cope

[Content by Gemini 2.5]

=====================================================================

IN-DEPTH RANSOMWARE CHARACTER SHEET – “COPE” ransomware

1. TECHNICAL BREAKDOWN

1.1 File Extension & Renaming Patterns

  • Extension used: .cope (e.g., thesis.docx → thesis.docx.cope)
  • Renaming convention: Files keep their original name and base extension; “.cope” is simply appended. No cryptographic basenames, no email addresses inside the filename.

1.2 Detection & Outbreak Timeline

  • First publicly documented samples: September 2022.
  • Widespread reporting on incident & DFIR mailing lists: November-December 2022.
  • Last sustained cluster of detections (as of this report): May 2024.
    – The family still sees occasional, geographically localized spikes (RDP-facing servers in Southeast Asia and Latin America).

1.3 Primary Attack Vectors

  1. Malicious phishing email with ISO / IMG lures
    – Subject lines often imitate W-9 forms or overdue invoices.
  2. RDP exposure / Brute-force (port 3389, weak admin credentials, missing NLA).
  3. Exposed SMBv1 servers, exploited via the EternalBlue (MS17-010) path when available; the Cope dropper does not, however, exhibit WannaCry-style worming.
  4. Drive-by via pirated software installers – Cracks/keygens bundled with the RaaS pack.
  5. AIGScript exploit chain – internal name in samples pointing to abuse of Atera Agent self-update and AnyDesk in “reactive maintenance” scenarios after initial foothold.

2. REMEDIATION & RECOVERY STRATEGIES

2.1 Prevention

  • Patch aggressively:
    – MS17-010 (EternalBlue) [deployment was supposedly scheduled by January 2018, but critical pieces are still missing on legacy boxes]
    – Remote Desktop Services (010, 033, 062, 063, 1016, 3862, August 2023 fixes)
  • Disable SMBv1 network-wide and block 445 egress if not required.
  • Enforce strong passwords and account-lockout policies for RDP accounts via GPO.
  • Enable Network-Level Authentication (NLA).
  • AppLocker / SRP: Deny execution from %TEMP% & %APPDATA%\Random\ to neutralize start-up routines.
  • EDR plus email filtering to catch ISO attachments and JavaScript/LNK droppers packed inside ISOs.
  • Fundamental: daily offline/off-site backups with write protection (WORM, S3 Object Lock, etc.) and test restores from the air-gapped copy.

2.2 Removal

Step-by-step scrubbing guide (Windows host)

  1. Isolate: physically pull the Ethernet cable or place the host in an isolation VLAN before power-on to contain lateral spread.
  2. Run attrib -s -h *.exe in the system folders to unhide dropped executables, then inspect the Registry Run keys. Look for common names:
    – “svsetup.exe”, “AIGScript.exe”, “winupdate_x86.exe”.
  3. Boot into Safe Mode without Networking → run Malwarebytes, ESET Rescue, or Sophos Scan & Clean to kill dropper + secondary payloads.
  4. Check Scheduled Tasks (schtasks /query /fo csv > tasks.csv) → delete all unreferenced random GUID-named tasks created by the malware.
  5. Clean Registry:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\setup
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1
    Remove the DisableAntiSpyware value (the malware sets it to 1) and confirm Defender is re-enabled afterwards.
  6. Reboot normally → install OS updates released in the last 2–3 cumulative security rollup cycles (this typically also reinstalls the current RDP & PrintNightmare patches).
  7. Verify integrity with SFC /scannow & DISM /online /cleanup-image /restorehealth.
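The following script is an added example (not from the original sheet or any vendor tool) that automates the scheduled-task review in step 4: it reads the CSV produced by schtasks /query /fo csv, flags tasks whose leaf name is a bare GUID, and, when the verbose “Task To Run” column is present (schtasks /query /v /fo csv), also flags tasks that launch one of the dropper names listed in step 2. The CSV sample embedded in the script is constructed for illustration.

```python
"""Triage `schtasks /query /fo csv` output for Cope-style persistence.

Added example, not from the original sheet. Flags tasks whose leaf name is a
bare GUID (the pattern step 4 describes) and, when the verbose "Task To Run"
column exists, tasks that launch one of the dropper names from step 2.
"""
import csv
import io
import re

# Leaf task names that are nothing but a GUID, with or without braces.
GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$",
    re.IGNORECASE,
)

# Dropper file names from section 2.2 step 2 (matched case-insensitively).
KNOWN_DROPPERS = {"svsetup.exe", "aigscript.exe", "winupdate_x86.exe"}

# Constructed sample in the shape of `schtasks /query /v /fo csv`; plain
# `/fo csv` output carries only TaskName, Next Run Time and Status.
SAMPLE_CSV = r'''"HostName","TaskName","Next Run Time","Status","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","%windir%\system32\defrag.exe -c"
"WS01","\{9d3f2a1c-4b6e-4f0a-9c2d-1e5b7a8c3d4f}","N/A","Ready","C:\Users\Public\svsetup.exe"
"WS01","\Backup\NightlySync","22:00:00","Ready","C:\Tools\sync.cmd"
"WS01","\8b2e4c6a-1f3d-4e5b-9a7c-2d4f6e8a0b1c","N/A","Running","C:\Windows\Temp\winupdate_x86.exe /silent"
'''


def triage_tasks(csv_text: str) -> list:
    """Return a list of {task, reason} findings for suspicious entries."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "") or ""
        leaf = name.rsplit("\\", 1)[-1]          # last path component
        command = row.get("Task To Run", "") or ""
        reasons = []
        if GUID_RE.match(leaf):
            reasons.append("leaf name is a bare GUID")
        # First token of the command, reduced to its file name.
        exe = command.split()[0].rsplit("\\", 1)[-1].lower() if command.strip() else ""
        if exe in KNOWN_DROPPERS:
            reasons.append(f"launches known dropper name {exe}")
        if reasons:
            findings.append({"task": name, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for hit in triage_tasks(SAMPLE_CSV):
        print(f"{hit['task']}: {hit['reason']}")
```

Run it against a real export with triage_tasks(open("tasks.csv", encoding="utf-8-sig").read()); the BOM-tolerant encoding matters because schtasks on some locales writes a byte-order mark that would otherwise corrupt the first header name. Treat a GUID-named task as a lead, not proof: confirm the “Task To Run” target before deleting, since a few legitimate installers also register GUID-named tasks.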

2.3 File Decryption & Recovery

  • DECRYPTABILITY: YES – Multiple editions of Cope use offline keys.
  • Available decryptor:
    Emsisoft “Cope Decryptor” (V2.1, last updated 06-Apr-2024).
    • Download link: https://www.emsisoft.com/decrypter/cope-ransomware
    • Requires a sample of the original cope.exe binary (not a renamed copy) so the tool can extract the victim-ID → offline-key mapping.
  • If the decryptor fails: the files were encrypted by newer builds (Cope v3.2+), which negotiate keys in memory via ECDH; restore from your air-gapped backups.

2.3.1 Using the Decryptor

a. Collect the ransom notes “README1.png” and “README2.txt”, plus a pair of original (unencrypted) files taken from the same PC before the infection.
b. Run the tool as administrator → browse to a sample encrypted file → it auto-detects the key.
c. Select the target folder(s) → wait for the progress bar to reach 100 % → confirm that at least one 50 MB file matches its pre-infection checksum.
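An added example, not part of the sheet or of the Emsisoft tool, that supports steps b and c: it inventories files that follow the “.cope” append pattern from section 1.1 (so the expected decrypted name is known before the decryptor runs) and verifies a decrypted file against a pre-infection SHA-256 baseline. Every file and hash in it is constructed in a temporary directory.

```python
"""Inventory Cope-renamed files and verify decryptor output.

Added example; not from the original sheet or the Emsisoft decryptor.
Section 1.1 states that the family appends ".cope" to the full original
name and keeps the base extension, so thesis.docx.cope -> thesis.docx.
"""
import hashlib
import os
import tempfile
from pathlib import Path

EXT = ".cope"


def original_name(path: str):
    """Return the pre-encryption file name for a Cope-renamed file, else None.

    A file named just ".cope", or one whose base has no extension of its own,
    is not treated as a match, to avoid false positives from unrelated files.
    """
    name = os.path.basename(path)
    if not name.lower().endswith(EXT) or len(name) <= len(EXT):
        return None
    base = name[: -len(EXT)]
    if "." not in base.strip("."):
        return None
    return base


def inventory(root: str) -> dict:
    """Map original extension -> [(encrypted path, expected decrypted name)].

    Grouping by extension makes it easy to pick the large test candidates
    step c asks for.
    """
    groups = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            orig = original_name(str(p))
            if orig:
                ext = orig.rsplit(".", 1)[-1].lower()
                groups.setdefault(ext, []).append((str(p), orig))
    return groups


def sha256_file(path: str) -> str:
    """Stream the file so 50 MB candidates do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restored(path: str, expected_sha256: str) -> bool:
    """Step c: compare a decrypted file with the checksum recorded before the
    infection (from a backup catalogue or file-integrity baseline)."""
    return sha256_file(path) == expected_sha256.lower()


def demo() -> tuple:
    """Build a constructed directory tree and exercise both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed "pre-infection" document and its checksum baseline.
        doc = Path(tmp, "thesis.docx")
        doc.write_bytes(b"PK\x03\x04 constructed docx payload")
        baseline = sha256_file(str(doc))
        # Constructed encrypted artefacts and decoys.
        Path(tmp, "thesis.docx.cope").write_bytes(b"\x00" * 64)
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "ledger.xlsx.cope").write_bytes(b"\x00" * 64)
        Path(tmp, "README2.txt").write_text("ransom note (constructed)")
        Path(tmp, ".cope").write_bytes(b"")          # no base name: ignored
        inv = inventory(tmp)
        ok = verify_restored(str(doc), baseline)
        tampered = verify_restored(str(doc), "0" * 64)
        return sorted(inv), ok, tampered


if __name__ == "__main__":
    print(demo())
```

In a real case, run inventory() on the affected volume before the decryptor and keep the output: the count per extension is the number of files you expect back, and any entry the decryptor skips is a candidate for the v3.2+ in-memory key path described above, which means restoring that file from backup instead.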

2.4 Essential Tools & Patches Checklist

| Category | Name / KB | Notes |
|---|---|---|
| Backup verifier | Veeam SureBackup, AWS Backup Restore Test automation | integrity & RPO/RTO sanity |
| OS patches | MS17-010, CVE-2019-1182, CVE-2020-16898, Aug-2023 KB5028552 | cumulative |
| Hardening | Local Security Policy “Audit Logon Events” = 3; Azure/Microsoft Entra | RDP + VPN |
| EDR | CrowdStrike Falcon Insight, SentinelOne, Windows Defender + Tamper-Protection ON | detect persistent tasks |

2.5 Other Critical Information

  • Double-extortion vector: Cope exfiltrates files under 200 MB using rclone to Mega or SpiderOak; however, there is no public evidence yet that the group actually publishes the data – the publication claim appears to be more bluff than it was with earlier groups (Conti, Cicada).
  • SaaS/VM note: Hyper-V guests suffer guest-to-host snapshot loss when the admin vNIC is reachable; consider an isolated host-management VLAN.
  • Registry “flag-wipe” routine: a third encryption round starts when the mutex string Global\*%dKoPeMutex* is cleared by a scheduled script; this is an accidental race condition in the malware. If it is observed, shut the host down immediately to preserve the remaining files.
  • Geographic TTPs: Southeast-Asian ISPs see the highest proportion of false VPN egress → the adversary may be using “GCP” exit nodes.
  • Unique persistence: a secondary component, VBS\Script.vbs, runs rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,5 to mask registry modifications; this is not found in the related Phobos or Makop branches.
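Detection logic for the two host-observable behaviours listed above (rclone exfiltration to a cloud remote and the rundll32 desk.cpl call), as an added example that is not from the original sheet. The events are constructed, the field names (host, image, parent_image, command_line) are an assumed generic process-creation schema rather than any product's, and the rule treats the desk.cpl invocation as suspicious only when its parent is a script host, because the same command is also a legitimate way to open Display Settings.

```python
"""Process-creation rules for the Cope behaviours in section 2.5.

Added example; events are constructed and the field names are an assumed
generic schema. Two rules:
  * rclone.exe copying/syncing a local path to a named remote (high severity
    when the remote or command mentions mega/spideroak, medium otherwise);
  * rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,5 launched from a
    script host (the sheet attributes this to VBS\Script.vbs).
"""
import re

# "<verb> <source> <remote>:" as rclone writes it, e.g. "copy C:\x mega:y".
RCLONE_VERB_RE = re.compile(
    r"\b(copy|sync|move|copyto)\b\s+\S+\s+(\w[\w-]*):", re.IGNORECASE
)
CLOUD_HINT_RE = re.compile(r"\b(mega|spideroak)\b", re.IGNORECASE)
DESKCPL_RE = re.compile(r"shell32\.dll,\s*Control_RunDLL\s+desk\.cpl,,5", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Tools\rclone.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"rclone.exe copy C:\Users\Public\Documents mega:ws01 --max-size 200M"},
    {"host": "FS02", "image": r"C:\Tools\rclone.exe", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"rclone.exe sync D:\Shares\Finance offsite:finance"},
    {"host": "WS01", "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,5"},
    {"host": "WS03", "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,5"},   # benign: user opened display settings
    {"host": "WS03", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "chrome.exe"},
]


def _leaf(path: str) -> str:
    """File name component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a finding dict for a suspicious event, or None."""
    image = _leaf(event.get("image", ""))
    parent = _leaf(event.get("parent_image", ""))
    cmd = event.get("command_line", "") or ""
    if image == "rclone.exe":
        m = RCLONE_VERB_RE.search(cmd)
        if m:
            sev = "high" if CLOUD_HINT_RE.search(cmd) else "medium"
            return {"rule": "rclone-exfil", "severity": sev, "remote": m.group(2).lower()}
        # rclone present but no transfer verb: still worth a look on a workstation.
        return {"rule": "rclone-present", "severity": "low", "remote": None}
    if image == "rundll32.exe" and DESKCPL_RE.search(cmd):
        if parent in SCRIPT_HOSTS:
            return {"rule": "deskcpl-from-script-host", "severity": "high", "parent": parent}
        return None  # interactive launch of Display Settings is benign
    return None


def scan(events: list) -> list:
    """Apply classify() to every event and collect the findings with host."""
    out = []
    for e in events:
        hit = classify(e)
        if hit:
            out.append({"host": e.get("host"), **hit})
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

The medium-severity rclone hit is deliberate: the sheet names Mega and SpiderOak, but the remote name is chosen by the operator, so a named remote of any kind on a host that has no business running rclone deserves the same follow-up (check the remote's type in the rclone config the process loaded, and the byte counts leaving that host).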

=====================================================================
PREPARED BY: ICS-ISAC dfir-hive 2024-06-xx
LICENSE: CC-BY-SA 4.0 – feel free to redistribute & update