copa

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .copa
    All encrypted files are appended with the exact extension .copa, resulting in names like ProjectBudget.xlsx.copa, CustomerDB.accdb.copa, AnnualReport.pdf.copa, etc.
  • Renaming Convention:
    The ransomware first sorts files into subdirectories by file type, then rewrites each file name using the following pattern:
  <Original-Filename without extension>.<8-char-random-ID>.copa

Example: Quarterly_Invoice_2024.xlsx → Quarterly_Invoice_2024.7F9B2E4A.copa
The 8-character alphanumeric ID is unique per host and written to the embedded ransom note for tracking purposes.
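
As an added illustration (not part of the original profile), a small Python triage helper that applies the renaming pattern above to a directory listing: it separates encrypted files from untouched ones, extracts the 8-character ID, flags when more than one ID appears on the same volume, and locates the ransom-note file names given later in this profile. The listing is constructed sample data.

```python
import re
from collections import Counter

# Constructed directory listing (sample data, not from a real incident).
SAMPLE_LISTING = [
    r"D:\Finance\Quarterly_Invoice_2024.7F9B2E4A.copa",
    r"D:\Finance\AnnualReport.7F9B2E4A.copa",
    r"D:\Finance\ProjectBudget.xlsx.copa",        # extension kept, no ID segment
    r"D:\Finance\_readme.txt",
    r"D:\HR\CustomerDB.7F9B2E4A.copa",
    r"D:\HR\CustomerDB.accdb",                     # untouched original
    r"D:\Shared\Notes.A1B2C3D4.copa",              # a second ID on the same volume
    r"D:\Shared\README_FOR_DECRYPT.copa.txt",
]

# <name>.<8 alphanumeric chars>.copa, matched against the basename only
COPA_PATTERN = re.compile(r"^(?P<stem>.+)\.(?P<hostid>[A-Za-z0-9]{8})\.copa$")
# Ransom-note file names listed in the profile
NOTE_NAMES = {"_readme.txt", "_HOW_TO_RECOVER_FILES_.copa.txt", "README_FOR_DECRYPT.copa.txt"}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def parse_copa_name(path):
    """Return (stem, host_id) when the basename follows the ID pattern, else None."""
    m = COPA_PATTERN.match(basename(path))
    return (m.group("stem"), m.group("hostid")) if m else None

def triage(paths):
    """Count encrypted files, collect host IDs, and locate ransom notes."""
    encrypted, notes, ids = [], [], Counter()
    for p in paths:
        base = basename(p)
        if base in NOTE_NAMES:
            notes.append(p)
        elif base.lower().endswith(".copa"):      # any .copa suffix counts as encrypted
            encrypted.append(p)
            parsed = parse_copa_name(p)
            if parsed:
                ids[parsed[1]] += 1
    return {
        "encrypted_count": len(encrypted),
        "host_ids": dict(ids),
        # the ID is unique per host, so several IDs on one volume point to
        # more than one infected machine writing to it
        "multiple_ids": len(ids) > 1,
        "ransom_notes": notes,
    }
```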

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Copa’s first public sighting was 27 September 2021 in South-East Asia. Within the second week of October 2021, telemetry spikes were recorded across Europe and North America, indicating a coordinated global wave.

3. Primary Attack Vectors

  1. Software Supply Chain (Tainted Installers):
    Managers were baited into downloading a “new PDF editor v9” from a look-alike domain; the NSIS installer silently bundled the ransomware.
  2. Remote Desktop Protocol (RDP) Exploit with Credential Stuffing:
    Brute-forced or previously stolen domain credentials were used to RDP into unprotected endpoints. Once in, the attackers disabled Windows Defender real-time protection via PowerShell (Set-MpPreference -DisableRealtimeMonitoring $true) before dropping copa.exe.
  3. ProxyLogon / ProxyShell Chaining:
    Where Microsoft Exchange remained unpatched (CVE-2021-26855 and CVE-2021-34473), attackers used the webshell “exp.aspx” to pivot into the AD forest, escalate to SYSTEM, and push the Copa malware with PsExec.
  4. Drive-by Malvertising Campaign:
    Search ads for legitimate applications redirected browsers to an exploit kit (Fallout EK, later Magnitude) that delivered the Copa loader via fake Flash-update notifications.
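
The process-execution telemetry left by vectors 2 and 3 can be matched with a few rules. The following Python is an added example (not from the original write-up) run over constructed, Sysmon-like process-creation events: it flags the Defender real-time-protection disable command, copa.exe execution, execution under the PsExec service, and an IIS worker process spawning a shell, and escalates a host where the Defender tamper precedes copa.exe.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2021-10-08T02:11:04", "host": "FIN-WS07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2021-10-08T02:12:30", "host": "FIN-WS07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\copa.exe", "cmdline": "copa.exe"},
    {"ts": "2021-10-08T02:40:00", "host": "EXCH01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2021-10-08T03:05:12", "host": "FS02", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\Temp\copa.exe", "cmdline": r"C:\Windows\Temp\copa.exe"},
    {"ts": "2021-10-08T09:00:00", "host": "IT-WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev):
    """Return the names of the rules an event triggers (empty list if benign)."""
    hits = []
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"].lower()
    # Defender real-time protection switched off from PowerShell (vector 2)
    if img == "powershell.exe" and "set-mppreference" in cmd and re.search(r"-disablerealtimemonitoring\s+\$true", cmd):
        hits.append("defender_realtime_disabled")
    if img == "copa.exe" or "copa.exe" in cmd:
        hits.append("copa_binary_executed")
    # PsExec service spawning a process on the target (vector 3)
    if parent == "psexesvc.exe":
        hits.append("psexec_remote_execution")
    # IIS worker process spawning a shell: typical webshell behaviour (vector 3)
    if parent == "w3wp.exe" and img in {"cmd.exe", "powershell.exe"}:
        hits.append("exchange_webshell_child_process")
    return hits

def detect(events):
    """Classify events in time order; escalate when copa.exe runs on a host after Defender was disabled."""
    alerts, tamper_seen = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = classify(ev)
        if "defender_realtime_disabled" in hits:
            tamper_seen.add(ev["host"])
        severity = "high"
        if "copa_binary_executed" in hits and ev["host"] in tamper_seen:
            hits.append("tamper_then_ransomware_sequence")
            severity = "critical"
        if hits:
            alerts.append({"host": ev["host"], "ts": ev["ts"], "rules": hits, "severity": severity})
    return alerts
```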

Remediation & Recovery Strategies:

1. Prevention

  • Patch Exchange Immediately: Install the Exchange Security Updates released March–May 2021.
  • Disable & Monitor SMBv1 system-wide (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  • Hard-Roll Credential Policies:
    a. Enforce 15+ character passwords.
    b. Implement privileged access workstations (PAWs).
    c. Use Azure MFA or Duo for every interactive logon.
  • Inbound RDP Lockdown: Require binary whitelisting and Network Level Authentication (NLA), and block TCP/3389 externally via geo-restrictions.
  • Application Control: Deploy Microsoft Defender Application Guard or AppLocker to prevent execution of unsigned binaries (the copa.exe hash has been added to Microsoft’s blocklist).
  • Network Segmentation: Isolate IPC shares on subnet VLANs to halt lateral PsExec propagation.

2. Removal

Step-by-step cleanup for a single workstation, or for an orchestrated fleet via Microsoft Defender for Endpoint (MDE):

  1. Physical/Network Isolation:
    a. Pull Ethernet/Wi-Fi or isolate switch port.
    b. From AD, immediately disable the infected computer account to invalidate any Kerberos tickets.
  2. Boot into WinRE:
    Windows Recovery Environment → “Clean boot” to bypass any scheduled autorun (schtasks /query /tn \Microsoft\Windows\copabck).
  3. Scan + Eradication:
    a. Run Microsoft Defender Offline (MpCmdRun -Scan -ScanType 3 -File C:\).
    b. Alternative: ESET SysRescue Live or Sophos HitmanPro Kickstart to disinfect before Windows loads.
  4. Delete persistence:
    a. Registry RunKeys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\SYSTEM\CurrentControlSet\Services\copasrv.
    b. Scheduled task: C:\ProgramData\copabck.xml.
  5. Verify:
    Compare last-modified timestamps on critical directories (e.g., C:\Windows\System32) with the hashes of a clean Windows installation; confirm no tampered kernel drivers (list loaded filter drivers with fltMC.exe) and no remote-access tools left behind as backdoors (AnyDesk, Atera, RustDesk).

3. File Decryption & Recovery

  • Recovery Feasibility: Partial.
    Copa is an early-generation Chaos-builder strain (4.0–5.0 based), and the static XOR keys used in its 1 MB overwrite routine have been reverse-engineered.
  • Essential Tools:
    a. Emsisoft Decryptor for STOP/DJVU v2.1.6 (Chaos-compatible fork), free, released November 2021.
    b. Avast Decryptor 2.0, which covers alternate Chaos key pairs.
    c. KapeFiles Recovery Bundle, for file carving and shadow-copy reconstruction.
  • Important Caveat:
    If the ransom note demands “send [email protected]”, your samples are from Build 5.2+, which added a 1024-bit RSA public key. These newer strains are currently NOT decryptable with public tools; fall back to offline backups or shadow-copy forensics.

4. Other Critical Information

  • Ransom Note Naming:
    _readme.txt, _HOW_TO_RECOVER_FILES_.copa.txt, or README_FOR_DECRYPT.copa.txt – placed in every encrypted folder, desktop, and programs menu.
  • Ransom Sum:
    Original demand = $980 for the private key; 50 % discount ($490) if contact occurs within 72 h.
  • Unique Differentiators:
    a. Concurrent screen-lock image swap with a red-on-black skull wallpaper.
    b. Checks for endpoint protection drivers (amsdk.sys) and temporarily creates a null-named mutex to avoid re-infection race conditions; a useful IOC for EDR.
  • Broader Impact:
    a. Attacked three German hospitals, leading to ambulance diversion for 36 h (October 2021).
    b. Spread laterally through an MSP’s Kaseya instance (a smaller echo of the REvil incident), which highlights the need for software bill-of-materials (SBOM) screening in downstream supply chains.