coot

[Content by Gemini 2.5]


Technical Breakdown: COOT ransomware (STOP/Djvu family)

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: All encrypted files receive the extension .coot appended to the original filename.
  • Renaming Convention:
    OriginalName.ext.coot – nothing else is altered (no e-mail address, no random ID string between the filename and extension).

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: WildFire and other telemetry first recorded large-scale .coot campaigns in mid-January 2020. Activity peaked during February–April 2020 and continues in geographic waves.

3. Primary Attack Vectors

| Method | Freq. | How COOT uses it |
|--------|-------|------------------|
| Malicious spam/phishing | Very common | ZIP or ISO attachments containing JavaScript droppers (e.g., invoice.js, order.js). |
| Software crack & key-gen sites | Hobbyist torrent/P2P | Fake Adobe, Office, or game activators wrapped in password-protected ZIP archives (setup.exe). |
| EternalBlue & BlueKeep (EternalRomance) | Minor | COOT rarely exploits these; the dropper installs when SMBv1 is left enabled. |
| Compromised RDP (mstsc.exe) | Medium | Brute-forced or stolen credentials; the dropper is copied onto the machine once an initial foothold is obtained. |
| Software-as-a-Service combos | Rare | Piggybacks on stolen Kaseya or ConnectWise agents to launch the payload. |


Remediation & Recovery Strategies:

1. Prevention

  • Key Updates & Patches
    • Apply the Windows cumulative patches that fix SMBv1 (EternalBlue) and RDP (BlueKeep).
    • Disable SMBv1 (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  • Defensive Posture
    • Mandatory LSA Protection (RunAsPPL) to prevent COOT from injecting into svchost.
    • Enable the Windows Defender ASR rules “Block executable files from running unless they meet…” and “Block JavaScript/VBScript from launching downloaded executable content.”
    • Enforce MFA on RDP gateways and remote management consoles.
  • User Hardening
    • Filter e-mail attachments (.js, .jse, .vbs, .iso) at the gateway.
    • Revoke users’ local Administrator privileges where possible.
    • Baseline the PowerShell execution policy to AllSigned.
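The host-side controls in the list above can be audited and enforced from one script. The following PowerShell is an added example written for this page; it is not code from the page, from Microsoft, or from any vendor. It assumes an elevated Windows 10/11 session, and the two ASR rule GUIDs are Microsoft's published identifiers for the rules named above (the MFA and mail-gateway items are network-side and are not covered here).

```powershell
# Added example (not the page's or any vendor's code): audit the prevention
# controls listed above on a Windows 10/11 host and, with -Enforce, apply them.
# Run from an elevated PowerShell session. The ASR rule GUIDs are Microsoft's
# published identifiers for the two rules named in the list above.
param([switch]$Enforce)

$AsrRules = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}
$findings = @()

# 1. SMBv1 (the EternalBlue surface) must be disabled
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb1.State -notin 'Disabled', 'DisabledWithPayloadRemoved') {
    $findings += "SMB1Protocol state is $($smb1.State); expected Disabled"
    if ($Enforce) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 2. LSA Protection (RunAsPPL) must be on; the value takes effect after a reboot
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
if ($runAsPpl -ne 1) {
    $findings += 'LSA Protection (RunAsPPL) is not enabled'
    if ($Enforce) { Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Value 1 -Type DWord }
}

# 3. Both Defender ASR rules must be in Block mode (action 1; 2 = Audit, 0 = Disabled)
$mp      = Get-MpPreference
$ids     = @($mp.AttackSurfaceReductionRules_Ids)
$actions = @($mp.AttackSurfaceReductionRules_Actions)
foreach ($id in $AsrRules.Keys) {
    $action = $null
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $id) { $action = $actions[$i] }   # string -eq is case-insensitive
    }
    if ($action -ne 1) {
        $findings += "ASR rule not in Block mode: $($AsrRules[$id])"
        if ($Enforce) { Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled }
    }
}

# 4. Machine-wide PowerShell execution policy should be AllSigned
$policy = Get-ExecutionPolicy -Scope LocalMachine
if ($policy -ne 'AllSigned') {
    $findings += "LocalMachine execution policy is $policy; expected AllSigned"
    if ($Enforce) { Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy AllSigned -Force }
}

if ($findings.Count -eq 0) { 'All audited prevention controls are in place.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it once without `-Enforce` to get the findings list, then with `-Enforce` to apply the changes; SMBv1 removal and RunAsPPL both need a reboot to take effect. Once the execution policy is AllSigned, this script must itself be signed (or run through a signed deployment mechanism) before it can be re-run for periodic audits.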

2. Removal (Survival Checklist)

  1. Isolate the infected host from the network (pull the LAN cable / disable Wi-Fi).
  2. Boot into Safe Mode with Networking (Windows 10/11).
  3. Download or update Malwarebytes or ESET Online Scanner on a clean machine; copy it over via USB.
  4. Run a full scan and quarantine the following families:
     Trojan.Win32.STOP.D, MSIL:Agent-ZR, Trojan.Agent.Exp, Mal/EncPk-ALI.
  5. Check for persistence mechanisms:
     • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run → value SysHelper = %localappdata%\<random-4chars>\<random-name>.exe
     • Scheduled task: Microsoft\Windows\Windows Update\Orchestrator\UpdateModel, which points to the same binary.
  6. Remove the registry entry and the scheduled task; reboot normally.
  7. Patch: install KB5027231 (latest cumulative patch) and reboot again.
  8. Validate with Process Explorer that csrss.exe and powershell.exe have NOT been hollowed.

3. File Decryption & Recovery

  • Recovery Feasibility
    • Online keys: variants from early July 2019 onward use uniquely generated RSA-2048 keys that are not currently crackable.
    • Offline keys: January–June 2019 families (rare in the 2020 .coot waves). If the infected host had no connectivity during encryption, the same offline key may have been reused, and the files are decryptable with Emsisoft STOP Decrypter v1.8.0.4.
    • How to check: look inside C:\SystemID\PersonalID.txt or %localappdata%\<random-4chars>\PersonalID.txt. If the ID is exactly 8 lower-case alphanumerics (e.g., 02ba13a2), it is decryptable offline.
  • Essential Tools
    • Emsisoft STOP Decrypter: https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
    • ShadowExplorer 0.9 (restore from Shadow Copies).
    • Windows Security Baseline GPO package for hardening.
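The persistence check in step 5 of the removal checklist and the "How to check" item above both come down to reading a handful of artifacts from the host, so one triage script serves both. The PowerShell below is an added example for this page, not code from the page, from Emsisoft, or from any other vendor. The file paths, the Run value name (SysHelper) and the task path are the ones the page lists; the 8-lower-case-alphanumeric test implements the page's stated offline-ID heuristic and should be confirmed against the decrypter's own verdict; scanning only %USERPROFILE% for encrypted files is this example's choice to keep the run short, and the shadow-copy count is included because, as section 4 notes, the deletion does not always succeed.

```powershell
# Added example (not the page's or any vendor's code): post-infection triage for a
# .coot host. Reports encryption scope, the STOP/Djvu PersonalID, the persistence
# artifacts named in the removal checklist, and whether shadow copies survive.
# Run elevated, e.g. from Safe Mode with Networking. Paths are as given on the page.

function Get-CootPersonalId {
    # Locations named on the page: C:\SystemID\PersonalID.txt or a random
    # 4-character folder under %localappdata%.
    $candidates = @('C:\SystemID\PersonalID.txt')
    $candidates += Get-ChildItem -Path $env:LOCALAPPDATA -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'PersonalID.txt' }
    foreach ($p in $candidates) {
        if (Test-Path -LiteralPath $p) {
            # The file may contain more than one line; return every non-empty ID
            return @(Get-Content -LiteralPath $p | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
        }
    }
    return @()
}

function Test-OfflineIdPattern {
    # The page's heuristic: exactly 8 lower-case alphanumerics (e.g., 02ba13a2)
    param([string]$Id)
    return [bool]($Id -cmatch '^[a-z0-9]{8}$')
}

$report = [ordered]@{}

# 1. Scope: .coot files in the current profile (extension compared exactly)
$enc = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.coot' -ErrorAction SilentlyContinue |
         Where-Object { $_.Extension -eq '.coot' })
$report['EncryptedFilesInProfile'] = $enc.Count
$report['SampleEncryptedFile']     = if ($enc.Count) { $enc[0].FullName } else { '(none)' }

# 2. PersonalID(s) and whether any matches the page's offline pattern
$ids = @(Get-CootPersonalId)
$report['PersonalIDs']          = if ($ids.Count) { $ids -join ';' } else { '(not found)' }
$report['MatchesOfflinePattern'] = @($ids | Where-Object { Test-OfflineIdPattern $_ }).Count -gt 0

# 3. Persistence artifacts from the removal checklist
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$sysHelper = (Get-ItemProperty -Path $runKey -Name SysHelper -ErrorAction SilentlyContinue).SysHelper
$report['RunKey_SysHelper'] = if ($sysHelper) { $sysHelper } else { '(absent)' }
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Update\Orchestrator\' `
                          -TaskName 'UpdateModel' -ErrorAction SilentlyContinue
$report['Task_UpdateModel'] = if ($task) { @($task.Actions | ForEach-Object { $_.Execute }) -join ';' } else { '(absent)' }

# 4. Surviving Volume Shadow Copies (worth a ShadowExplorer pass if > 0)
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$report['ShadowCopiesPresent'] = $shadows.Count

[pscustomobject]$report | Format-List
```

Record the `PersonalIDs` value before any cleanup, since the decrypter needs it and the %localappdata% copy can be removed together with the dropper folder. A non-zero `ShadowCopiesPresent` means restoring from Shadow Copies is still an option even when the ID does not match the offline pattern.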

4. Other Critical Information

  • Unique Characteristics
    • COOT deletes Volume Shadow Copies after encryption (vssadmin delete shadows /all /quiet), but sometimes keeps them if UAC is not bypassed—run ShadowExplorer anyway.
    • Uses MIME-type trickery: Windows Script File icons mimic PDF/Word icons to lure victims.
    • Bundles the Azorult stealer—assume credentials are compromised; rotate every password that was stored in the affected user profile.
  • Broader Impact
    • Contributed to a 300% spike in consumer-grade ransomware restores in early 2020; organizations with mapped shares often lost accounting, CAD, or CNC design files.
    • Attackers shifted payouts from <ransom-email>@protonmail.com to whitelisted Telegram IDs to reduce takedown risk.
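The shadow-copy deletion described above is one of the few noisy steps COOT takes on the host, and the command line it uses is a reliable detection point. The PowerShell below is an added example for this page (not the page's own code or a vendor's detection rule). It assumes process-creation auditing (Security Event ID 4688) with "Include command line in process creation events" turned on; without the latter the CommandLine field is empty and nothing will match. The vssadmin pattern is the command quoted above; the WMIC form is added from general knowledge as the common equivalent, and the sample command lines are constructed for the demonstration.

```powershell
# Added example (not from the page): hunt the Security log for shadow-copy deletion
# so the step can be alerted on, ideally before encryption completes. Requires
# "Audit Process Creation" (4688) with command-line logging enabled, and an
# elevated session to read the Security log.

function Test-ShadowDeletionCommand {
    param([string]$CommandLine)
    # "vssadmin delete shadows /all /quiet" as quoted on the page, plus the WMIC
    # equivalent (added from general knowledge). An optional closing quote after
    # the image name covers quoted full paths.
    $patterns = @(
        'vssadmin(\.exe)?"?\s+delete\s+shadows',
        'wmic(\.exe)?"?\s+shadowcopy\s+delete'
    )
    foreach ($p in $patterns) {
        if ($CommandLine -imatch $p) { return $true }
    }
    return $false
}

function Get-ShadowDeletionEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData fields out of the event XML by name
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (Test-ShadowDeletionCommand -CommandLine $data['CommandLine']) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process     = $data['NewProcessName']
                Parent      = $data['ParentProcessName']
                CommandLine = $data['CommandLine']
            }
        }
    }
}

# Constructed sample command lines (not real telemetry) to show what the matcher flags
$samples = @(
    '"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet',
    'vssadmin list shadows',
    'C:\Windows\System32\wbem\WMIC.exe shadowcopy delete'
)
$samples | ForEach-Object { '{0,-5} {1}' -f (Test-ShadowDeletionCommand $_), $_ }

# Live hunt over the last three days
Get-ShadowDeletionEvents -Hours 72 | Format-Table -AutoSize
```

The `Parent` column is the useful triage field: a shadow deletion launched by an installer under %localappdata% is the COOT pattern, whereas one launched by a backup agent under Program Files is routine maintenance. The same matcher can be dropped into a SIEM query against 4688 or Sysmon Event ID 1 data.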

Bottom line:
If the PersonalID does not match the 8-character pattern above, decryption is impossible without paying. Focus on offline backups and adjust your 3-2-1 strategy going forward.