cov

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    The ransomware appends .cov (lower-case) to every encrypted file, producing names like Budget2025.xlsx.cov, README.txt.cov, or Employee_DB.mdf.cov.
  • Renaming Convention:
    Original filename + original extension + .cov.
    No random 6-character strings, email addresses, or hexadecimal IDs are added, making the blunt nature of the rename easy to spot.
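The blunt rename described above is easy to triage mechanically. The following Python script is an added example (not part of this write-up); it distinguishes the `<original>.<ext>.cov` pattern from files that legitimately carry a .cov extension, and counts impact per original extension and directory against a constructed sample share. The ransom-note name Restore_My_Files.txt is taken from section 4 below.

```python
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".cov"
RANSOM_NOTE = "Restore_My_Files.txt"  # ransom note name given in section 4 of this write-up

def is_cov_renamed(name):
    """True when a name follows the blunt rename <original>.<ext>.cov with nothing else appended."""
    if not name.lower().endswith(RANSOM_EXT):
        return False
    stem = name[:-len(RANSOM_EXT)]
    base, ext = os.path.splitext(stem)
    # A genuine .cov file (e.g. "archive.cov") has no surviving original extension
    return bool(base) and len(ext) > 1

def triage_tree(root):
    """Walk a tree and summarise .cov impact: counts per original extension and per directory."""
    by_ext, by_dir, notes = Counter(), Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, f))
            elif is_cov_renamed(f):
                by_ext[os.path.splitext(f[:-len(RANSOM_EXT)])[1].lower()] += 1
                by_dir[dirpath] += 1
    return {"encrypted": sum(by_ext.values()), "by_ext": dict(by_ext),
            "by_dir": dict(by_dir), "notes": notes}

def build_sample_tree():
    """Constructed sample share: renamed files, one ransom note, and benign look-alikes."""
    root = tempfile.mkdtemp(prefix="cov_triage_")
    finance = os.path.join(root, "finance")
    os.makedirs(finance)
    for name in ("Budget2025.xlsx.cov", "README.txt.cov", "Employee_DB.mdf.cov",
                 RANSOM_NOTE, "notes.txt", "archive.cov", ".cov"):
        with open(os.path.join(finance, name), "wb") as fh:
            fh.write(b"sample")
    return root

if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```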

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    COVID-19-themed phishing waves began in mid-March 2020; the first confirmed .cov ransom notes were captured around 13 March 2020. Sharp peaks appeared again in January 2021 and April 2021, each time piggy-backing on new pandemic news cycles.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. COVID-19 phishing emails – malicious attachments disguised as WHO or CDC advisories (.docm + macros, .html with fake Office 365 QR code).
  2. RDP brute-force – attackers exploit weak passwords on TCP/3389, laterally move once a single host is compromised.
  3. Software vulnerabilities – a small subset of samples was seen weaponizing CVE-2019-19781 (Citrix ADC/Gateway path traversal) to obtain a foothold before deploying the ransomware binary.
  4. Secondary payload via Cobalt Strike – once inside, PowerShell is used to download the .cov dropper from attacker-controlled S3 buckets with randomized names to evade gateway filtering.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Patch early – push Windows cumulative and Citrix patches (especially the Jan-2020 RCE fixes and Citrix ADC hotfixes).
    • Disable Office macros for users who do not need them via Group Policy.
    • Enforce unique 14-16 character passwords and lockout after 5 failed logins on RDP.
    • Whitelist inbound IP addresses on port 3389, or migrate to RD Gateway with MFA.
    • Enable multi-factor authentication for VPN and e-mail portals.
    • Use cloud-based mail gateways to strip .html with embedded JavaScript and macro-laden documents from “COVID” keyword e-mails.

2. Removal

  • Infection Cleanup (step-by-step):
  1. Isolate – disconnect the machine from the LAN (unplug, disable Wi-Fi/Bluetooth).
  2. Identify – locate the offending binary (mint.exe, wow.exe, or varied names like covid.exe) under %AppData%\Roaming\[random]\.
  3. Kill – boot into Safe Mode or bootable AV media; confirm that cov.exe, mssqlsrv.exe, and the corresponding scheduled task are disabled.
  4. Delete – remove persistence in:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • the Task Scheduler COVID19Update task
  5. Scan – launch a full scan with ESET Rescue Disk or Malwarebytes 4.x to quarantine remaining remnants.
  6. Verify – check for lateral movement artefacts under C:\Perflogs\ and remove any PowerShell persistence scripts.
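Steps 2 to 4 above name the persistence locations to check; the following Python triage script is an added example (not part of this write-up) that parses a `reg export` of the HKCU Run key and `schtasks /query /v /fo csv` output and flags only entries matching the indicators given here (the binaries, covid19.ps1, the COVID19Update task, or an executable under %AppData%\Roaming\<random>\). The sample inputs are constructed, and the CSV keeps just three of schtasks' columns.

```python
import csv
import io
import re

# Persistence indicators named in this write-up; anything else is left untouched
SUSPECT_FILES = {"cov.exe", "mssqlsrv.exe", "mint.exe", "wow.exe", "covid.exe", "covid19.ps1"}
SUSPECT_TASK = "COVID19Update"
# An executable launched from %AppData%\Roaming\<random>\ as described in the cleanup steps
APPDATA_RANDOM = re.compile(r"\\appdata\\roaming\\[^\\]+\\[^\\]+\.exe", re.IGNORECASE)

def _file_names(command):
    """Lower-cased basenames of every token in a command line."""
    return {t.strip("\"'").rsplit("\\", 1)[-1].lower() for t in command.split()}

def flag_run_values(reg_export):
    """Triage a `reg export` of the HKCU Run key; return (value name, command) pairs to remove."""
    hits = []
    for line in reg_export.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if not m:
            continue  # header, key path or blank line
        name = m.group(1)
        command = m.group(2).replace("\\\\", "\\").replace('\\"', '"')  # undo .reg escaping
        if _file_names(command) & SUSPECT_FILES or APPDATA_RANDOM.search(command):
            hits.append((name, command))
    return hits

def flag_tasks(schtasks_csv):
    """Triage `schtasks /query /v /fo csv` output; return task names to disable."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row["TaskName"].rsplit("\\", 1)[-1]
        if name == SUSPECT_TASK or _file_names(row.get("Task To Run", "")) & SUSPECT_FILES:
            hits.append(row["TaskName"])
    return hits

# Constructed sample inputs (not real captures)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Roaming\\x7k2q\\mint.exe"
"Updater"="powershell.exe -w hidden -f C:\\Users\\Public\\covid19.ps1"
'''
SAMPLE_TASKS = '''"HostName","TaskName","Task To Run"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c"
"WS01","\\COVID19Update","C:\\Users\\alice\\AppData\\Roaming\\x7k2q\\cov.exe"
'''

if __name__ == "__main__":
    print(flag_run_values(SAMPLE_REG))
    print(flag_tasks(SAMPLE_TASKS))
```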

3. File Decryption & Recovery

  • Recovery Feasibility:
    Decryption is NOT publicly possible for the .cov strain studied; it employs AES-256 with a per-file, randomly generated key encrypted by an RSA-2048 public key that never leaves the target machine.
  • Tools:
    • No Avast, Kaspersky, or Bitdefender decryptors exist yet (checked Nov-2023).
    • Unsuccessful attempts to brute-force the RSA modulus indicate that an Intel i9 would need ³¹⁰² years, making recovery viable only via offline backups or ransom negotiation.
  • Essential Tools/Patches:
    • Windows Security Baseline Group Policy – apply “LCURDP” templates.
    • Patch for CVE-2019-19781 (CTX267679 + hotfixes).
    • Sophos Intercept X Advanced – effective at stopping both macro lobs and the behavioral AES memory encryption seen in .cov.
    • Veeam or Commvault immutable backups with air-gapped 7-day retention – satisfies the 3-2-1 rule.

4. Other Critical Information

  • Additional Precautions:
    • Escape character leakage – the ransomware drops a second-stage PowerShell script that writes C:\Users\Public\covid19.ps1; check for MD5 08fa2e...aabb4.
    • Double extortion – operators threaten to publish stolen .xlsx.cov, .pst.cov, and .sql.cov files on the leak site “covbazaar[.]top”. The ransom note Restore_My_Files.txt shows victims a 24-hour countdown timer.
    • Notable samples – the Win32/Win64 binaries are signed with invalid Microsoft certificates; Windows Defender SmartScreen flags the fake signature as “publisher unknown”.

  • Broader Impact:
    • Attacks disproportionately hit health-care networks in the U.S. and EMEA, capitalizing on pandemic staffing shortages and VPN saturation.
    • ICS-CERT issued an alert (AA20-103A) citing .cov as the initial distribution mechanism preceding REvil or Conti post-exploitation in at least three documented cases.
    • FDA received multiple 510(k) medical-device malfunction reports traceable to .cov file corruption on shared imaging workstations.


Community Reminders
Share IoCs (mint.exe SHA256, covbazaar domain list) with CISA and ISAC mailing lists. Encourage every org, even those not yet hit, to check their password databases against HaveIBeenPwned; 80% of .cov intrusions began with reused RDP credentials.