coverton

[Content by Gemini 2.5]


COVERTON Ransomware Analysis & Response Guide

Awareness notice issued after waves of attacks that append the “.coverton” extension to files.


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    The ransomware modifies every encrypted file to add the suffix “.coverton”.

  • Renaming Convention:
    [original_file_name].[original_extension].coverton
    Example: Report-Q1-2024.docx → Report-Q1-2024.docx.coverton

    On shared/network drives you may see the same pattern applied recursively, even to .ISO, .VHD, and .SQL archives.
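To turn the renaming convention above into a first triage step, here is an added Python example (not part of the original advisory): it walks a directory tree, identifies `.coverton` files, recovers each original name and extension, counts ransom notes (the `__RECOVERY__.txt` name is taken from section 4 below), and reports the modification-time window of encrypted files for the incident timeline. The sample directory it builds is constructed for the example; point `inventory()` at a mounted copy of the affected share instead.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Names taken from this advisory: the ".coverton" suffix and the __RECOVERY__.txt note template.
ENCRYPTED_SUFFIX = ".coverton"
RANSOM_NOTE = "__RECOVERY__.txt"


def split_encrypted_name(name):
    """For 'Report.docx.coverton' return ('Report.docx', '.docx'); None if the name is not encrypted."""
    if not name.endswith(ENCRYPTED_SUFFIX) or name == ENCRYPTED_SUFFIX:
        return None
    original = name[: -len(ENCRYPTED_SUFFIX)]
    return original, os.path.splitext(original)[1].lower()


def inventory(root):
    """Walk root and summarise encrypted files, ransom notes and the encryption time window."""
    by_ext, notes, mtimes, total = Counter(), [], [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == RANSOM_NOTE:
                notes.append(rel)  # notes are evidence, not victims; keep them out of the ratio
                continue
            total += 1
            parsed = split_encrypted_name(name)
            if parsed:
                by_ext[parsed[1] or "(no extension)"] += 1
                mtimes.append(os.path.getmtime(path))
    encrypted = sum(by_ext.values())
    return {
        "total_files": total,
        "encrypted": encrypted,
        "share": (encrypted / total) if total else 0.0,
        "by_ext": dict(by_ext),
        "notes": sorted(notes),
        "first_mtime": min(mtimes) if mtimes else None,
        "last_mtime": max(mtimes) if mtimes else None,
    }


def build_sample_tree():
    """Create a constructed directory tree resembling a hit file share (example data only)."""
    root = tempfile.mkdtemp(prefix="coverton-demo-")
    files = {
        "Finance/Report-Q1-2024.docx.coverton": b"\x00" * 64,
        "Finance/budget.xlsx.coverton": b"\x00" * 64,
        "Finance/__RECOVERY__.txt": b"(constructed ransom note placeholder)\n",
        "IT/backup.vhd.coverton": b"\x00" * 64,
        "IT/readme.txt": b"not encrypted\n",
        "IT/__RECOVERY__.txt": b"(constructed ransom note placeholder)\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    summary = inventory(build_sample_tree())
    fmt = lambda ts: datetime.fromtimestamp(ts, timezone.utc).isoformat() if ts else "n/a"
    print(f"encrypted {summary['encrypted']}/{summary['total_files']} files "
          f"({summary['share']:.0%}), by original extension: {summary['by_ext']}")
    print("ransom notes:", summary["notes"])
    print("encryption window:", fmt(summary["first_mtime"]), "to", fmt(summary["last_mtime"]))
```

The per-extension breakdown shows which data classes were reached (for instance the .VHD and .SQL archives mentioned above), and the mtime window gives the first and last write the encryptor made on that share, which you can line up against RDP logon and task-creation events from section 3.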

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    23 August 2023 – security vendors began flagging Coverton variants via malspam campaigns. Volume spiked through September 2023 and smaller waves are still observed in late 2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    – Exposed RDP sessions: brute-force of weak credentials or credential stuffing with previously breached credential lists.
    – Malicious email attachments: a ZIP → .IMG → .LNK → .BAT dropper chain that fetches the payload from discordcdn[.]com links or buried Pastebin pastes.
    – Patchable software vulnerabilities, notably:
      ProxyShell CVE-2021-34473 / CVE-2021-34523 (Exchange)
      Citrix ADC / NetScaler CVE-2023-4966 (Citrix Bleed), commonly chained in Q3-2024.
    – Living-off-the-land binaries (LOLBins): PowerShell, BITSAdmin, and WMIC are used for staging and lateral movement once an internal foothold is secured.

Remediation & Recovery Strategies:

1. Prevention

| Control | Implementation Details |
|---------|------------------------|
| Patch Regimen | Immediately roll out the latest Windows cumulative update and Exchange, Citrix, VPN appliance patches mentioned above. |
| RDP Hardening | Disable public internet-facing RDP (TCP/3389) or enforce VPN-only access + Network Level Authentication + MFA. |
| Privileged Access | Implement tiered admin model, Local Administrator Password Solution (LAPS) and just-in-time (JIT) RDP. |
| Email Filtering | Tighten attachment policy to quarantine .IMG, .ISO, .BAT, .JS, .HTA. Add DNS DMARC/SPF/DKIM alignment. |
| Endpoint Controls | Turn on Microsoft Defender ASR rules “Block credential stealing from LSASS” and enable Network Protection. |
| Backups | 3-2-1 rule, with at least one offline/immutable copy (air-gapped media, an unmapped Veeam ReFS repository, AWS S3 Object Lock or immutable blob storage). |
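The Email Filtering row's attachment policy, as an added Python example (not the advisory's code): it opens a ZIP attachment in memory, descends into nested ZIPs up to a fixed depth, and quarantines the message if any member carries a blocked extension, including double extensions such as `invoice.pdf.lnk`. The blocked list is the table's plus `.LNK`, which the dropper chain in section 3 uses; adding it is this example's assumption. Disk images (`.IMG`, `.ISO`) are flagged by name rather than opened, and the sample archives are constructed here.

```python
import io
import zipfile

# Blocked extensions from the Email Filtering row above, plus .lnk (assumption: the
# ZIP -> .IMG -> .LNK -> .BAT dropper chain from section 3 makes it worth blocking too).
BLOCKED = {".img", ".iso", ".bat", ".js", ".hta", ".lnk"}
CONTAINERS = {".zip"}
MAX_DEPTH = 3                        # nesting limit: zip-in-zip-in-zip and no deeper
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized nested archives


def extensions_of(name):
    """All trailing extensions of a member name, lower-cased: 'a.pdf.lnk' -> ['.pdf', '.lnk']."""
    base = name.rsplit("/", 1)[-1]
    return ["." + part.lower() for part in base.split(".")[1:] if part]


def scan_zip_bytes(data, depth=0, prefix=""):
    """Return (path, reason) findings for every blocked member, descending into nested ZIPs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            exts = extensions_of(info.filename)
            hits = [e for e in exts if e in BLOCKED]
            if hits:
                reason = "blocked extension " + hits[-1]
                if len(exts) > 1:
                    reason += " (double extension)"
                findings.append((path, reason))
            elif exts and exts[-1] in CONTAINERS:
                if depth + 1 > MAX_DEPTH:
                    findings.append((path, "nested archive deeper than limit"))
                elif info.file_size > MAX_MEMBER_BYTES:
                    findings.append((path, "nested archive too large to inspect"))
                else:
                    try:
                        findings.extend(scan_zip_bytes(zf.read(info), depth + 1, path + "!/"))
                    except zipfile.BadZipFile:
                        findings.append((path, "nested archive is not a readable ZIP"))
    return findings


def verdict(data):
    """Policy decision for one attachment: ('quarantine', findings) or ('deliver', [])."""
    findings = scan_zip_bytes(data)
    return ("quarantine" if findings else "deliver"), findings


def make_zip(members):
    """Build a ZIP in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed lure: a PDF, a disk image, and a nested ZIP holding a double-extension shortcut."""
    inner = make_zip({"open-me.pdf.lnk": b"(constructed placeholder, not a real shortcut)"})
    return make_zip({
        "invoice.pdf": b"%PDF-1.4 placeholder",
        "Q1-report.img": b"(constructed placeholder, not a real disk image)",
        "attachments.zip": inner,
    })


def build_clean_attachment():
    """Constructed benign attachment that the policy should deliver."""
    return make_zip({"invoice.pdf": b"%PDF-1.4 placeholder", "notes.txt": b"plain text"})


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_attachment()), ("clean", build_clean_attachment())):
        decision, findings = verdict(blob)
        print(f"{label}: {decision}")
        for path, reason in findings:
            print(f"  {path}: {reason}")
```

Checking every trailing extension rather than only the last one is what catches `open-me.pdf.lnk`; the depth and size limits keep a crafted archive from exhausting the filter.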

2. Removal (Infection Cleanup)

  1. Immediate Containment
    Isolate hosts from production network & shut off Wi-Fi/Ethernet.
  2. Forensic Snapshot
    Note process names observed (often coverton.exe, tmp32A4.exe, or PyInstaller-built executables with random hexadecimal names).
  3. Boot into Safe Mode with Networking Disabled
    Restart → F8 → Safe Mode (or Windows RE) to prevent persistence mechanisms from launching.
  4. Malware Eradication
    Run updated EDR/AV scanner (Microsoft Defender Offline, Sophos Intercept X, SentinelOne, ESET) in full-artifact mode; then double-check scheduled tasks (schtasks /query /fo LIST) and registry Run keys (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
  5. Credential Rotation
    Assume compromise — change passwords for all local/domain accounts that logged into affected systems in the last 72 hours.
  6. Wipe & Re-image (Recommended)
    Once data has been validated in backups, perform a clean OS deployment to remove rootkit remnants.
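As an added example for steps 2 and 4 (not from the advisory), the Python below parses the text output of `schtasks /query /fo LIST /v` (the `/v` switch adds the "Task To Run" field) and of `reg query` on the Run key, and flags entries whose command references the process names above, runs from a user-writable directory, or uses PowerShell, BITSAdmin or WMIC in the staging patterns section 3 describes. The heuristics and both sample outputs are constructed for the example; on a real host, run the two commands and pass their output to `find_persistence()`.

```python
import re

# Indicators taken from this advisory: process names coverton.exe / tmp32A4.exe and the
# LOLBins it names (PowerShell, BITSAdmin, WMIC). The argument patterns are this example's assumption.
KNOWN_NAMES = {"coverton.exe", "tmp32a4.exe"}
WRITABLE_DIRS = re.compile(r"\\(users|temp|tmp|appdata|programdata|public)\\", re.I)
LOLBIN_ARGS = [
    (re.compile(r"powershell(\.exe)?.*\s-(e|enc|encodedcommand)\b", re.I), "encoded PowerShell"),
    (re.compile(r"bitsadmin(\.exe)?.*/transfer", re.I), "BITSAdmin transfer"),
    (re.compile(r"wmic(\.exe)?.*process\s+call\s+create", re.I), "WMIC process create"),
]


def assess_command(cmd):
    """Reasons a persistence command looks suspicious; empty list means nothing matched."""
    reasons, low = [], cmd.lower()
    if any(name in low for name in KNOWN_NAMES):
        reasons.append("known Coverton process name")
    if WRITABLE_DIRS.search(cmd):
        reasons.append("runs from a user-writable directory")
    for pattern, label in LOLBIN_ARGS:
        if pattern.search(cmd):
            reasons.append(label)
    return reasons


def parse_schtasks_list(text):
    """Parse `schtasks /query /fo LIST /v` output: blank-line separated 'Field: value' blocks."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if "TaskName" in current:
                tasks.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only; values such as C:\... keep theirs
        if sep:
            current[key.strip()] = value.strip()
    if "TaskName" in current:
        tasks.append(current)
    return tasks


def parse_run_keys(text):
    """Parse `reg query <key>` output into (key, value_name, data) tuples."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            key = line.strip()  # unindented line names the key the following values belong to
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name, type, data
        if len(parts) == 3 and key:
            entries.append((key, parts[0], parts[2]))
    return entries


def find_persistence(schtasks_text, reg_text):
    """Combine both sources and return only the entries with at least one reason."""
    findings = []
    for task in parse_schtasks_list(schtasks_text):
        cmd = task.get("Task To Run", "")
        reasons = assess_command(cmd)
        if reasons:
            findings.append({"source": "scheduled task", "name": task["TaskName"],
                             "command": cmd, "reasons": reasons})
    for key, name, data in parse_run_keys(reg_text):
        reasons = assess_command(data)
        if reasons:
            findings.append({"source": key, "name": name, "command": data, "reasons": reasons})
    return findings


# Constructed sample output (not captured from a real host).
SAMPLE_SCHTASKS = r"""
Folder: \
HostName:      WS01
TaskName:      \MicrosoftEdgeUpdateTaskMachineCore
Next Run Time: 1/1/2025 3:00:00 PM
Status:        Ready
Logon Mode:    Interactive/Background
Task To Run:   C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c

HostName:      WS01
TaskName:      \SystemHealthSync
Next Run Time: 1/1/2025 3:05:00 PM
Status:        Ready
Logon Mode:    Background
Task To Run:   powershell.exe -nop -w hidden -enc <base64-placeholder>

HostName:      WS01
TaskName:      \Updater
Next Run Time: 1/1/2025 3:10:00 PM
Status:        Ready
Logon Mode:    Background
Task To Run:   C:\Users\Public\tmp32A4.exe
"""

SAMPLE_RUN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    C:\ProgramData\coverton.exe
"""

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_SCHTASKS, SAMPLE_RUN):
        print(f"[{hit['source']}] {hit['name']}: {hit['command']}  <- {', '.join(hit['reasons'])}")
```

Anything this flags is a candidate for removal in step 4 and a pivot for the timeline in step 2 (task creation time, value-set time); the benign Edge and SecurityHealth entries in the sample pass through unflagged because they run from Program Files / system32 with no staging arguments.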

3. File Decryption & Recovery

  • Recovery Feasibility: As of June 2024 no free decryptor is available. Coverton uses a hybrid AES-256 + Curve25519 key scheme, generating a unique key per system and uploading the private portion to the attackers’ Tor payment portal (hxxp://covertonwaste777[.]onion).

  • Feasible Workarounds:
    – Offline backups: restore from air-gapped, immutable, or cloud object-lock backups (last revision saved before the attack date).
    – Volume Shadow Copies: in many cases Coverton runs vssadmin delete shadows. Check with vssadmin list shadows /for=C: or run the ShadowExplorer tool on the cleaned system; occasionally one survives because the deletion ran too quickly.
    – File-repair tools: PhotoRec and DiskGenius can scrape good sectors for usable data fragments if paying the ransom is not an option.

4. Other Critical Information

  • Unique Characteristics:
    – Extensive use of Python stager compiled to PE via PyInstaller. Static analysis still yields plain-text Python source, revealing hard-coded ransom note templates (__RECOVERY__.txt) and anti-VM checks (GetTickCount, looking for increased elapsed time).
    – Deploys custom UPX-packed netfilter driver to prevent AV from reaching live processes. Block the SYS file hash (SHA-256: 673c1efbcde8244783fe...).
    – Lateral WMI/PsExec spread: in observed incidents, 20 % of victims had more than 10 % of their fleet hit within 30 minutes of the initial breach.

  • Broader Impact / Notable Effects:
    – Heightened MSP targeting in LATAM & APAC: to date at least 21 healthcare clinics and 9 municipalities have publicly disclosed paying ransoms ranging from $12 k USDC to $80 k USDC (tracked on the ID-Ransomware leaderboard).
    – In some incidents, previously encrypted folders were re-encrypted nightly, dramatically inflating file sizes and complicating recovery where the activity was misidentified as a wiper.


Quick Reference Checklist

☐ Patch Exchange & Citrix Bleed NOW
☐ Disable internet-exposed RDP / strengthen with MFA
☐ Verify 3-2-1 backups are offline/immutable
☐ Run updated AV/EDR in Rescue Media to eradicate Coverton remnants
☐ No free decryptor = rely on backups first

Stay vigilant, share this advisory internally, and test recovery restore drills at least quarterly.