cosd

[Content by Gemini 2.5]

Technical Breakdown: cosd Ransomware (STOP/Djvu Family)

1. File Extension & Renaming Patterns

  • Exact Extension in Use: .cosd (a plain suffix appended immediately after the original filename)

  • Renaming Convention
    Original file: ProjectProposal_Q3.docx
    After encryption: ProjectProposal_Q3.docx.cosd

  • Original extension and base filename remain intact; .cosd is simply tacked on.

  • Files with identical names in different folders remain unduplicated; only the extension changes.

  • If a double-extension trick is attempted (a malicious file named file.pdf.cosd.exe), the victim still sees .exe on disk, but the malware does NOT use double extensions when encrypting victim data.

2. Detection & Outbreak Timeline

  • First Sightings: Mid-August 2021 (ESET, Kaspersky telemetry spike noted 2021-08-12).
  • Ramp-up Period: September–October 2021, with continual variant rotations every 6–8 weeks (djvu authors iterate nightly).
  • Global Reach: Over 75,000 victims reported to ID-Ransomware alone between August 2021 and June 2024.

3. Primary Attack Vectors

  • Malvertising & Rogue Ad-Networks: Simply visiting a “cracked-software” or “game-cheat” site (via Google Ads or Telegram links) delivers an obfuscated NSIS installer that embeds the cosd payload.
  • Software Keygens/Cracks: Fake KMS tools (kmsauto-net.exe, adobe-gen.zip).
  • Exploitation Scenarios:
    • Pirated Windows ISO images silently embedded with a Task-Scheduler script that runs kros.exe two hours post-boot.
    • A “Teams Nitro generator” Discord bot DM delivers a JavaScript dropper that downloads cosd in-memory via PowerShell.
  • Missing Patches NOT used: STOP/Djvu variants no longer rely on EternalBlue or RDP exploits; the payload requires a user to launch the initial dropper (user-assisted execution).

Remediation & Recovery Strategies

1. Prevention

  1. Prevent Executables in User-Writable Paths
    • Use Windows Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” – GUID d1e49aac-8f56-4280-b9ba-993a6d77406c.
  2. Software Restriction Policy / AppLocker
    • Deny %userprofile%\Downloads\*.exe and %userprofile%\Desktop\*.exe wholesale.
  3. Broad Patch Hardening (for good hygiene)
    • Patch Microsoft Office, Adobe Acrobat/Reader, and every browser monthly.
  4. User-Education
    • 30-second micro-learning with screen capture of fake “Windows Pro Activator.exe” prompt.
  5. Backup Strategy
    • Daily incremental, offline once daily (USB or immutable cloud bucket with WORM/S3 Object Lock >24 h).
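Added example (not part of the original write-up): enabling the ASR rule from step 1 in Block mode and verifying it, from an elevated PowerShell session on a host where Microsoft Defender Antivirus is the active engine. The GUID is the one quoted above; the event IDs (1121 block, 1122 audit) are Defender's standard ASR events.

```powershell
# Added example (not from the original write-up): enable the ASR rule named in
# step 1 in Block mode and confirm the change. Assumes an elevated session on a
# host where Microsoft Defender Antivirus is the active engine.
$ruleId = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'

function Get-AsrRuleState {
    param([string]$Id)
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) {
            # Defender stores the action as a number: 0=Disabled 1=Block 2=Audit 6=Warn
            switch ($actions[$i]) {
                0 { return 'Disabled' } 1 { return 'Block' } 2 { return 'Audit' } 6 { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

"Before: $(Get-AsrRuleState $ruleId)"

# Roll out in AuditMode first on a pilot group if you need to measure false
# positives on line-of-business installers, then switch the action to Enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId `
                 -AttackSurfaceReductionRules_Actions Enabled

"After:  $(Get-AsrRuleState $ruleId)"

# What the rule has stopped so far: event 1121 = blocked, 1122 = audit-only hit,
# in the Defender operational log. A dropper launched from Downloads and caught
# here never gets to run the cosd payload.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                                 Id = 1121, 1122 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { ($_.Message -split "`n") | Select-Object -First 1 } }
```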

2. Removal (Step-by-Step)

  1. Isolate
    • Physically unplug the NIC / disable Wi-Fi to prevent further C2 communication.
  2. Boot into Safe Mode With Networking
    • Tap F8 or Shift-Restart → Troubleshoot → Advanced → Startup Settings → 4.
  3. Remove Persistence
    • Remove the scheduled task Time Trigger Task (random GUID name) in the Task Scheduler Library.
    • Delete registry keys:

      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

  4. Scan with Companion Tools
    • Microsoft Defender Offline scan (System tray → Microsoft Defender → Virus & Threat → Scan Options).
    • Run Malwarebytes Anti-Malware to clean remaining adware droppers.
  5. Restore Deleted Shadow Copies (optional)
    • Use vssadmin list shadows and vssadmin delete shadows /all only AFTER recovery is complete.
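Added example (not part of the original write-up): a report-first triage of the three persistence points named in step 3, to run from an elevated Safe Mode session. The task name, Run value and IFEO key are the ones listed above; the -Remove switch and the function name are this example's own.

```powershell
# Added example, not from the original write-up: enumerate the persistence
# artefacts listed in step 3 and, only when -Remove is passed, delete them.
# Review the report first; Safe Mode + elevated session assumed.
function Invoke-CosdPersistenceCheck {
    param([switch]$Remove)
    $findings = @()

    # 1. Scheduled task "Time Trigger Task" (the wildcard also catches randomised names)
    $tasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
               Where-Object { $_.TaskName -like 'Time Trigger Task*' })
    foreach ($t in $tasks) {
        $findings += "Task: $($t.TaskPath)$($t.TaskName) -> $($t.Actions.Execute)"
        if ($Remove) {
            Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
        }
    }

    # 2. HKCU Run value "SysHelper"
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['SysHelper']) {
        $findings += "Run value SysHelper -> $($run.SysHelper)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'SysHelper' }
    }

    # 3. IFEO key for explorer.exe (a "Debugger" value redirects explorer to another binary)
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
    if (Test-Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
        $findings += "IFEO explorer.exe present (Debugger = '$dbg')"
        if ($Remove) { Remove-Item -Path $ifeo -Recurse -Force }
    }

    if ($findings.Count -eq 0) { return 'No listed persistence artefacts found.' }
    return $findings
}

Invoke-CosdPersistenceCheck            # report only
# Invoke-CosdPersistenceCheck -Remove  # second pass, after reviewing the report
```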

3. File Decryption & Recovery

  • Current Situation: Files encrypted from August 2021 onward (the cosd epoch) use an ONLINE key stored on the operator’s server. That means in most infections the decrypter cannot retrieve the RSA-1024 key offline → ransom demanded (~US$980; discounted to $490 if paid within 72 h).
  • Exception – OFFLINE KEY infections
    • If the machine happened to be disconnected at the time of encryption and used the embedded offline key, Michael Gillespie’s STOPDecrypter (now hosted at https://decrypter.emsisoft.com/cosd) will produce a working “.decrypt” file.
    • Identify an offline key: open C:\SystemID\PersonalID.txt; if all entries end in “t1” the key is offline.
    • Use the Emsisoft decryptor with the _readme.txt master key at stop.txt (instructions built into the tool).
  • No Offline Key? – Roll back to backups or use file-carving recovery: Recuva, Stellar, DiskDigger. Expect partial success (non-fragmented files only).
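Added example (not part of the original write-up): automating the offline-key check from the Exception bullet and building an inventory of .cosd files with their original names restored, which is the list you hand to the decryptor or to a restore-from-backup job. The PersonalID.txt path and the “t1” suffix are as stated above; the function names and the CSV output path are this example's own.

```powershell
# Added example, not from the original write-up. Offline key iff *every*
# non-empty line of PersonalID.txt ends in "t1" (per the note above).
function Test-CosdOfflineKey {
    param([string]$IdFile = 'C:\SystemID\PersonalID.txt')
    if (-not (Test-Path $IdFile)) { return $null }          # absent: cannot decide
    $ids = @(Get-Content $IdFile | Where-Object { $_.Trim() -ne '' })
    if ($ids.Count -eq 0) { return $null }
    $online = @($ids | Where-Object { $_.Trim() -notlike '*t1' })
    return ($online.Count -eq 0)
}

# Inventory of encrypted files: the ransomware only tacks ".cosd" onto the
# original name, so stripping that suffix recovers the original filename.
function Get-CosdInventory {
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -Path $Root -Recurse -File -Filter '*.cosd' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Encrypted    = $_.FullName
                OriginalName = $_.Name -replace '\.cosd$', ''
                SizeBytes    = $_.Length
                Modified     = $_.LastWriteTime   # approximates encryption time
            }
        }
}

$offline = Test-CosdOfflineKey
if ($offline -eq $true) {
    'All IDs end in t1: OFFLINE key, run the Emsisoft decryptor.'
} elseif ($offline -eq $false) {
    'At least one ID lacks the t1 suffix: ONLINE key, fall back to backups or file carving.'
} else {
    'PersonalID.txt missing or empty: key type undetermined.'
}

$inventory = @(Get-CosdInventory)
"$($inventory.Count) .cosd files found under $env:USERPROFILE"
$inventory | Export-Csv -Path "$env:USERPROFILE\cosd-inventory.csv" -NoTypeInformation
```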

4. Other Critical Information

  • Secondary Malware Payload: cosd’s installer frequently drops RedLine Stealer, Amadey bot, or Vidar immediately after encryption – expect credentials leaked even if the ransom remains unpaid.
  • Unique Identifier: The ransom note is always named _readme.txt but contains a secondary file PersonalID.txt with both machine GUID and affiliate id (“id[custom string]”); that ID helps researchers map campaign clusters.
  • Wider Impact:
    • Predominantly strikes home users and micro-businesses (Windows 10/11 PCs where AV was disabled to run cracks).
    • About 4 % of incident tickets at Staples Tech Services store are STOP/Djvu derivatives, making cosd one of the most encountered strains in consumer support channels.

Cheat-Sheet: Quick Actions List

  1. Power off immediately if encryption is still running ↔ check for a “system.exe –k” process hogging high CPU.
  2. Boot Safe Mode, snapshot or DD ISO forensic copy, then run Emsisoft Decryptor.
  3. If decryptor fails → restore from 3-2-1 backups, reset RedLine credentials (change every stored password), and deploy the ASR block lists above to prevent reinfection.

By systematically sealing the user-assisted infection vector and maintaining offline backups, cosd—and its future Djvu cousins—become almost entirely preventable.