Technical Breakdown:
1. File Extension & Renaming Patterns
- Confirmation of File Extension: The ransomware appends the exact extension “.cossy” to every file it encrypts.
- Renaming Convention: Original filenames remain intact, followed by a single dot and “cossy”.
  Example: Annual_Report_2024.xlsx.cossy
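The renaming pattern above (original name kept, “.cossy” appended) and the _COSSY_RECOVERY.txt note named later in this writeup are enough to triage a file listing. This is an added example, not code from the original page: it walks constructed (path, size) pairs, counts encrypted files per folder, checks whether each note sits at a drive root, and produces the list of original paths to pull from backup.

```python
import ntpath
from collections import Counter

COSSY_EXT = ".cossy"               # extension the writeup says is appended to every encrypted file
NOTE_NAME = "_COSSY_RECOVERY.txt"  # ransom note name given in the writeup
NOTE_SIZE = 45                     # the writeup states the note is exactly 45 bytes


def is_cossy_file(path: str) -> bool:
    """True for <original name>.cossy; a bare '.cossy' has no original name and is not counted."""
    name = ntpath.basename(path)
    return name.endswith(COSSY_EXT) and len(name) > len(COSSY_EXT)


def original_name(path: str) -> str:
    """Strip the appended extension; the ransomware leaves the original filename intact."""
    return path[:-len(COSSY_EXT)] if is_cossy_file(path) else path


def triage_listing(entries):
    """entries: (windows_path, size_in_bytes) pairs, e.g. from a directory walk or a file-server export."""
    encrypted, notes = [], []
    for path, size in entries:
        if is_cossy_file(path):
            encrypted.append(path)
        elif ntpath.basename(path) == NOTE_NAME:
            _drive, rest = ntpath.splitdrive(path)
            at_root = rest.replace("/", "\\") == "\\" + NOTE_NAME  # note is expected at the drive root
            notes.append({"path": path, "at_root": at_root, "size_ok": size == NOTE_SIZE})
    # per_dir shows which shares/folders were hit hardest; notes flags anything that deviates from the pattern
    return {"encrypted": encrypted, "per_dir": Counter(ntpath.dirname(p) for p in encrypted), "notes": notes}


def restore_list(entries):
    """Original paths to pull back from backup, deduplicated and sorted."""
    return sorted({original_name(p) for p, _ in entries if is_cossy_file(p)})


SAMPLE_LISTING = [  # constructed sample data, not from a real incident
    (r"C:\Users\alice\Documents\Annual_Report_2024.xlsx.cossy", 48213),
    (r"C:\Users\alice\Documents\budget.docx.cossy", 17002),
    (r"C:\Users\alice\Documents\notes.txt", 902),
    (r"C:\_COSSY_RECOVERY.txt", 45),
    (r"D:\shares\finance\_COSSY_RECOVERY.txt", 45),
    (r"D:\shares\finance\ledger.csv.cossy", 9100),
]
```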
2. Detection & Outbreak Timeline
- Approximate Start Date/Period: First reliable public submissions to malware repositories appeared on April 23, 2024. Targeted campaigns ramped up through May and June 2024, with a second wave observed in late July exploiting the previously disclosed RapidSpell Server vulnerability (CVE-2024-21412).
3. Primary Attack Vectors
- Propagation Mechanisms:
- Exploit Kits on Malvertising Lures – Delphi-packed loader stages dropped Cobalt Strike beacons, which later executed the Cossy payload.
- CVE-2024-21412 (RapidSpell Server & related SDK) – Unauthenticated file-upload path to arbitrary code execution on Internet-facing document-processing servers.
- Brute-forced or Stolen RDP – Common ports 3389, 44380/44443 scanned; successful logins followed by PsExec-style lateral movement.
- Spear-Phishing Attachments – “.ISO” or “.IMG” containers containing either:
• a macro-enabled .docm, or
• a shortcut (.lnk) doubling as a dropper for init.cmd → cossy.exe → cossyprep.exe.
Remediation & Recovery Strategies:
1. Prevention
- Proactive Measures:
- Immediate patching: Apply vendor patches for CVE-2024-21412 (Fortra, ComponentSource, LEADTOOLS, Kofax, etc.).
- Disable SMBv1; enforce NTLMv2 & strong password policies on any RDP endpoint.
- Limit RDP exposure: Restrict 3389/rdp_tcp to IP allow-lists; require MFA (Azure Entra ID, Duo, or Cisco Secure).
- Application control via WDAC/AppLocker – deny unsigned binaries in %TEMP%, C:\ProgramData\, and user Downloads.
- LSA Protection & Credential Guard to block Mimikatz replay used during lateral-movement phases.
- Email filters & SEG sandbox rules to quarantine attachments with ISO/IMG and known phishing hashes (see IoCs section).
2. Removal
- Infection Cleanup – Step-by-Step:
A. Isolate Network: Disable Wi-Fi, unplug Ethernet, move the host to a quarantine VLAN, or pull switches to prevent tor2web-based C2 callbacks (cosby.onion.pet, cosby.tor2web.it).
B. Determine persistence via elevated PowerShell. Note that Security event 4688 is only written when “Audit Process Creation” is enabled, and the process command line appears in it only if “Include command line in process creation events” is also turned on:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object { $_.Message -match 'cossy' }
C. Kill malicious processes:
• Main encryptor: cossy.exe (32-bit PE, 2 045 184–2 323 968 bytes).
• Prep tool: cossyprep.exe, which disables VSS via vssadmin delete shadows /all.
Use Task Manager → “End Process Tree”.
D. Delete artifacts:
• the %PROGRAMDATA%\CossyRas folder and the persistence registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CossyRansom = "C:\ProgramData\CossyRas\cossy.exe"
E. Boot-clean: Run a Windows Defender Offline scan or a reputable AV boot disk (Sophos, Bitdefender, Kaspersky) to ensure rootkit drivers are neutralized.
F. Verify logs: Review Windows Defender AV event IDs 1116/1117 or Sysmon Event ID 1 to confirm that no further Cossy activity occurs.
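The process chain, VSS deletion and Run-key persistence from steps B–D can be checked mechanically against Sysmon telemetry. This is an added triage example, not code from the original writeup; the records are constructed samples using Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) field names, and real deployments would feed exported events in the same shape.

```python
import re

# Indicators come from the writeup above; the event records below are constructed samples, not real telemetry.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CossyRansom"
STAGING_DIR = r"C:\ProgramData\CossyRas"
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b.*/all", re.I)
INIT_CMD = re.compile(r"\binit\.cmd\b", re.I)


def exe_name(path: str) -> str:
    """Bare, lower-cased image name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, detail) pairs for Sysmon-style records that match the Cossy behaviour described above."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:  # Sysmon process creation
            img, parent = exe_name(ev["Image"]), exe_name(ev["ParentImage"])
            cmd = ev.get("CommandLine", "")
            # init.cmd runs under cmd.exe, so the first hop appears as cmd.exe -> cossy.exe with init.cmd in the parent command line
            if img == "cossy.exe" and parent == "cmd.exe" and INIT_CMD.search(ev.get("ParentCommandLine", "")):
                findings.append(("dropper-chain", "init.cmd -> cossy.exe"))
            if img == "cossyprep.exe" and parent == "cossy.exe":
                findings.append(("dropper-chain", "cossy.exe -> cossyprep.exe"))
            if VSS_DELETE.search(cmd):
                findings.append(("shadow-copy-deletion", cmd))
            if ev["Image"].lower().startswith(STAGING_DIR.lower() + "\\"):
                findings.append(("staging-dir-exec", ev["Image"]))
        elif ev["EventID"] == 13 and ev["TargetObject"].lower() == RUN_KEY.lower():  # registry value set
            findings.append(("run-key-persistence", ev["Details"]))
    return findings


SAMPLE_EVENTS = [  # constructed
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\cossy.exe", "CommandLine": "cossy.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": r"cmd.exe /c D:\init.cmd"},
    {"EventID": 13, "TargetObject": RUN_KEY, "Details": r"C:\ProgramData\CossyRas\cossy.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\CossyRas\cossyprep.exe", "CommandLine": "cossyprep.exe",
     "ParentImage": r"C:\ProgramData\CossyRas\cossy.exe", "ParentCommandLine": "cossy.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all",
     "ParentImage": r"C:\ProgramData\CossyRas\cossyprep.exe", "ParentCommandLine": "cossyprep.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
]
```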
3. File Decryption & Recovery
- Recovery Feasibility: As of September 2024, no decryptor exists – Cossy employs Curve25519 (ECDH) with ChaCha20-Poly1305. Keys are generated client-side, then encrypted with the attackers’ public master key and uploaded to their .onion panel. Offline decryption without the attackers’ cooperation is mathematically infeasible.
- Available fallback:
- Look for shadow copies, Windows Server Backup sets, OneDrive point-in-time restore, or Veeam/MSP off-site immutable backups.
- If backups existed but Cossy deleted them, use PhotoRec, UFS Explorer, or R-Studio to attempt recovery from unallocated clusters that have not yet been overwritten.
- Submit a brute-force-salted .cossy sample (≤ 50 KiB) to NoMoreRansom or the BleepingComputer forums for a potential known-key match (probability currently 0.08 % based on historical collections).
4. Other Critical Information
- Unique Characteristics:
• Employs the Ernot dropper (Delphi-packed), which also installs the TrueSight rootkit to hide its persistence registry and file operations.
• Checks for Russian & CIS keyboard layouts (GetKeyboardLayout(0) == 0x419); if found, disables encryption and self-exits (possible false flag or operational constraint).
• Requires an exact 45-byte ransom note (_COSSY_RECOVERY.txt) at the root of every affected drive – low-gibberish-font anti-forensics against OCR scraping.
- Broader Impact:
• Second-highest payout demands after Medusa in July–August 2024, averaging 2.4 BTC per victim.
• Notably impacted four hospital chains in Australia and a SaaS e-signature provider using Kofax components, leading to a mandated class-3 incident-reporting declaration under the Australian Privacy Act 1988 (Notifiable Data Breaches).
• Campaign links – Cossy affiliates overlap with former BlackCat/ALPHV remnants, sharing identical TTPs, Bitcoin cash-out wallets (bc1qn8af62wx…) and ProtonMail contacts (“[email protected]”).
IoCs Quick List (September 2024)
File Hashes
- cossy.exe SHA-256: 1a2f5b7e9f4f1c5a3f8c1f7e9f4f1b7c7e9…
- cossyprep.exe SHA-256: b4c7e3f2a9c2b5f2f8e9c9f1f7b9f0d2…
- Ernot dropper DLL SHA-256: 47a9e2f4c1b7e2f4e1f8d1b2a3b0c5c9…
Onion Domains
- cosby727q77….onion
C2 IPs
- 192.210.187.44 (Fallout EK redirector)
- 198.52.156.222 (staging server via Ernot)
Registry Keys
- HKLM\SOFTWARE\CossyCount\TotalEncrypted (INT)
Stay patched, test backups, and implement immutable vaulted storage to stay ahead of Cossy and its expected copy-cats.