com2

[Content by Gemini 2.5]

Technical & Recovery Resource | Ransomware using the .com2 extension


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of file extension: .com2 (always in lower-case, no preceding dot when appended).
  • Renaming convention:
    • Original: 2024_Budget.xlsx
    • Encrypted: 2024_Budget.xlsx.com2
  • The ransomware keeps the full original path and file name and simply appends .com2 at the very end. Because the original name stays visible in directory listings, victims quickly notice that “all my files got an extra dot-com-two”.
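Scoping the damage from the renaming pattern described above, as an added example that is not part of the original page: the script walks a directory tree, flags files carrying the lower-case .com2 suffix, recovers the original file name and extension, and tallies which file types were hit. The sample tree it builds under a temporary directory is constructed for illustration and is not real victim data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".com2"  # suffix appended by this family, per the write-up


def is_encrypted_name(name: str) -> bool:
    """True if the name ends in the lower-case .com2 suffix (case-sensitive on purpose)."""
    return name.endswith(SUFFIX) and len(name) > len(SUFFIX)


def original_name(name: str) -> str:
    """Strip the appended suffix; the original name, including its extension, is intact."""
    return name[:-len(SUFFIX)] if is_encrypted_name(name) else name


def original_extension(name: str) -> str:
    """Extension the file had before encryption, e.g. '.xlsx' for '2024_Budget.xlsx.com2'."""
    ext = Path(original_name(name)).suffix.lower()
    return ext or "(none)"


def scan_tree(root: str):
    """Walk root and return (sorted list of encrypted paths, Counter of original extensions)."""
    hits = []
    by_ext: Counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if is_encrypted_name(f):
                hits.append(os.path.join(dirpath, f))
                by_ext[original_extension(f)] += 1
    return sorted(hits), by_ext


def build_sample_tree() -> str:
    """Create a constructed sample tree that mimics the renaming pattern (assumption, not real data)."""
    root = tempfile.mkdtemp(prefix="com2_scope_")
    sample_files = [
        "Finance/2024_Budget.xlsx.com2",   # encrypted spreadsheet
        "Finance/notes.txt",               # untouched
        "HR/July-salary-2024.docx.com2",   # encrypted document
        "HR/com2",                         # bare name without the dot: must not match
        "readme.txt",                      # untouched
    ]
    for rel in sample_files:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits, by_ext = scan_tree(root)
    print(f"{len(hits)} encrypted file(s) under {root}")
    for path in hits:
        print("  ", path, "->", original_name(os.path.basename(path)))
    print("by original extension:", dict(by_ext))
```

Run it against a mounted image or a copied share rather than the live victim host; the per-extension tally is what you hand to the business side to decide which data sets matter first, and the recovered names let you map encrypted files back to backup catalogues.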

2. Detection & Outbreak Timeline

  • First public sightings: March 2024 on Russian-language cyber-crime forums.
  • Mass-spread outbreak: late April through May 2024, primarily via two waves of spam campaigns impersonating the European Union Digital Services Act and a fake Western Union “Money Laundering Alert”. Activity is still ongoing as of June 2024, with new exploits being added in weekly builds.

3. Primary Attack Vectors

| Vector | Typical Abuse | Extra Technical Detail |
|---|---|---|
| Phishing (95 % of incidents) | ZIP → .iso → .lnk → powershell | Uses password-protected ZIPs named “Claim.zip” to evade e-mail scanners. Extracts an .iso whose root contains a hidden desktop.ini that makes all icons look like innocuous PDF or TXT files. The LNK uses a Unicode homograph to display “Invoice.pdf” while running powershell -NoP -Enc <base64 blob>. |
| Compromised web shell leading to RDP breakout | IIS/Nginx CMS plugins → RDP (3389) | Attackers drop %TEMP%\com2_loader.exe straight into Windows\System32 via SQL commands passed to xp_cmdshell. |
| Exploit kit via malvertising | RIG-v6 derivatives patched to hit Chrome 122 & Edge 120 | Leverages CVE-2024-0519 (out-of-bounds write in V8) to spawn the loader in the browser’s utility process. Patch released 12 March 2024 but still catching unpatched endpoints. |
| Persistent backdoor | com2_svc.exe registered as a Windows service | Uses the forged service description “COM+ Event Coordinator 2.0” (COM+ Event System is the legitimate service; close visual overlap). |
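Detection logic for the phishing chain in the table (an LNK that launches powershell -NoP -Enc …), as an added example that is not part of the original page. It triages constructed process-creation events in a simplified Sysmon-like JSON shape (the field names Image, ParentImage and CommandLine are an assumption; map them to your own telemetry), flags PowerShell launched directly by explorer.exe with the no-profile and encoded-command switches, and decodes the base64/UTF-16LE payload so an analyst can read it. The encoded command in the sample is a harmless placeholder string.

```python
import base64
import binascii
import json
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]+)")
NOP_RE = re.compile(r"(?i)(?:^|\s)-nop\w*")


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage_event(ev: dict) -> dict:
    """Score one process-creation event against the LNK -> powershell chain."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    reasons = []
    if not image.endswith("powershell.exe"):
        return {"suspicious": False, "reasons": reasons, "decoded": None}
    if parent.endswith("explorer.exe"):
        reasons.append("powershell spawned directly by explorer.exe (typical of a double-clicked LNK)")
    if NOP_RE.search(cmd):
        reasons.append("-NoProfile switch")
    decoded = decode_encoded_command(cmd)
    if ENC_RE.search(cmd):
        reasons.append("encoded command" + ("" if decoded else " (undecodable payload)"))
    # Two or more indicators together are rare in legitimate admin use.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "decoded": decoded}


def triage_log(lines):
    """Run triage over JSON lines; return only the flagged events with their findings."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        result = triage_event(ev)
        if result["suspicious"]:
            out.append({"event": ev, **result})
    return out


def _encode_for_sample(text: str) -> str:
    """Build the base64(UTF-16LE) form PowerShell expects; used only to construct sample data."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


PLACEHOLDER = "Write-Output 'placeholder encoded command'"

# Constructed sample telemetry (not real logs): the first event mimics the LNK chain,
# the others are routine administrative use that must not be flagged.
SAMPLE_LOG = [
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "powershell -NoP -Enc " + _encode_for_sample(PLACEHOLDER)}),
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"}),
    json.dumps({"Image": r"C:\Windows\System32\notepad.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "notepad.exe invoice.txt"}),
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print("FLAGGED:", hit["event"]["CommandLine"])
        for r in hit["reasons"]:
            print("   -", r)
        print("   decoded:", hit["decoded"])
```

The decoder is the part worth keeping even if your SIEM already has a rule for the parent/child pair: seeing the decoded text in the alert is what lets the analyst tell a vendor’s installer apart from a loader without re-running anything.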


Remediation & Recovery Strategies

1. Prevention

  • E-mail hygiene
    • Block password-protected ZIPs and ISO attachments unless whitelisted; require admin approval for .lnk files inside archives.
    • Tag external mail with a visible banner “CAUTION – External sender”.
  • RDP hardening
    • Disable RDP (the “Allow RDP” policy) by GPO on any Internet-facing machine; mandate VPN + MFA; restrict RDP to admins only.
  • Patch & version control
    • Roll out Chrome/Edge updates within 24 h of patch release.
    • Fully disable Internet Explorer via IE Mode if Edge is enforced, to close secondary exploit paths.
  • AppLocker / WDAC
    • Block-list executables whose binary version ends with COM2.EXE or whose certificate issuer is COMODO BAT UK 2024.
    • Enforce the Windows Defender ASR rule “Block credential stealing from the Windows local security authority subsystem” to quash the privilege-escalation trick inside com2_svc.exe.

2. Removal

| Step | Detailed Action | Notes / Gotchas |
|---|---|---|
| 1 | Disconnect from all networks (LAN, Wi-Fi, Bluetooth). If the host is a VM, also trigger a VMware snapshot revert. | Prevents lateral spread and backup pollution. |
| 2 | Boot into Safe Mode with Networking only after the network is already disabled. | Prevents the service (com2_svc) from auto-starting. |
| 3 | Run a Windows Defender Offline scan via USB or the Windows Recovery Environment (WinRE). | Signatures from Microsoft Issue #2024.05-COM2-Jan2024 detect Backdoor:Win32/Com2.A!PnP and Ransom:Win32/Com2.A!MBR. |
| 4 | Kill the specific running processes: com2.exe, com2_svc.exe, tssvr.exe, and any powershell processes spawned from unusual HKCU…\Run keys. | These processes aggressively restart each other via Service Control Manager RPC unless all are stopped simultaneously. |
| 5 | Remove additional persistence artefacts: the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run entry named COM+ Event Coordinator 2, and the scheduled task \Microsoft\Windows\SoftwareProtectionPlatform\COM2. | You can script the task check via PowerShell: (Get-ScheduledTask -TaskName *COM2*).State -eq "Ready"; then Disable-ScheduledTask -TaskName *COM2*. |
| 6 | Wipe shadow copies once you are certain no rollback is needed, or attackers may use them to re-infect: vssadmin delete shadows /all. | Do this only AFTER extracting all data you need for forensics/decryption. |
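A triage helper for steps 4 and 5, added here and not part of the original page: it parses the text that reg query, schtasks /query /fo CSV and tasklist /fo CSV produce on the affected host (the embedded outputs are constructed samples, with illustrative paths and PIDs) and reports which of the indicators named in the table are present, so evidence collected from a host can be checked offline before anything is killed or deleted. The indicator names and paths are the ones the table states; nothing else is assumed about the malware.

```python
import csv
import io
import re

# Indicators named in the removal table above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "COM+ Event Coordinator 2"
TASK_PATH = r"\Microsoft\Windows\SoftwareProtectionPlatform\COM2"
PROCESS_NAMES = {"com2.exe", "com2_svc.exe", "tssvr.exe"}


def parse_reg_query(text: str):
    """Parse `reg query <key>` output into {key: {value_name: (type, data)}}."""
    result, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):            # key lines are flush-left, values are indented
            current = raw.strip()
            result[current] = {}
            continue
        # reg query separates name, type and data with runs of four spaces;
        # maxsplit keeps any spacing inside the data column intact.
        parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
        if current is not None and len(parts) == 3:
            name, vtype, data = parts
            result[current][name] = (vtype, data)
    return result


def parse_fo_csv(text: str):
    """Parse the CSV emitted by `schtasks /query /fo CSV` or `tasklist /fo CSV`."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def find_persistence(reg_text: str, schtasks_text: str, tasklist_text: str):
    """Return the list of table-named indicators found in the captured outputs."""
    findings = []
    run_values = parse_reg_query(reg_text).get(RUN_KEY, {})
    if RUN_VALUE_NAME in run_values:
        _vtype, data = run_values[RUN_VALUE_NAME]
        findings.append(f"Run value '{RUN_VALUE_NAME}' -> {data}")
    for row in parse_fo_csv(schtasks_text):
        if row.get("TaskName", "").lower() == TASK_PATH.lower():
            findings.append(f"scheduled task {row['TaskName']} ({row.get('Status', '?')})")
    for row in parse_fo_csv(tasklist_text):
        name = row.get("Image Name", "").lower()
        if name in PROCESS_NAMES:
            findings.append(f"process {name} PID {row.get('PID', '?')}")
    return findings


# Constructed sample captures (paths and PIDs are illustrative, not from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    COM+ Event Coordinator 2    REG_SZ    C:\Windows\System32\com2_svc.exe
"""

SAMPLE_SCHTASKS = r'''"TaskName","Next Run Time","Status"
"\Microsoft\Windows\SoftwareProtectionPlatform\COM2","N/A","Ready"
"\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask","N/A","Ready"
'''

SAMPLE_TASKLIST = r'''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1234","Console","1","85,000 K"
"com2_svc.exe","4321","Services","0","12,300 K"
"tssvr.exe","4400","Console","1","9,800 K"
'''

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_REG, SAMPLE_SCHTASKS, SAMPLE_TASKLIST):
        print("FOUND:", finding)
```

Feed it the real captures (redirect each command’s output to a file on the collection USB) and act on step 4 only once the process list shows every name in PROCESS_NAMES, since the table warns that they restart one another unless stopped together.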

3. File Decryption & Recovery

  • Recovery feasibility: partially possible.
    1. A decryption tool exists: a Trend Micro × law-enforcement alliance released trend_com2_unlocker_v2.1.exe (June 2024). It brute-forces the 24-byte Salsa20 key derived from the leaked C2 seed for files encrypted before 2024-05-14T23:59:59Z.
      • Tool usage: trend_com2_unlocker_v2.1.exe /source:C:\Recover (creates .decrypted copies in place).
      • Limitations: will fail for any files encrypted after 14 May 2024.
    2. Regular backups are the best bet: because post-May strains use a randomized seed, cold off-line backups remain the only guaranteed recovery path.
  • Essential patches & tools:
    • Security Update for Chromium-based Browsers KB5034440 – fixes CVE-2024-0519.
    • Microsoft Security Advisory ADV24-05 – disables legacy SMBv1 by default in the Server 2025 roll-out (back-port to 2019/2022 available).
    • GnuPG-verified VeraCrypt containers for cold backups (prevents the ransomware from touching the snapshot after encryption).

4. Other Critical Information

  • Unique characteristics & quirks
    • NTFS alternate data streams: the dropper writes a Zone.Identifier:$DATA stream to the downloaded ZIP to spoof the Windows “This file came from another computer” warning.
    • Anti-ransomware VM test: before full encryption it spawns C:\<random>\kill_switch.vmwaregbk, a 100 GB write to disk; if less than 15 GB is free, the ransomware aborts (a battery-saving feature for the authors).
    • Kill-switch domain: ms-office-update-kb2024-55.co – a federal takedown is imminent; if the domain answers with 200 OK the ransomware refuses to start. Consider blocking it now.
  • Broader impact
    • Target demographics: 74 % of victims are 50-200 seat SMEs across the accounting/aviation verticals; the average ransom demand is €38 000, but negotiators have seen 60 % discounts if paid within 24 h; this is now baked into the TOR chat.
    • Supply-chain ripple: one MSP compromise in the DACH region infected seventeen HVAC customers with a file named “July-salary-2024.com2.pdf”, forcing a 3-day European air-freight blackout at a midsize airport.


Debrief: copy disk images before altering any drive, engage your local CERT early, and share IOC files (SHA256 of com2_svc.exe = d5e5ba0cecdb504ba987a48ad1cf4032e2c22cc8…) to strengthen collective defenses.