copan

[Content by Gemini 2.5]

Ransomware Variant Focus: COPAN

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Encrypted files are immediately given the additional suffix “.copan”.
  • Renaming Convention:
    original.docx → original.docx.copan
    Report.xlsx → Report.xlsx.copan
    No prefix or email contact is added before the extension—this makes COPAN easier to spot via logs or scripts looking for “*.copan”.
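Because the suffix is simply appended to the full original name, a file listing from an affected host or share can be triaged with a few lines of Python. The script below is an added example, not part of the original page: it strips the suffix to recover original names, counts encrypted versus clean files per directory, and flags directories where a plaintext twin still sits next to its “.copan” copy (a sign the encryptor was interrupted before it deleted the original). The listing it runs on is constructed for the example; feed it the output of a real directory walk.

```python
import ntpath
from collections import defaultdict

SUFFIX = ".copan"
# Ransom-note file names the page mentions; excluded from the counts.
NOTE_NAMES = {"recover_copan.txt", "FILES__.txt"}


def is_encrypted(path):
    """COPAN appends '.copan' to the whole original name, so a suffix test is enough."""
    return path.lower().endswith(SUFFIX)


def original_name(path):
    """Strip the appended suffix: 'Report.xlsx.copan' -> 'Report.xlsx'."""
    if not is_encrypted(path):
        raise ValueError(f"not a COPAN-encrypted name: {path}")
    return path[:-len(SUFFIX)]


def triage(listing):
    """Group a listing of Windows paths by directory and count encrypted vs. clean files.
    An encrypted file whose plaintext twin still exists is reported under 'in_progress':
    the encryptor was interrupted before it could delete the original."""
    paths = set(listing)
    per_dir = defaultdict(lambda: {"encrypted": 0, "clean": 0, "in_progress": []})
    for p in paths:
        directory, name = ntpath.split(p)   # ntpath handles C:\ and \\server\share paths on any OS
        if name in NOTE_NAMES:
            continue
        entry = per_dir[directory]
        if is_encrypted(p):
            entry["encrypted"] += 1
            twin = original_name(p)
            if twin in paths:
                entry["in_progress"].append(twin)
        else:
            entry["clean"] += 1
    return dict(per_dir)


def summary(listing):
    """Totals across all directories, for the incident timeline / scoping note."""
    t = triage(listing)
    return {
        "encrypted": sum(v["encrypted"] for v in t.values()),
        "clean": sum(v["clean"] for v in t.values()),
        "in_progress": sum(len(v["in_progress"]) for v in t.values()),
        "dirs_hit": sum(1 for v in t.values() if v["encrypted"]),
    }


# Constructed sample listing (not real victim data): a user profile and a UNC share.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\original.docx.copan",
    r"C:\Users\alice\Documents\Report.xlsx.copan",
    r"C:\Users\alice\Documents\recover_copan.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"\\fs01\finance\2020\Budget.xlsx",
    r"\\fs01\finance\2020\Budget.xlsx.copan",   # plaintext twin still present
    r"\\fs01\finance\2020\Q1.pptx.COPAN",       # case variant, still matched
]

if __name__ == "__main__":
    for directory, counts in sorted(triage(SAMPLE_LISTING).items()):
        print(directory, counts)
    print(summary(SAMPLE_LISTING))
```

The per-directory "in_progress" list is the part worth acting on: those plaintext originals are intact and should be copied off to clean storage before anything else touches the share.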

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First publicly documented in the wild in July 2019. Distribution increased sharply through Q4 2019 and Q1 2020 after several pivots in the spam campaigns that carry it.

3. Primary Attack Vectors

| Vector | Details |
|---|---|
| Phishing e-mail (most common) | Weaponized ISO/IMG attachments (“invoice_[number].img”) containing a .js dropper that executes COPAN. Campaigns target both English- and Spanish-speaking regions. |
| RDP brute-force & credential stuffing | Scans for 3389 (RDP), 445 (SMB) and 135 (RPC), brute-forces weak or default credentials, then moves laterally via WMI/PsExec to drop COPAN across the domain. |
| EternalBlue (MS17-010) | Carries the EternalBlue/DoublePulsar module and uses it against any host reachable over SMBv1; highly effective on unpatched Windows 7/2008 R2 systems. |
| PsExec + Mimikatz toolchain | Once inside, uses Mimikatz to harvest credentials, then automates PsExec deployment to every reachable Windows host. |
| Living off the land | wmic.exe, powershell.exe and legitimate command-line archivers (7-Zip, RAR) are used to stage, compress and exfiltrate data before encryption begins. |


Remediation & Recovery Strategies:

1. Prevention

  1. Disable SMBv1 via GPO or by removing the feature (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  2. Restrict RDP exposure—block port 3389 at the firewall unless protected by a VPN and 2FA.
  3. Enforce least privilege (no shared local-administrator password across hosts) and patch-level baselines (WSUS/Intune); PsExec-style lateral movement only works for an attacker who already holds administrator credentials on the target.
  4. Block ISO/IMG attachments at the mail gateway, or at least mount and inspect disk-image attachments for the embedded .js dropper; train users on the “invoice.img” lure.
  5. Application whitelist (AppLocker/WDAC) to bar unsigned .js/.exe loaders from %AppData% and %TEMP%.
  6. Network segmentation—IT/OT split plus deny-firewall rules between VLANs to hamper worm propagation.

2. Removal

  • Isolate: Take the host(s) off the network first (disable the NIC or unplug the cable) and segment the affected subnet at the switch so SMB/RDP spread stops; do not power off yet if an investigation is required.
  • Collect Volatile Data: Take a RAM dump (FTK Imager to acquire, Rekall to analyse) before the host is shut down; the running encryptor and its key material may exist only in memory.
  • Boot-clean: Boot from external WinPE or a Linux rescue OS (Kaspersky Rescue Disk 18, Bitdefender) so the implant is not running while you clean.
  • Signature-based scan with updated AV engines (Bitdefender, Trend Micro, SentinelOne and Sophos definitions added 19-Sep-2019).
  • Scheduled-task cleanup: In %Windir%\System32\Tasks look for tasks named “EDGE_update” or “SysBackup” whose action launches a .ps1 or .bat, then delete the task and the script it points to.
  • Registry cleanup: Remove HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run values that reference a random-named .exe under %APPDATA%\Microsoft\Help\.
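The scheduled-task and Run-key checks above are easier to apply consistently to artifacts collected from many hosts than by hand in the Task Scheduler UI. The following is an added example, not code from the original page: it parses a task XML file (the format of files under %Windir%\System32\Tasks) and a `reg export` of the Run key, and flags the patterns the page describes. The watch-list names and the %APPDATA%\Microsoft\Help path come from the page; the sample task and registry export are constructed for the example, and the task name `ScheduledDefrag` is only there as a benign control.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SUSPECT_TASK_NAMES = {"EDGE_update", "SysBackup"}     # task names the page associates with COPAN
SCRIPT_ACTION = re.compile(r"(?i)\.(ps1|bat)\b")        # task action that launches a script
# Run-key data pointing at an .exe under %APPDATA%\Microsoft\Help, as described on the page
HELP_DIR_EXE = re.compile(r"(?i)(%APPDATA%|\\AppData\\Roaming)\\Microsoft\\Help\\[^\\]+\.exe")


def suspicious_task(task_xml):
    """task_xml: one file from %Windir%\\System32\\Tasks. Pass the raw bytes of a real file
    (they are UTF-16 with an XML declaration); a str works for the declaration-free sample.
    Returns [(task name, full command line)] for tasks whose name is on the watch-list or
    whose action runs a .ps1/.bat script."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    name = uri.rsplit("\\", 1)[-1]            # '\EDGE_update' -> 'EDGE_update'
    findings = []
    for action in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = action.findtext("t:Command", default="", namespaces=TASK_NS)
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        full = f"{cmd} {args}".strip()
        if name in SUSPECT_TASK_NAMES or SCRIPT_ACTION.search(full):
            findings.append((name, full))
    return findings


def suspicious_run_entries(reg_export):
    """reg_export: text of `reg export HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run run.reg`
    (UTF-16 on disk; decode before calling). REG_SZ data escapes each backslash as two."""
    hits = []
    for line in reg_export.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if not m:
            continue
        value_name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if HELP_DIR_EXE.search(data):
            hits.append((value_name, data))
    return hits


# Constructed samples (not real artifacts). Real task files start with an XML declaration;
# it is omitted here so the samples can be passed as str.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\EDGE_update</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\upd.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>"""

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"qx7f2a"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Help\\qx7f2a.exe"
'''

if __name__ == "__main__":
    print(suspicious_task(SAMPLE_TASK))
    print(suspicious_task(BENIGN_TASK))
    print(suspicious_run_entries(SAMPLE_REG))
```

Run it over every task file and Run-key export gathered during triage; anything it returns is a candidate for the deletion steps above, but confirm the referenced script or executable is actually malicious before removing it, since the script-action rule will also catch legitimate admin automation.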

3. File Decryption & Recovery

  • Recovery Feasibility: COPAN encrypts offline (no C2 contact is needed to generate keys): each file is encrypted with AES-256-CBC, and the AES key is in turn wrapped with a per-victim RSA-2048 public key whose private half stays with the attacker. Without that private key, or a leftover plaintext AES key, no reliable public decryption exists.
  • Available Avenues:
  • Check if the AES key file (amd-<6-random-chars>.key) still sits in %TEMP%; the attacker does not always delete it. That key can be used with limited open-source Python scripts (Kape/COPAN-extractor).
  • Search all writable shares for “recover_copan.txt” ransom notes; they sometimes include a “Proof-of-concept + 1 free decrypt” URL pointing to a Tor-hidden service offering a discounted decryptor. Extortion amounts reported between 0.8 – 1.5 BTC in 2020.
  • If the Volume Shadow Copy service wasn’t purged (COPAN runs vssadmin delete shadows /all), enumerate the surviving snapshots with vssadmin list shadows and use ShadowCopyView to roll back to pre-encryption revisions.
  • If early-generation COPAN builds (sub-versions < 4.1.0) were encountered, security researchers have published weak-key remappings; apply Emsisoft COPAN-decryptor v2.1.2 first—keep backups; even partial decryption can break files.

4. Other Critical Information

  • Post-infection network markers:
    DNS queries to lusoregionaltem[.]top and queryweboptions[.]icu – sinkhole addresses now served by CERTs for telemetry.
    Outbound SMB (445) scanning of the 192.168.0.0/16 and 10.0.0.0/8 ranges showing up in firewall logs (e.g., pfSense / FortiProxy).
  • Unique Distinguishers:
  • Writes the ransom note “FILES__.txt” in an ANSI code page rather than Unicode, so Spanish-language notes have missing or mangled ñ characters.
  • Deletes itself (self-environ-wipe) after 72 hours if no ransom is claimed—author’s proclaimed “good-guy guarantee,” likely to reduce forensic artifacts.
  • Broader Impact:
  • Targeted LATAM healthcare and hospitality verticals via Spanish-language phishing in Q1-2020.
  • Contributed to coordinated Joint Cybersecurity Advisory (JCAA-2020-0910) as a “regional flavor” under the GlobeImposter lineage.
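Both network markers above can be checked from firewall and DNS logs without touching endpoints. The script below is an added example, not part of the original page: it looks for queries to the two sinkholed domains and for a single internal host fanning out to many internal addresses on port 445, which is what worm-style SMB scanning looks like from the perimeter. The log line format is a constructed, simplified one (not the native pfSense or FortiProxy syntax), the fan-out threshold is an assumption, and the sample lines are made up for the example; the two domains are the ones the page lists, written undefanged so they match real query logs.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Sinkholed C2 domains from the page (written defanged there as lusoregionaltem[.]top etc.).
SINKHOLED = {"lusoregionaltem.top", "queryweboptions.icu"}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
SCAN_FANOUT = 10   # assumed: distinct internal hosts contacted on 445 by one source = a scan

# Constructed, simplified log formats; adapt the two regexes to your firewall's real syntax.
FW_LINE = re.compile(r"^(\S+) fw (allow|block) tcp (\S+):(\d+) -> (\S+):(\d+)$")
DNS_LINE = re.compile(r"^(\S+) dns (\S+) query (\S+) (\S+)$")


def is_internal(ip):
    return any(ip_address(ip) in net for net in RFC1918)


def analyze(lines):
    """Return sinkhole DNS hits and internal hosts whose 445 fan-out exceeds SCAN_FANOUT."""
    sinkhole_dns = []
    fanout = defaultdict(set)     # source -> set of internal hosts it touched on 445
    for line in lines:
        m = DNS_LINE.match(line)
        if m:
            _ts, src, qname, _qtype = m.groups()
            if qname.rstrip(".").lower() in SINKHOLED:
                sinkhole_dns.append((src, qname))
            continue
        m = FW_LINE.match(line)
        if m:
            _ts, _action, src, _sport, dst, dport = m.groups()
            # Blocked attempts count too: a scanner's failed connections are the signal.
            if dport == "445" and is_internal(src) and is_internal(dst) and src != dst:
                fanout[src].add(dst)
    scanners = {src: len(hosts) for src, hosts in fanout.items() if len(hosts) >= SCAN_FANOUT}
    return {"sinkhole_dns": sinkhole_dns, "smb_scanners": scanners}


# Constructed sample log (not a real capture).
SAMPLE_LOG = [
    "2020-03-02T10:14:55Z dns 10.20.5.17 query lusoregionaltem.top A",
    "2020-03-02T10:14:56Z dns 10.20.5.40 query wsus.corp.example A",
]
# One workstation sweeping its /24 on 445 (all blocked by the inter-VLAN deny rule) ...
SAMPLE_LOG += [
    f"2020-03-02T10:15:{i:02d}Z fw block tcp 10.20.5.17:5{1000 + i} -> 10.20.5.{i}:445"
    for i in range(1, 13)
]
# ... and ordinary repeated file-server traffic from another host, which must not fire.
SAMPLE_LOG += ["2020-03-02T10:15:30Z fw allow tcp 10.20.5.40:49822 -> 10.20.5.200:445"] * 3

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The fan-out rule deliberately ignores whether the connection was allowed: an infected host behind good segmentation still produces a burst of denied 445 attempts, and that burst is the earliest network-side signal you will get.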

Essential Tool/Update Checklist

| Category | Tool / Patch | Purpose |
|---|---|---|
| SMB | MS17-010 patch & SMB1 OFF | Blocks EternalBlue |
| RDP | KB5025221, Group Policy “Require NLA” | Mitigates RDP brute force |
| AV | SentinelOne build ≥ 4.3.7 | Detects COPAN module IDs 0x607a, 0x975c |
| Validation | Nmap script smb-vuln-ms17-010.nse | Scan the entire subnet for unpatched hosts |
| Decryptor | Emsisoft Decryptor COPAN 2.1.2 | Works on legacy builds only |
| VSS Recovery | ShadowCopyView + robocopy /DCOPY:T | Restore entire shares, preserving directory timestamps |
| Monitoring | Sysmon (Event ID 1 process create, Event ID 11 file create) | Alert on shadow-copy deletion and on bursts of “.copan” file creation |
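Sysmon has no rename event, so “.copan renaming activity” shows up as Event ID 11 (FileCreate) records for the new encrypted names, while the shadow-copy purge shows up as an Event ID 1 (ProcessCreate) record for vssadmin. The detector below is an added example, not code from the page or from any vendor: it applies both rules to a stream of Sysmon records represented as dicts. The burst threshold and window are assumptions to tune per environment, and the sample events (process names, PIDs, paths) are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

COPAN_SUFFIX = ".copan"
BURST_THRESHOLD = 5                    # assumed: .copan files created by one process ...
BURST_WINDOW = timedelta(seconds=60)   # ... within this window => ransomware-style burst
# Shadow-copy deletion: vssadmin is what the page names; wmic shadowcopy delete is the common equivalent.
SHADOW_WIPE = re.compile(r"(?i)vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")


def parse_utc(s):
    """Sysmon UtcTime format, e.g. '2020-03-02 10:15:00.000'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect(events):
    """events: time-ordered Sysmon records as dicts (EventID 1 = process create, 11 = file create).
    Returns alerts as (rule, ProcessId, detail) tuples; the burst rule fires once per process."""
    alerts = []
    recent = defaultdict(deque)   # ProcessId -> timestamps of its recent .copan creations
    fired = set()
    for ev in events:
        t = parse_utc(ev["UtcTime"])
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if SHADOW_WIPE.search(cmd):
                alerts.append(("shadow_copy_deletion", ev["ProcessId"], cmd))
        elif ev["EventID"] == 11 and ev["TargetFilename"].lower().endswith(COPAN_SUFFIX):
            pid = ev["ProcessId"]
            q = recent[pid]
            q.append(t)
            while q and t - q[0] > BURST_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= BURST_THRESHOLD and pid not in fired:
                fired.add(pid)
                alerts.append(("copan_rename_burst", pid, ev.get("Image", "")))
    return alerts


def _ev(event_id, pid, utc, **fields):
    return {"EventID": event_id, "ProcessId": pid, "UtcTime": utc, **fields}


# Constructed sample telemetry (not a real capture).
ENCRYPTOR = r"C:\Users\alice\AppData\Roaming\svc.exe"
SAMPLE_EVENTS = [
    _ev(1, 4301, "2020-03-02 10:15:00.000", Image=r"C:\Windows\System32\vssadmin.exe",
        CommandLine="vssadmin.exe delete shadows /all /quiet", ParentImage=ENCRYPTOR),
    _ev(1, 4400, "2020-03-02 10:15:01.000", Image=r"C:\Windows\System32\vssadmin.exe",
        CommandLine="vssadmin.exe list shadows"),          # benign admin query, must not fire
]
SAMPLE_EVENTS += [                                        # six .copan creates, two seconds apart
    _ev(11, 4120, f"2020-03-02 10:15:{2 + 2 * i:02d}.000", Image=ENCRYPTOR,
        TargetFilename=rf"C:\Users\alice\Documents\doc{i}.docx.copan")
    for i in range(6)
]
SAMPLE_EVENTS += [
    _ev(11, 8800, "2020-03-02 10:15:20.000", Image=r"C:\Windows\explorer.exe",
        TargetFilename=r"C:\Users\alice\Documents\notes.txt"),   # ordinary file create
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The shadow-copy rule fires before the burst rule on the sample stream, which matches the real order of operations: the snapshot purge is the last thing to happen before encryption starts, so it is the alert to page on.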


Closure & Best-Practice Advice

  • Maintain offline, immutable backups (object-lock on S3 or LTO air-gapped).
  • Run proactive tabletop exercises with the above tool-chain; validate that a full restore completes in under 4 hours so that paying the ransom is never the faster option.
  • Report the incident to your national CERT and NoMoreRansom portal; intelligence feeds help sinkhole future C2 domains.

Stay resilient, stay patched, and, if hit, go for restore, not ransom.