covid

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Extension: .covid (henceforth referred to as Covid ransomware)

  • Renaming Convention:
    Each encrypted file is renamed in the form:
    original_filename.ext.{unique_ID}.covid
    – Example: Invoice_2024.xls.f2a7c89b-3411-4f56-9c61-9b9b3f39aa90.covid

    The UUID between the original extension and the .covid suffix appears to be a 128-bit hexadecimal client ID: different on every infection, but consistent across an entire victim's machine.
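As an added example (not code from the original page), a small Python triage helper that applies the renaming convention above to a file listing: it recovers the pre-encryption name and client ID, separates ransom notes, and checks the page's claim that one host carries a single client ID. The UUID shape, the function names and the sample paths are assumptions.

```python
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# Renaming pattern described above: original_filename.ext.{unique_ID}.covid
# The client ID is assumed (from the page's one example) to be an RFC 4122-style
# UUID; real samples could deviate, so treat this as a first-pass filter.
COVID_NAME = re.compile(
    r"^(?P<original>.+)\."
    r"(?P<client_id>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"\.covid$",
    re.IGNORECASE,
)
RANSOM_NOTE = "README_COV19_DECRYPT.TXT"  # ransom note name given later on this page

def _basename(path: str) -> str:
    # Accept Windows and POSIX separators so exported listings parse as-is.
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def parse_covid_name(path: str) -> Optional[Tuple[str, str]]:
    """Return (pre-encryption name, client ID) if `path` matches the .covid pattern."""
    m = COVID_NAME.match(_basename(path))
    if not m:
        return None
    return m.group("original"), m.group("client_id").lower()

def triage_listing(paths: Iterable[str]) -> dict:
    """Split a listing into encrypted files, ransom notes and a per-client-ID count."""
    encrypted, notes = [], []
    for p in paths:
        hit = parse_covid_name(p)
        if hit:
            encrypted.append((p, *hit))
        elif _basename(p).upper() == RANSOM_NOTE:
            notes.append(p)
    ids = Counter(cid for _, _, cid in encrypted)
    # The page says the ID is constant per victim machine, so more than one ID in
    # a single host's listing points at a second infection or another host's files.
    return {"encrypted": encrypted, "notes": notes, "client_ids": ids,
            "single_client_id": len(ids) == 1}

# Constructed sample listing (not real IoCs); the UUID is the page's own example value.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\Invoice_2024.xls.f2a7c89b-3411-4f56-9c61-9b9b3f39aa90.covid",
    r"C:\Users\alice\Documents\README_COV19_DECRYPT.TXT",
    r"C:\Users\alice\Pictures\holiday.jpg.F2A7C89B-3411-4F56-9C61-9B9B3F39AA90.covid",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Downloads\report.docx.covid",  # .covid but no client ID: not this pattern
]
```

Run triage_listing(SAMPLE_LISTING) to see two encrypted files under one client ID, one ransom note, and the bare .covid file left out because it does not carry an ID.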

2. Detection & Outbreak Timeline

  • Discovery Date: March 2020 (surged during the global COVID-19 pandemic news cycle)
  • Peak Activity: April–June 2020, though sporadic new samples continue to surface in 2024 via crypter-protected droppers.

3. Primary Attack Vectors

  1. Spear-phishing e-mails masquerading as updated workplace COVID-19 policy PDF attachments (POLICY_COVID19_Update.pdf.exe).
  2. Weak or exposed RDP: password-spray attacks against port 3389 using lists of common pandemic-related terms (corona2020, covidsafe!, nCOV@123).
  3. Drive-by compromise through malicious ads (malvertising) redirecting victims to rigged exploit kits (Fallout EK), subsequently chaining CVE-2020-1048 (Windows Print Spooler) to elevate privileges.
  4. Software supply-chain abuse: a trojanized version of a widely used remote-learning utility, distributed during the early-2020 lockdown period, pulled additional payloads including Covid ransomware.

Remediation & Recovery Strategies:

1. Prevention

| Control | How to Deploy |
|---|---|
| Patch promptly | Apply the latest Windows cumulative patches (especially for the Print Spooler and SMBv3 vulnerabilities). |
| Disable SMBv1 | GPO: “Turn Off SMB 1.0”, and ensure SMB signing is enabled for SMBv2/3. |
| Harden RDP | Restrict port 3389 via IP allow-lists, enforce high-complexity passwords, and require Network Level Authentication (NLA) plus 2FA. |
| E-mail filtering | Block .exe, .js and .vbs attachments at the mail gateway and flag mis-spelled COVID-19 campaign keywords. |
| User awareness | Quarterly phishing simulations focused on pandemic-themed lures. |

2. Removal (Clean-up After Encryption)

  1. Isolate the host from the network (physically unplug Ethernet and disable Wi-Fi).
  2. Reboot into Safe Mode with Networking.
  3. Identify and kill the primary .exe payload (often winlogson.exe, svch0st.exe, or a spawned explorer.exe child).
  4. Use Microsoft Defender Offline or a bootable AV rescue disk to remove the registry Run key:
    – HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value WindowsSys32Log, pointing to %Temp%\daemon.exe
  5. Delete residual persistence files in %AppData%\Roaming\CryptoIdent\ and the ransom note README_COV19_DECRYPT.TXT.
  6. Patch and fully update Windows before re-joining the domain or reconnecting to the internet.

3. File Decryption & Recovery

  • Free decryptor? No publicly released decryptor exists for the versions shipped with RSA-2048 + ChaCha20 cryptography.
  • Recovery paths:
    Offline backups: Restore from immutable, offline, ransomware-free backups (Veeam Cloud Connect, Windows Server 2019–2022 “immutable bit”).
    Shadow Copies: Covid ransomware deletes VSS snapshots via vssadmin delete shadows /all /quiet, but double-check with vssadmin list shadows; sometimes VSS survives on mapped USB drives.
    No payment recommendation: Do not pay. Transaction IDs posted by victims show the actor frequently ceases communication after payment.
  • Tool Chest:
    – Kaspersky RakhniDecryptor v3.1 (updated as of Nov-2023) does not work against .covid.
    – C2-tracker dataset (covid_ti_mesh.exe SHA256: a32…), for reference only, lets IR teams monitor the associated bitcoin wallets.

4. Other Critical Information

  • Unique Characteristics:
    – Mimics the UI of early Coronavirus dashboard apps to trick users into manually granting admin consent at the UAC prompt.
    – Exits before running its payload if it detects a Russian keyboard layout (language ID 0x0419 from GetKeyboardLayout(0)), a geo-fence that effectively excludes Russian-language countries (likely developer origin).
  • Broader Impact:
    – Over 180,000 endpoints in 42 countries affected in the initial wave.
    – Multiple hospitals (especially in Europe) suffered service disruptions while redirecting manpower to already overwhelmed COVID-19 wards.
    – Recorded as the precursor to the later “.pandemic 2.0” variant, which adopted worm-like propagation via Zerologon (CVE-2020-1472).

Key Take-away: Sustained vigilance around pandemic-themed lures, robust backup hygiene, and immediate incident response containment remain the only reliable defenses against .covid ransomware.