" and "Configure SMB v1 client driver" settings disable it across the estate.
    Sophos Intercept X CryptoGuard (rollback) or Microsoft Defender Controlled Folder Access – mitigate future encryption attempts.

Practical recovery: take a forensic image of the encrypted drive first (keep it in case a decrypter appears later), then restore from clean, offline backups onto a re-imaged host. When backups are unavailable, engage law enforcement before any contact with the attackers.

4. Other Critical Information

  • Unique Characteristics:
    – Uses a hybrid scheme of ChaCha20 for file contents with the key protected by ECDH on secp384r1.
    – Drops the ransom note !README_COKA!.rtf in each affected directory and on the Desktop.
    – The e-mail contact ([email protected]) and the BTC wallet change in every campaign to hinder tracking.
    – Does not embed a victim ID in the filename or use a random-looking extension such as .AfD3; this leads to it being mistaken for STOP/DJVU and to the wrong decryptor being run.
  • Broader Impact:
    – Victims ranged from small accounting firms in South-East Asia to municipal governments in South America, with reported losses above US $2 M across 50+ documented incidents.
    – Code overlapping with the Cryakl/Prison ransomware families was partly leaked on underground forums, accelerating the appearance of derivatives.

Key Takeaway: COKA is primarily opportunistic RDP-based ransomware without a working free decryptor. Your strongest shield is hardening RDP endpoints, eliminating SMBv1, and verifying offline backups.