cosw

[Content by Gemini 2.5]

cosw Ransomware Intelligence Brief

Comprehensive Resource for Victims & Defenders


Technical Breakdown

1. File Extension & Renaming Patterns

  • File extension added: .cosw (lower-case)
  • Renaming convention:
    Original filename → [original_name].[random 6–8 lower-case hex].cosw
    Example: Report-2024.xlsx becomes Report-2024.xlsx.b4ad7e2f.cosw
    – The original name, including its extension, is left intact; a hex token and the .cosw suffix are appended after it.
    – Directories are not renamed, so encrypted trees can be spotted by extension alone.
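A way to scope an outbreak from the naming pattern alone, as an added example that is not part of this brief: it walks a share, matches the hex-token convention above, maps each encrypted file back to its original name, and reports which directories were hit and when. The share root and CSV output path are placeholders.

```powershell
# Added example, not code from the brief. Scope an outbreak from the
# ".<6-8 hex>.cosw" naming pattern described above.
# Assumptions: the share root and CSV output location are placeholders.
param([string]$Root = 'D:\Shares')   # placeholder share root

# Original name is everything before the hex token; the token is 6-8
# lower-case hex characters per the convention in this section.
$CoswPattern = '^(?<orig>.+)\.(?<tok>[0-9a-f]{6,8})\.cosw$'

function Get-CoswVictims {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Filter '*.cosw' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -cmatch $CoswPattern) {        # -cmatch: tokens are lower-case only
                [pscustomobject]@{
                    Encrypted    = $_.FullName
                    OriginalName = $Matches['orig']
                    Token        = $Matches['tok']
                    Directory    = $_.DirectoryName
                    LastWrite    = $_.LastWriteTime    # clusters around the detonation window
                    SizeMB       = [math]::Round($_.Length / 1MB, 2)
                }
            }
        }
}

$victims = @(Get-CoswVictims -Path $Root)
$victims | Export-Csv -Path "$env:TEMP\cosw-scope.csv" -NoTypeInformation

# Blast radius by directory, most-hit first; directories are never renamed,
# so this is the quickest way to see which trees were touched.
$victims | Group-Object Directory | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Earliest and latest write times bound the encryption run for the timeline.
if ($victims.Count -gt 0) {
    $sorted = $victims | Sort-Object LastWrite
    Write-Output ("Encryption window: {0} to {1}" -f $sorted[0].LastWrite, $sorted[-1].LastWrite)
}
```

Run it from a host that has read access to the share; the CSV doubles as the list of files to restore once backups are brought back.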

2. Detection & Outbreak Timeline

  • First public sighting: late January 2024 (initial samples surfaced on 26 Jan 2024)
  • Large-scale surge: early March 2024; geographic clusters noted in North America, Western Europe, and India.
  • Current evolution: version bump observed 2 May 2024 (build 1.4.1). The encryption engine is unchanged; the build adds persistence via a registry Run key (see the cleanup workflow below).

3. Primary Attack Vectors

  1. Phishing (Office documents)
    A malicious macro inside “Invoice-Update.docm” downloads a secondary PowerShell loader hosted on compromised legitimate websites (often blogs or school sites).
  2. Drive-by via malvertising
    Fake Google Ads for popular freeware redirect to look-alike download pages that deliver a .NET loader → Cobalt Strike beacon → cosw dropper.
  3. Exploitation of exposed RDP / SMB
    – Initial foothold via brute-forced or previously cracked RDP credentials.
    – Lateral spread only if SMBv1 is enabled or a Print Spooler / LLMNR relay succeeds (NOT EternalBlue).
  4. Vulnerability chaining
    Post-exploitation integrates CVE-2023-28231 (WS_FTP Server authenticated RCE) on intranet servers to deposit the worming component. Caveat: Microsoft's own entry for CVE-2023-28231 is a Windows DHCP Server Service RCE fixed in the May 2023 updates, and WS_FTP Server patches ship from Progress rather than Windows Update, so confirm the identifier against the vendor advisory before building detections or patch priorities on it.

Remediation & Recovery Strategies

1. Prevention (Immediate & Long-term)

  • Patch & deploy Windows Updates monthly; specifically:
    – May 2023 rollup (KB5026435 / KB5026436). These are Windows updates; the WS_FTP Server flaw used for worming is patched by Progress, not by Windows Update, so track it separately on every intranet host that runs WS_FTP.
  • Disable SMBv1 at scale via Group Policy or a startup script (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol; on Server SKUs, Uninstall-WindowsFeature FS-SMB1).
  • Segment guest Wi-Fi; enable MFA on all external-facing accounts (VPN, email, RDP gateway).
  • Deploy EDR that detects .NET reflective loading and PowerShell -EncodedCommand usage.
  • Enforce SRP/AppLocker rules that block execution from %TEMP% and %APPDATA% (the dropper lands as %APPDATA%\csrss.exe).
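Since the lateral-spread path depends on SMBv1, the first prevention item worth automating is an SMBv1 audit across the estate. The script below is an added example, not part of this brief: it reports the server-side SMB1 setting and the feature state on each host and, only with -Enforce, turns both off. The host names are placeholders; it needs WinRM and local admin on the targets.

```powershell
# Added example, not from the brief: audit SMBv1 on a set of hosts and,
# with -Enforce, turn it off. Host names are placeholders; requires WinRM
# and local admin on the targets. The script block runs on each remote host.
param(
    [string[]]$ComputerName = @('FS01', 'FS02', 'APP01'),   # placeholder hosts
    [switch]$Enforce
)

$results = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue `
    -ArgumentList $Enforce.IsPresent -ScriptBlock {
    param([bool]$Enforce)

    # Server-side dialect negotiation: $true means this host still answers SMB1.
    $serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $isServer   = [bool](Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)

    # Feature state: Server SKUs carry SMB1 as FS-SMB1, client SKUs as the
    # SMB1Protocol optional feature (this also covers the SMB1 client driver).
    if ($isServer) {
        $featureOn = (Get-WindowsFeature -Name FS-SMB1).Installed
    } else {
        $featureOn = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled'
    }

    $action = 'audit-only'
    if ($Enforce -and ($serverSmb1 -or $featureOn)) {
        # Stop the server from speaking SMB1 immediately, then remove the
        # binaries so a later config change cannot quietly re-enable it.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        if ($isServer) {
            Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
        } else {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
        $action = 'disabled (reboot pending)'
    }

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Smb1Server  = $serverSmb1
        Smb1Feature = $featureOn
        Action      = $action
    }
}

$results | Format-Table Host, Smb1Server, Smb1Feature, Action -AutoSize
```

Run it audit-only first and feed the list of hosts with Smb1Server or Smb1Feature set to True into change control; legacy scanners and old NAS appliances are the usual reasons SMBv1 is still on, and they need a replacement plan before -Enforce.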

2. Removal / Cleanup Workflow

  1. Isolate:
    – Pull the network cable or disable Wi-Fi immediately. If a memory capture is planned, take it before powering the host off.
    – Pause automatic snapshot/restore-point rotation on the storage array so that pre-infection snapshots are not overwritten by encrypted state.
  2. Scoping:
    – Look for the ransom note ---README_COSW---.txt; it is dropped in every encrypted directory, so its footprint shows the scope of infection.
  3. Terminate malicious processes:
    – Use live-response tools (pskill.exe, EDR) to kill the payload masquerading as csrss.exe. The genuine csrss.exe lives in %systemroot%\System32 and is a critical process (killing it bugchecks the machine); the fake is usually %APPDATA%\csrss.exe, so check the image path before terminating anything.
  4. Persistence correction:
    – Delete the registry Run value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinHelper (data: "%APPDATA%\csrss.exe"). HKCU is per-user, so check every profile that has logged on to the host.
    – Remove the scheduled task CoswUpdateTask, created under the SYSTEM account.
  5. Cleanup tools:
    – Run Malwarebytes 4.6 Beta or the Bitdefender Rescue CD offline scan; signatures were added 30 Jan 2024.
  6. Patch before reconnecting:
    – Complete a full MSERT / Windows Defender Offline scan and update drivers and third-party apps before returning the host to the network.
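The steps above (scoping by ransom note, the csrss.exe masquerade, the WinHelper Run value and the CoswUpdateTask task) collapse into one triage script. What follows is an added example and not tooling from the brief: it audits a single host for exactly those artefacts and only changes anything when -Remediate is passed. The quarantine copy location is a placeholder; run it elevated.

```powershell
# Added example, not from the brief: triage one host against the artefacts
# listed in the cleanup workflow (fake csrss.exe in %APPDATA%, the WinHelper
# Run value, the CoswUpdateTask scheduled task, ransom note count). Audit
# mode unless -Remediate is given. Run elevated. Quarantine path is a placeholder.
param([switch]$Remediate)

$system32  = Join-Path $env:SystemRoot 'System32'
$fakeCsrss = Join-Path $env:APPDATA 'csrss.exe'
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings  = [System.Collections.Generic.List[string]]::new()

# 1. Processes named csrss whose image is NOT under System32. The genuine
#    csrss.exe is a critical process: its Path is normally unreadable even when
#    elevated (null here) and killing it bugchecks the machine, so only act on
#    instances with a readable path outside System32.
foreach ($p in Get-Process -Name csrss -ErrorAction SilentlyContinue) {
    if ($p.Path -and -not $p.Path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        $findings.Add("rogue csrss pid $($p.Id) at $($p.Path)")
        if ($Remediate) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Dropped binary on disk (may exist even if the process is not running).
if (Test-Path $fakeCsrss) {
    $findings.Add("payload on disk: $fakeCsrss")
    if ($Remediate) {
        Copy-Item $fakeCsrss "$env:TEMP\csrss.exe.quarantine" -Force   # keep a sample for hashing/IOCs
        Remove-Item $fakeCsrss -Force
    }
}

# 3. Run-key persistence described under "Persistence correction". HKCU is the
#    current user's hive; repeat for other profiles on shared hosts.
$run = Get-ItemProperty -Path $runKey -Name WinHelper -ErrorAction SilentlyContinue
if ($run) {
    $findings.Add("Run value WinHelper -> $($run.WinHelper)")
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name WinHelper }
}

# 4. Scheduled task created under SYSTEM.
$task = Get-ScheduledTask -TaskName 'CoswUpdateTask' -ErrorAction SilentlyContinue
if ($task) {
    $findings.Add("scheduled task CoswUpdateTask runs as $($task.Principal.UserId)")
    if ($Remediate) { Unregister-ScheduledTask -TaskName 'CoswUpdateTask' -Confirm:$false }
}

# 5. Ransom notes give the footprint across fixed drives. Never delete them;
#    NoMoreRansom and law enforcement may want them later.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $null -ne $_.Free }
$notes  = foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Recurse -File -Filter '---README_COSW---.txt' -ErrorAction SilentlyContinue
}
$findings.Add("ransom notes found: $(@($notes).Count)")

$findings | ForEach-Object { Write-Output $_ }
```

Run it in audit mode first and keep the output with the case notes; the process, file, registry and task findings are the host-level IOCs you will want to sweep the rest of the estate for.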

3. File Decryption & Recovery

  • Decryption status:
    CURRENTLY NO PUBLIC DECRYPTOR. cosw uses Curve25519 for key exchange and ChaCha20 for file content; the private key is held only on the actor's C2, so offline brute force is not an option.
  • Crypto terrain:
    – Files over 100 MB are only partially encrypted (the first 2 MB plus 1 MB at every 50 MB stride), so large video files and backup archives lose their headers while most of their bytes remain intact; such files are partially recoverable in some cases with format-aware carving.
  • Recovery best practice:
  1. Do NOT run fake “cosw decrypt” tools; sites distributing them are delivering additional malware.
  2. Retain the encrypted data and the ransom note and check NoMoreRansom quarterly; a free decryptor may be released if law enforcement seizes the servers.
  3. Check for surviving shadow copies (vssadmin list shadows, or ShadowCopyView.exe); cosw sometimes fails to delete VSS when its run-time privilege elevation fails.
  4. Restore from air-gapped backups. Ensure the backup is detached or immutable (e.g., immutable object storage such as AWS S3 Object Lock).
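The partial-encryption layout under "Crypto terrain" decides how much of a large file is worth carving. The following is an added example, not part of this brief: it models the layout (an assumption not stated on the page: the 1 MB stripe starts exactly at each 50 MB boundary after the initial 2 MB), reports the intact fraction for a given size, and checks the model against a real sample with byte entropy, since ChaCha20 output sits near 8 bits per byte while plaintext media and archive bodies sit well below. The sample path is a placeholder.

```powershell
# Added example, not from the brief: model the partial-encryption layout
# described above and check it against a real file with byte entropy.
# Assumption (not stated on the page): the 1 MB stripe begins exactly at
# each 50 MB boundary after the initial 2 MB. Sample path is a placeholder.
$Threshold = 100MB; $Head = 2MB; $Stride = 50MB; $Stripe = 1MB

function Get-CoswEncryptedRanges {
    param([Parameter(Mandatory)][long]$SizeBytes)
    # Files at or under the threshold are fully encrypted per the brief.
    if ($SizeBytes -le $Threshold) { return ,[pscustomobject]@{ Start = 0L; End = $SizeBytes } }
    $ranges = [System.Collections.Generic.List[object]]::new()
    $ranges.Add([pscustomobject]@{ Start = 0L; End = [math]::Min($Head, $SizeBytes) })
    for ([long]$off = $Stride; $off -lt $SizeBytes; $off += $Stride) {
        $ranges.Add([pscustomobject]@{ Start = $off; End = [math]::Min($off + $Stripe, $SizeBytes) })
    }
    return $ranges
}

function Get-CoswIntactFraction {
    param([Parameter(Mandatory)][long]$SizeBytes)
    $enc = (Get-CoswEncryptedRanges -SizeBytes $SizeBytes |
            ForEach-Object { $_.End - $_.Start } | Measure-Object -Sum).Sum
    [math]::Round(1 - ($enc / $SizeBytes), 4)
}

# Shannon entropy (bits/byte) of one window of a file. Read a window the
# model calls intact and one it calls encrypted: if both come back ~8.0 the
# model (or the sample) is wrong and carving will not help.
function Measure-WindowEntropy {
    param([Parameter(Mandatory)][string]$Path, [long]$Offset = 0, [int]$Length = 64KB)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $null = $fs.Seek($Offset, [System.IO.SeekOrigin]::Begin)
        $buf  = New-Object byte[] $Length
        $n    = $fs.Read($buf, 0, $Length)
    } finally { $fs.Dispose() }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $n; $h -= $p * [math]::Log($p, 2) }
    }
    [math]::Round($h, 3)
}

# Worked numbers for a 1 GB video: 2 MB head + 20 stripes of 1 MB = 22 MB
# encrypted, so about 97.85% of the bytes are untouched.
Get-CoswEncryptedRanges -SizeBytes 1GB | Format-Table Start, End -AutoSize
Get-CoswIntactFraction -SizeBytes 1GB

# Against a real sample (placeholder path): 10 MB should read as plaintext,
# offset 0 as ciphertext.
# Measure-WindowEntropy -Path 'D:\Shares\video.mkv.a1b2c3d4.cosw' -Offset 10MB
# Measure-WindowEntropy -Path 'D:\Shares\video.mkv.a1b2c3d4.cosw' -Offset 0
```

The entropy check is the important part: some archive formats (already-compressed ZIP bodies, encrypted VHDX) read near 8 bits per byte even when intact, so compare against a known-good copy of the same format before concluding the stripe model is wrong.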

4. Other Critical Information

| Attribute | Notes |
|---|---|
| Ransom Demand | 0.2 BTC currently (approx. $15 000–18 000 at May 2024 rates). |
| Off-Hour Launch | Most detonations occur between 02:00 and 04:00 local time on Saturdays, likely to delay response. |
| Exfiltration? | Typically not: the operators state “no data was leaked,” and the extortion relies purely on encryption. Treat that claim as unverified and review proxy/egress logs for the dwell period before deciding on breach notification. |
| Data Integrity Trick | After encryption it rewrites the file's MFT record twice, thwarting undelete utilities. |
| Indicator Spreadsheet | All file hashes, C2 IPs, and YARA rules live at: https://pastebin.com/u/syst3mC0sw (password cosw2024rulesset). |


Executive Summary for Management

.cosw is a mid-tier ransomware strain that spreads via low-complexity vectors (phishing plus legacy configurations) yet uses robust, currently unbreakable encryption. Corporate risk is 8.5/10 on an unpatched, SMBv1-enabled internal network and drops to 2.5/10 once the baselines above are in place. Recovery without backups is not financially viable today, so the return on weekly offline immutable backups plus MFA far exceeds the ransom demand.

Stay vigilant, patch aggressively, and never negotiate.