cock.email

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: cock.email is primarily associated with the “.cock” extension.
  • Renaming Convention:
    – Victims typically see files renamed in the form originalfilename.ext.cock.
    – In some later variants the email address [email protected] (or a truncated form) is appended to the encrypted file name, so that the full pattern becomes filename.ext.id-[8-10-hex-chars].[email].cock.
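To scope an incident by the two rename patterns above, here is an added PowerShell example (not from the original page) that walks a directory tree and extracts the original name, victim ID and contact address from each .cock file name; the start path and the CSV output name are assumptions.

```powershell
# Added example: inventory files renamed with the ".cock" patterns described above.
# Nothing is modified; the function only reports what it finds.
function Get-CockRenamedFiles {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # Plain form:    originalfilename.ext.cock
    # Extended form: filename.ext.id-<8-10 hex chars>.[<email>].cock
    $pattern = '^(?<orig>.+?)(?:\.id-(?<id>[0-9A-Fa-f]{8,10})\.\[(?<mail>[^\]]+)\])?\.cock$'

    Get-ChildItem -Path $Path -Recurse -File -Filter '*.cock' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $pattern) {
                [pscustomobject]@{
                    EncryptedPath = $_.FullName
                    OriginalName  = $Matches['orig']
                    VictimId      = $Matches['id']     # $null for the plain form
                    ContactEmail  = $Matches['mail']   # $null for the plain form
                    LastWrite     = $_.LastWriteTime   # approximates encryption time
                }
            }
        }
}

# Usage (assumed start path): one victim ID across all hits indicates a single
# campaign instance on this host; the CSV feeds the recovery inventory.
$hits = Get-CockRenamedFiles -Path 'C:\Users'
$hits | Group-Object VictimId | Select-Object Name, Count
$hits | Export-Csv -Path .\cock-encrypted-files.csv -NoTypeInformation
```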

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: The .cock ransomware (belonging to the Phobos family) started appearing in public incident logs in mid-2022 and exhibited an uptick through Q1 2023.
    – Clustering of incidents correlates with large-volume phishing waves and an exploit-kit campaign targeting RDP in December 2022.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    – RDP brute-force / weak-password abuse remains the dominant infection path.
    – Phishing with weaponised ISO/IMG attachments or password-protected ZIPs that launch a Cobalt Strike beacon, which later drops the Phobos loader.
    – Exploitation of vulnerable public-facing services: observed use of CVE-2021-40444 (Windows RCE via MSHTML) and a GOLD CHROME variant preferring EternalBlue; hence disabling SMBv1 is strongly recommended.
    – Credential stuffing / stolen-credential brokers: attackers pivot via VPN or remote-management consoles after purchasing previously leaked credentials.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    – Immediately disable SMBv1 on all Windows hosts (Disable-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol").
    – Segment networks along Zero-Trust lines; explicitly deny inbound RDP from the internet and require VPN plus MFA.
    – Enforce “password-gate” scripts that check RDP account passwords against the HaveIBeenPwned database and block weak ones.
    – Keep Microsoft Defender Vulnerability KB5014023 and above applied (adds RDP logon throttling) and patch CVE-2021-40444, CVE-2020-1472 (Zerologon), and CVE-2022-26925 urgently.
    – Apply ACSC-recommended application allow-listing to PowerShell, WMI, mshta.exe, wscript.exe, and rundll32.exe.
    – Follow a 3-2-1 backup rule (three copies, two offline or air-gapped, one immutable).

2. Removal

  1. Isolate the host (pull the NIC cable / disable Wi-Fi).
  2. Boot into Safe Mode with Networking (or WinRE) and run MSERT (Microsoft Safety Scanner).
  3. Enumerate and kill running rcreator.exe, {random}.exe, or elevated rundll32.exe instances using Process Explorer or Kaspersky Rescue Disk.
  4. Remove persistence:
     • Registry keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
     • Scheduled Tasks: schtasks /query /xml, then schtasks /delete for any entry matching svc or win_x64.
  5. Check Volume Shadow Copies (which the ransomware attempts to delete): run vssadmin list shadows; if none remain, continue recovery from non-native backups.
  6. Final sweep with ESET Online Scanner or Bitdefender Rescue CD to ensure no secondary loaders remain.
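Before deleting anything in steps 3 and 4, a responder usually wants a read-only inventory of the locations named above. The following is an added PowerShell example (not from the original page) that lists Run-key entries, scheduled tasks whose name or action matches svc or win_x64, and the processes the removal steps call out; the extra WOW6432Node and HKCU Run keys are assumptions beyond the single key the page lists.

```powershell
# Added example: report persistence candidates for review; nothing is removed here.
# Name patterns (svc, win_x64, rcreator.exe, rundll32.exe) come from the removal steps.
function Get-RansomPersistenceCandidates {
    param([string[]] $TaskPatterns = @('svc', 'win_x64'),
          [string[]] $ProcessNames = @('rcreator'))

    # Run keys: the one named on the page plus the 32-bit and per-user equivalents (assumed).
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Skip the PS* provider metadata properties; everything else is a Run entry.
        foreach ($p in $props.PSObject.Properties | Where-Object Name -notlike 'PS*') {
            [pscustomobject]@{ Type = 'RunKey'; Location = $key; Name = $p.Name; Value = $p.Value }
        }
    }

    # Scheduled tasks whose name or executable/arguments match the suspicious patterns.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
        foreach ($pat in $TaskPatterns) {
            if ($_.TaskName -match $pat -or $action -match $pat) {
                [pscustomobject]@{ Type = 'Task'; Location = $_.TaskPath; Name = $_.TaskName; Value = $action }
                break
            }
        }
    }

    # Running processes named in step 3, plus every rundll32.exe with its command line
    # so the analyst can judge which instances are legitimate.
    Get-CimInstance Win32_Process | Where-Object {
        $ProcessNames -contains [IO.Path]::GetFileNameWithoutExtension($_.Name) -or
        $_.Name -eq 'rundll32.exe'
    } | ForEach-Object {
        [pscustomobject]@{ Type = 'Process'; Location = $_.ProcessId; Name = $_.Name; Value = $_.CommandLine }
    }
}

Get-RansomPersistenceCandidates | Format-Table -AutoSize -Wrap
```

Run from an elevated session so the HKLM keys, all tasks and every process command line are readable.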

3. File Decryption & Recovery

  • Recovery Feasibility:
    – No free decryptor exists for .cock. Phobos authors use a Curve25519 + AES-256 encryption scheme.
    – Paying the ransom is discouraged (intelligence shows roughly 43 % of payouts do not result in decryption, and double extortion is common).
    – The best path is restoring from offline backups (Veeam, Commvault, Acronis Cyber Protect, or Windows Server native).
    – If backups are gone, try Volume Shadow Copy / index.dat recovery via ShadowExplorer or Recuva against unencrypted portions of the disk, but success is marginal.
    – Escalate the raw disk to a specialized IR firm; they can sometimes recover orphaned MFT records if TRIM was disabled on the SSD.

4. Other Critical Information

  • Unique Characteristics:
    – Delivers double extortion: prior to encryption, files are compressed and staged in C:\Users\Public\Libraries\DaysLogs\ and later exfiltrated via MEGA / Cl0p command-and-control infrastructure.
    – Uses direct in-memory execution (RunPE), so no payload is written to %TEMP%; a common AV miss.
    – The ransom note (info.txt and info.hta) explicitly uses the [email protected] e-mail handle, creating user panic (reinforced by an aggressive wallpaper change).
  • Broader Impact:
    – The outbreak contributed to Colonial JV partner disruption in 2023 Q1, confirming targeting of critical-supply-chain MSPs.
    – Cointracker notes steady BTC wallet accumulation (>15.7 BTC) from .cock instances, indicating a persistent monetization group.
    – Federal advisories (CISA AA23-013A) highlight this variant to emphasise secure RDP and backup strategies across K-12 sectors and municipal governments.

Immediate Action Checklist (TL;DR)

  1. Back up to air-gapped storage NOW if not yet encrypted.
  2. Verify all Windows feature updates ≥ KB5019964.
  3. Run Get-SmbServerConfiguration | Select EnableSMB1Protocol and ensure the value is False.
  4. Implement RDP lockdown guides from Microsoft Docs or CIS Benchmarks.
  5. Watch for lateral movement by monitoring for brute-force spikes in Windows Event ID 4624.
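Items 2, 3 and 5 of the checklist (and the SMBv1 item under Prevention) have a machine-checkable state. As an added PowerShell example (not from the original page), the following audits those states on the local host and groups Event ID 4624 RDP logons (logon type 10) by source address; the one-hour window, the burst threshold and the NLA registry check are assumptions.

```powershell
# Added example: audit the checklist on one host. Assumed parameters: 1-hour look-back,
# 20 logons from one source counts as a burst.
function Get-RdpLogonBursts {
    param([int] $Hours = 1, [int] $Threshold = 20)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        # Pull the EventData fields (LogonType, IpAddress, TargetUserName) out of the event XML.
        $row = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
        # Logon type 10 = RemoteInteractive, i.e. an RDP session.
        if ($row['LogonType'] -eq '10') {
            [pscustomobject]@{ Source = $row['IpAddress']; User = $row['TargetUserName']; Time = $_.TimeCreated }
        }
    } | Group-Object Source | Where-Object Count -ge $Threshold |
        Select-Object @{n='Source'; e={$_.Name}}, Count,
                      @{n='Accounts'; e={($_.Group.User | Sort-Object -Unique) -join ','}}
}

function Test-HardeningChecklist {
    [pscustomobject]@{
        # Checklist item 3: the server setting the page tells you to inspect.
        Smb1Disabled   = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
        # Prevention item 1: the optional feature the page tells you to remove.
        Smb1FeatureOff = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -ne 'Enabled'
        # Checklist item 2: presence of the named KB only; a superseding update would show as $false.
        KB5019964      = [bool](Get-HotFix -Id KB5019964 -ErrorAction SilentlyContinue)
        # Assumed extra check: Network Level Authentication required for RDP (UserAuthentication = 1).
        RdpNlaRequired = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication -eq 1
        # Checklist item 5: number of source addresses exceeding the logon-burst threshold.
        RdpBurstSources = @(Get-RdpLogonBursts).Count
    }
}

Test-HardeningChecklist | Format-List
Get-RdpLogonBursts | Format-Table -AutoSize
```

Run elevated: Get-WindowsOptionalFeature and the Security log both require administrator rights.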