calvo

[Content by Gemini 2.5]

Technical Breakdown for “Calvo” Ransomware (.calvo)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .calvo — victims will find their files renamed from example.docx to example.docx.calvo.
  • Renaming Convention: The ransomware preserves the original filename and extension in full and appends the new suffix, so a full file path would read
    C:\Users\<User>\Documents\report_2024.xlsx.calvo. This lets defenders quickly establish the scope of damage with a simple directory search for “.calvo”.
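The directory search suggested above, worked through as an added example (not code from the original write-up): it walks a tree, counts every file carrying the .calvo suffix, recovers the original extension from the double-extension naming pattern, and records which directories hold a calvo.read_it.txt note (the note filename comes from section 4 of this page). The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".calvo"                # suffix stated on the page
RANSOM_NOTE = "calvo.read_it.txt"    # ransom note filename stated on the page


def scope_encrypted_files(root):
    """Walk `root` and summarise the damage: number of .calvo files,
    the original extensions that were hit, the directories affected,
    and the directories where a ransom note was dropped."""
    summary = {
        "encrypted_count": 0,
        "by_original_ext": Counter(),
        "affected_dirs": set(),
        "note_dirs": set(),
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered == RANSOM_NOTE:
                summary["note_dirs"].add(dirpath)
            elif lowered.endswith(RANSOM_EXT):
                # report_2024.xlsx.calvo -> original suffix is .xlsx
                original = name[: -len(RANSOM_EXT)]
                ext = os.path.splitext(original)[1].lower() or "<none>"
                summary["encrypted_count"] += 1
                summary["by_original_ext"][ext] += 1
                summary["affected_dirs"].add(dirpath)
    return summary


def build_sample_tree(base):
    """Create a constructed layout that mimics the renaming pattern on
    the page (sample data only, not files from a real incident)."""
    layout = {
        "Documents/report_2024.xlsx.calvo": b"ciphertext",
        "Documents/notes.txt.calvo": b"ciphertext",
        "Documents/calvo.read_it.txt": b"note",
        "Pictures/holiday.jpg.calvo": b"ciphertext",
        "Pictures/calvo.read_it.txt": b"note",
        "Pictures/untouched.png": b"plain",   # not renamed, so not counted
        "Music/song.mp3": b"plain",
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


def demo():
    """Build the sample tree, scan it, and return a report with
    directory names made relative so the result is stable."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        s = scope_encrypted_files(tmp)

        def rel(p):
            return os.path.relpath(p, tmp)

        return {
            "encrypted_count": s["encrypted_count"],
            "by_original_ext": dict(s["by_original_ext"]),
            "affected_dirs": sorted(rel(d) for d in s["affected_dirs"]),
            "note_dirs": sorted(rel(d) for d in s["note_dirs"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `scope_encrypted_files()` at a mounted volume or a forensic image mount rather than a live infected host; the per-extension breakdown tells you at a glance whether documents, images or databases took the hit, and the note directories give a quick cross-check that the encryptor reached a folder even where nothing in it was renamed.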

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Available telemetry and public submissions date the first wide-scale sightings to mid-February 2024. A noticeable spike of .calvo-labeled submissions to VirusTotal occurred between 12-16 February 2024, cementing its place in contemporary threat intel feeds.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Malicious email campaigns (“shipping update”, “voice message”, or “invoice remittance” themes): ZIP/ISO or HTML attachment with downloader script launching PowerShell or BatLoader.
  2. Exchange server exploitation (a.k.a. ProxyNotShell-chain): HTA/DLL payload dropped via /autodiscover/autodiscover.json endpoint to stage Calvo executables.
  3. “Living-off-the-land” SMB abuse: After initial foothold, it leverages PSExec/WMI to move laterally and push Calvo binaries to shares lacking proper SMB signing.
  4. Cracked software installers (Photoshop, AutoCAD, KMSAuto, etc.): Bundled NSIS stub contains an obfuscated Calvo payload written to %AppData%\Local\TimeSync\SyncHost.exe.

Remediation & Recovery Strategies

1. Prevention

  • Patch Outlook/Exchange to at least March 2024 CU that neutralizes ProxyNotShell.
  • Disable macro execution from Internet-sourced Office files via Group Policy.
  • Enforce SMART AppLocker policies to block unsigned binaries in %AppData%\* and %TEMP%\*.
  • Implement network segmentation and restrict SMBv1/SMBv2 unsigned sessions (disable via GPO or PS: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  • Back up critical data to a cloud account NOT mapped as a drive letter (immutable object lock, S3 with MFA-delete, or WORM tape).
  • Reset any default/weak RDP credentials; deploy MFA for all remote access entry points.
  • Maintain DNS sinkholing against known BatLoader/Cobalt-Strike C2 domains (public lists maintained by abuse.ch and EmergingThreats).

2. Removal

  1. Isolate: Disconnect infected machines (both network and Wi-Fi); remove mapped network drives to prevent further encryption.
  2. Triangulate:
  • Identify the parent process of the encryptor: look for SyncHost.exe, WinDefender32.exe, or random five-letter executables under C:\ProgramData.
  • Filter in Sysmon for EventID 1 with command line *-m local -net.
  3. Kill Processes & Services:
  • Open Task Manager or a Remediation ISO → terminate the encryptor and any BatLoader components.
  • From Safe Mode with Networking, run: wmic process where "name like '%calvo%'" delete.
  4. Delete Artifacts:
  • %AppData%\Local\TimeSync\, %ProgramData%\[random]\ (contains “calvo.read_it.txt”).
  • Registry persistence keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TimeSync.
  5. Scan & Clean:
  • Boot from Bitdefender Rescue Environment or Microsoft Defender Offline; let the engine remove left-over infostealer modules (TrickBot remnants observed in many campaigns).
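The triangulation step above (Sysmon Event ID 1, command line containing -m local -net, the SyncHost.exe / WinDefender32.exe names, five-letter executables under C:\ProgramData) and the Run\TimeSync persistence value, expressed as hunting logic over exported Sysmon events. This is an added example, not tooling from the original write-up. It assumes a simplified JSON-per-line export with Sysmon's own field names (EventID, Image, CommandLine, ParentImage, TargetObject); real exports from Winlogbeat or NXLog nest these fields differently, so adapt the loader. The registry check uses Sysmon Event ID 13 (registry value set), which the page does not mention but which is the standard event for a Run-key write. The sample events are constructed.

```python
import json
import re

# Indicators taken from the page. Treat them as hunting leads to confirm,
# not as a complete signature: the encryptor's name and drop path can change.
KNOWN_IMAGES = {"synchost.exe", "windefender32.exe"}
DROP_DIR_FRAGMENT = "\\timesync\\"          # %AppData%\Local\TimeSync\
CMDLINE_FRAGMENT = "-m local -net"
RUN_KEY_FRAGMENT = "\\currentversion\\run\\timesync"
# "random five-letter executables under C:\ProgramData"
RANDOM_PROGRAMDATA = re.compile(r"^c:\\programdata\\[a-z0-9]{5}\.exe$", re.I)


def classify_event(ev):
    """Return the list of reasons a Sysmon event matches the page's
    indicators; an empty list means no hit."""
    reasons = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        base = image.rsplit("\\", 1)[-1].lower()
        if base in KNOWN_IMAGES:
            reasons.append(f"known encryptor image name {base}")
        if DROP_DIR_FRAGMENT in image.lower():
            reasons.append("image launched from TimeSync drop directory")
        if CMDLINE_FRAGMENT in cmd.lower():
            reasons.append("encryptor command-line fragment")
        if RANDOM_PROGRAMDATA.match(image):
            reasons.append("five-letter executable directly under C:\\ProgramData")
    elif eid == 13:  # registry value set
        if RUN_KEY_FRAGMENT in ev.get("TargetObject", "").lower():
            reasons.append("Run-key persistence value TimeSync")
    return reasons


def hunt(lines):
    """Parse JSON-per-line Sysmon events and return hits as
    (RecordID, image or registry target, reasons) tuples."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reasons = classify_event(ev)
        if reasons:
            target = ev.get("Image") or ev.get("TargetObject")
            hits.append((ev.get("RecordID"), target, reasons))
    return hits


# Constructed sample events (not real telemetry). Record 105 is a benign
# near-miss: "-m local" without "-net" must not fire.
SAMPLE_LOG = r"""
{"RecordID": 101, "EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"RecordID": 102, "EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\TimeSync\\SyncHost.exe", "CommandLine": "SyncHost.exe -m local -net", "ParentImage": "C:\\Windows\\explorer.exe"}
{"RecordID": 103, "EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\TimeSync", "Details": "C:\\Users\\alice\\AppData\\Local\\TimeSync\\SyncHost.exe"}
{"RecordID": 104, "EventID": 1, "Image": "C:\\ProgramData\\qzkvt.exe", "CommandLine": "qzkvt.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}
{"RecordID": 105, "EventID": 1, "Image": "C:\\Program Files\\Git\\bin\\git.exe", "CommandLine": "git -m local", "ParentImage": "C:\\Windows\\explorer.exe"}
"""


if __name__ == "__main__":
    for record_id, target, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(record_id, target)
        for r in reasons:
            print("   -", r)
```

Record 102 fires on three indicators at once, which is the kind of stacked evidence worth pivoting on first; record 104 fires only on the path heuristic and needs a look at the parent (here WmiPrvSE.exe, consistent with the WMI lateral movement the page describes) before it is treated as the encryptor.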

3. File Decryption & Recovery

  • Recovery Feasibility (as of May 2024): NO working decryptor exists for .calvo—files are encrypted with a per-victim X25519 + AES-256-GCM scheme; private keys remain offline.
    (Monitor reputable sites: NoMoreRansom.org, Emsisoft Decryptor archives – if a free decryptor becomes available, the decryptor banner will explicitly list “.calvo”.)
  • Restoration Paths:
  1. Restore from immutable backups or volume shadow copies (vssadmin list shadows).
  2. Leverage EDR capabilities (e.g., CrowdStrike or SentinelOne rollback) for systems protected with journaling features within 24–72 h pre-attack.
  3. If no backups, accept the unavailability of .calvo decryption and engage DFIR teams to collect evidence, but do not pay (historical affiliates often abandon after payment).

4. Other Critical Information

  • Ransom Note(s): Dropped as calvo.read_it.txt in every encrypted folder; contents include a TOX ID and expiration timer (T+72 h).
  • Double-Extortion: Affiliates exfiltrate ~1 GB of data via MEGASync API before encryption; breached FTP credentials published on darknet leak site “CrushLabs.”
  • Unique Characteristics: Uses a Russian ransom note hard-coded with matching Cyrillic strings for non-English victims, but switches to Spanish for Western European victims (“Su equipo ha sido encriptado—calvo no peligroso, pero archivos si”); the odd bilingual messaging is apparently meant to frustrate Google Translate copyright triggers.

By combining these technical details with layered defenses and rapid response procedures, organizations can significantly reduce the risk posed by the Calvo ransomware family.