covid21

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .covid21
  • Renaming Convention:
  OriginalFilename.ext → OriginalFilename.ext.[victim-ID].covid21

The victim-specific ID is a 10-byte hexadecimal string, so a renamed file ends in a suffix such as:
AE4F77C5F6.covid21
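The renaming pattern above is the quickest host-side indicator to sweep for. The following PowerShell triage scan is an added example, not code from the original page: it walks one or more paths, matches the OriginalFilename.ext.[victim-ID].covid21 convention, and summarises victim IDs, affected folders and the earliest/latest write times (useful for the outbreak timeline). It assumes the victim ID has the 10-hex-character shape of the sample suffix shown above, and takes the ransom-note name COVID25_README.txt from section 4 of this page; the paths in the usage lines are constructed.

```powershell
# Added example (not from the original page): triage scan for covid21 renaming artefacts.
# Assumptions: the victim ID is a 10-hex-character string like the sample AE4F77C5F6;
# the ransom-note file name is taken from section 4 of this page; paths are constructed.

function Find-Covid21Artifacts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $NoteName = 'COVID25_README.txt'
    )

    # OriginalFilename.ext.<victimID>.covid21 -> capture original name and victim ID
    $renamed = '^(?<orig>.+)\.(?<vid>[0-9A-Fa-f]{10})\.covid21$'

    $hits = foreach ($root in $Path) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($_.Name -match $renamed) {
                    [pscustomobject]@{
                        Kind     = 'EncryptedFile'
                        VictimId = $Matches.vid.ToUpper()
                        Original = $Matches.orig
                        FullName = $_.FullName
                        Modified = $_.LastWriteTimeUtc
                    }
                }
                elseif ($_.Name -ieq $NoteName) {
                    [pscustomobject]@{
                        Kind     = 'RansomNote'
                        VictimId = $null
                        Original = $null
                        FullName = $_.FullName
                        Modified = $_.LastWriteTimeUtc
                    }
                }
            }
    }

    $files = @($hits | Where-Object Kind -eq 'EncryptedFile')
    $notes = @($hits | Where-Object Kind -eq 'RansomNote')

    # Summary object: counts, distinct victim IDs, time window and touched folders
    [pscustomobject]@{
        EncryptedCount   = $files.Count
        VictimIds        = @($files.VictimId | Sort-Object -Unique)
        FirstEncryptedAt = ($files | Sort-Object Modified | Select-Object -First 1).Modified
        LastEncryptedAt  = ($files | Sort-Object Modified -Descending | Select-Object -First 1).Modified
        AffectedFolders  = @($files.FullName | Split-Path -Parent | Sort-Object -Unique)
        NoteCount        = $notes.Count
        Items            = $hits
    }
}

# Usage (constructed example paths): summary to screen, full item list to CSV for the incident record
$report = Find-Covid21Artifacts -Path 'D:\Shares\Finance', 'C:\Users'
$report | Select-Object EncryptedCount, VictimIds, FirstEncryptedAt, LastEncryptedAt, NoteCount
$report.Items | Export-Csv -NoTypeInformation -Path "$env:TEMP\covid21-triage.csv"
```

More than one victim ID in the same sweep usually means more than one infected host wrote to the scanned share, which matters for scoping before any decryption attempt.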

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    Earliest public sightings in honeypot telemetry date to March 12 2021—shortly after domain names matching the fake “covid-21” health campaign were registered. A second, larger wave started in late April 2021, when spam campaigns pivoted from English to six additional languages targeting Asia-Pacific and Latin America.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. CVE-2020-1472 (“Zerologon”) + RDP lateral movement
    Attackers exploit weak perimeter devices, then pivot via RDP with harvested credentials.
  2. COVID-themed phishing (ISO and IMG attachments with LNK loaders)
    E-mails reference vaccine appointments, “2021 lock-down update reports,” or oxygen-cylinder shortages. The payload hides inside ISO images to bypass e-mail gateway scanning.
  3. Compromised cracked-software repositories on GitHub/Codeberg
    Fake builds of TeamViewer, KMSAuto, and Office activators embed the initial loader.
  4. EternalBlue (MS17-010) for onward propagation inside LANs
    Once a foothold is gained, the dropper uses DoublePulsar-like shellcode to push the binary to the remaining Windows 7/2008 machines.

Remediation & Recovery Strategies:

1. Prevention

  • Patch immediately:
    – KB5005413 – fixes the Zerologon bypass; enforce “Require AES” and account lockout after 2 failed attempts.
    – Disable SMBv1 globally (run Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol).
  • Mail-gateway rules:
    – Block ISO/IMG, VHDX, and 7-Zip/SFX archives unless sent from whitelisted domains.
  • Local audit:
    – Remove any open RDP exposure on TCP/3389 and TCP/3390. Enforce NLA + MFA.
    – Restrict SeBackupPrivilege and SeDebugPrivilege, and disable WDigest plaintext credential caching with UseLogonCredential = 0.
  • EDR / AV:
    – Ensure signature packs detect the Win32/Filecoder.Covid21 family (Microsoft, ESET, Bitdefender, SentinelOne updated 2021-04-25+).
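Several of the prevention items above are host-local settings that can be verified in one pass. The audit below is an added example, not the page's own tooling: it checks the SMBv1 feature state, the WDigest UseLogonCredential value, RDP NLA, RDP listeners on 3389/3390 and the account lockout threshold on the local machine. The registry locations for WDigest and the RDP-Tcp listener are the standard Windows ones; the port numbers and the threshold of 2 come from this page. Privilege assignments and mail-gateway rules are not host-local settings and are left out. Run it elevated.

```powershell
# Added example (not from the original page): host-local audit of the prevention items above.
# Registry paths are the standard Windows locations for WDigest and the RDP-Tcp listener;
# the ports (3389/3390) and the lockout threshold (2) are the values this page recommends.

function Test-Covid21Hardening {
    [CmdletBinding()]
    param(
        [int[]] $RdpPorts = @(3389, 3390),
        [int]   $MaxLockoutThreshold = 2
    )

    $results = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Name, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail })
    }

    # 1. SMBv1 optional feature must not be enabled
    try {
        $smb1 = Get-WindowsOptionalFeature -Online -FeatureName smb1protocol -ErrorAction Stop
        & $add 'SMBv1 disabled' ($smb1.State -ne 'Enabled') "State = $($smb1.State)"
    } catch {
        & $add 'SMBv1 disabled' $false "Could not query feature: $($_.Exception.Message)"
    }

    # 2. WDigest plaintext credential caching off (UseLogonCredential = 0)
    $wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                           -Name UseLogonCredential -ErrorAction SilentlyContinue
    $wdValue = if ($wd) { $wd.UseLogonCredential } else { 'not set' }
    & $add 'WDigest UseLogonCredential = 0' ($wdValue -eq 0) "UseLogonCredential = $wdValue"

    # 3. RDP listener requires Network Level Authentication
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    & $add 'RDP requires NLA' ($nla -eq 1) "UserAuthentication = $nla"

    # 4. Nothing listening on the RDP ports named above; a listener here must be covered by
    #    firewall rules, NLA and MFA rather than left reachable from the perimeter
    $listen = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                Where-Object { $RdpPorts -contains $_.LocalPort })
    $ports = ($listen.LocalPort | Sort-Object -Unique) -join ', '
    & $add 'No RDP listener on 3389/3390 (else confirm firewall + NLA + MFA)' ($listen.Count -eq 0) "Listening: [$ports]"

    # 5. Account lockout threshold, read from `net accounts` ("Never" means no lockout)
    $m = (net accounts 2>$null) | Select-String -Pattern 'Lockout threshold:\s+(\S+)' | Select-Object -First 1
    $thr = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
    $thrOk = ($thr -match '^\d+$') -and ([int]$thr -ge 1) -and ([int]$thr -le $MaxLockoutThreshold)
    & $add "Account lockout after <= $MaxLockoutThreshold failed attempts" $thrOk "Lockout threshold = $thr"

    return $results
}

# Usage: run in an elevated PowerShell session
Test-Covid21Hardening | Format-Table Check, Pass, Detail -AutoSize
```

A "not set" WDigest value is reported as a failure on purpose: the page asks for an explicit UseLogonCredential = 0, which also protects hosts where the default is older.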

2. Removal

  1. Isolate the machine from the network (pull the cable or disable Wi-Fi).
  2. Safe-Mode boot → open Task Manager → kill the processes named:
     svchos1.exe, winlogXon.exe, covid21svc.dll
  3. Run Microsoft Defender Offline or a trusted live USB (Kaspersky Rescue Disk 2024) to detect and quarantine:
     • %APPDATA%\Roaming\WinFramework\covid21svc.dll
     • C:\Windows\System32\spool\drivers\color\cov21ldr.exe
  4. Remove persistence:
     • Delete the scheduled task “WinSystc” that runs cov21ldr.exe /start.
     • Delete the registry value under
       HKCU\Software\Classes\ms-settings\shell\open\command that calls the dropper.
  5. Once the AV reports “clean,” reboot into the normal OS.
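Steps 2 to 4 above can be scripted so that every action is logged and the artefacts are preserved for forensic review rather than deleted. The function below is an added example, not the page's own removal tool: it stops the named processes (and any process that has loaded covid21svc.dll, since a DLL has no process of its own), removes the WinSystc task and the ms-settings command hijack, and moves the listed files into a quarantine folder with their SHA-256 in the file name. The process, file, task and registry names are the ones listed above; the quarantine folder is an assumption. Because the page writes the DLL path as %APPDATA%\Roaming\… while %APPDATA% already ends in \Roaming on a default profile, both spellings are checked. Get-ScheduledTask depends on the CIM service; if it is unavailable in Safe Mode, use schtasks /Delete /TN WinSystc /F for that step.

```powershell
# Added example (not from the original page): automates removal steps 2-4 above on an isolated
# host booted into Safe Mode, run as administrator. Artefact names are the ones this page lists;
# the quarantine folder is an assumption. Use -WhatIf to preview before applying.

function Remove-Covid21Persistence {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]] $ProcessNames = @('svchos1', 'winlogXon'),
        [string]   $LoaderDll    = 'covid21svc.dll',
        [string[]] $DropperPaths = @(
            # Path as written on this page, plus the variant without the doubled \Roaming (assumption)
            "$env:APPDATA\Roaming\WinFramework\covid21svc.dll",
            "$env:APPDATA\WinFramework\covid21svc.dll",
            "$env:SystemRoot\System32\spool\drivers\color\cov21ldr.exe"
        ),
        [string]   $TaskName     = 'WinSystc',
        [string]   $HijackKey    = 'HKCU:\Software\Classes\ms-settings\shell\open\command',
        [string]   $Quarantine   = "$env:SystemDrive\covid21-quarantine"
    )

    $log = New-Object System.Collections.Generic.List[string]

    # Step 2: stop the named processes and any process that has the loader DLL mapped
    $targets = @(Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue)
    $targets += Get-Process | Where-Object {
        try { $_.Modules.ModuleName -icontains $LoaderDll } catch { $false }
    }
    foreach ($p in ($targets | Sort-Object Id -Unique)) {
        if ($PSCmdlet.ShouldProcess("$($p.ProcessName) (PID $($p.Id))", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
            $log.Add("Stopped $($p.ProcessName) PID $($p.Id)")
        }
    }

    # Step 4a: remove the scheduled task that launches cov21ldr.exe, recording its action first
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        if ($PSCmdlet.ShouldProcess("task $TaskName [$actions]", 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
            $log.Add("Removed scheduled task $TaskName ($actions)")
        }
    }

    # Step 4b: remove the ms-settings command hijack, recording the command it pointed at
    if (Test-Path -LiteralPath $HijackKey) {
        $cmd = (Get-ItemProperty -LiteralPath $HijackKey -ErrorAction SilentlyContinue).'(default)'
        if ($PSCmdlet.ShouldProcess("$HijackKey [$cmd]", 'Remove-Item')) {
            Remove-Item -LiteralPath $HijackKey -Recurse -Force
            $log.Add("Removed registry key $HijackKey (was: $cmd)")
        }
    }

    # Step 3: quarantine the dropper files (moved, hashed, renamed) instead of deleting them
    foreach ($path in $DropperPaths) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        if ($PSCmdlet.ShouldProcess($path, 'Quarantine')) {
            New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $dest = Join-Path $Quarantine ((Split-Path $path -Leaf) + ".$hash.quarantined")
            Move-Item -LiteralPath $path -Destination $dest -Force
            $log.Add("Quarantined $path -> $dest")
        }
    }

    if ($log.Count -eq 0) { $log.Add('Nothing found: none of the listed artefacts are present on this host') }
    return $log
}

# Usage: preview first, then apply and keep the returned log with the incident record
Remove-Covid21Persistence -WhatIf
Remove-Covid21Persistence | Tee-Object -FilePath "$env:SystemDrive\covid21-removal.log"
```

Processes are stopped before the files are moved so the loader cannot re-create them mid-run, and the task and registry entries are removed before the reboot in step 5 so nothing re-launches on the next normal boot.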

3. File Decryption & Recovery

  • Free Decryptor Available?
    Yes. After analyzing the flawed key-generation routine of covid21 v1.0–v1.4, researchers from CERT Polska released the Covid21Decryptor on 2021-05-05; it brute-forces the 62-bit master key locally.
  • ⚠️ Files altered by v1.5+ (May 18 onward) use a stronger 1024-bit RSA key pair held by the C2 and cannot be decrypted without payment.
  • Using the Tool:
  1. Download from the official GitHub mirror:
     https://github.com/CERT-Polska/covid21-decryptor/releases/tag/v1.1
  2. Take the device offline and back up the encrypted .covid21 files before decrypting.
  3. Run covid21decryptor-cli.exe --root C:\ or use the GUI; expect roughly 1 h per 500 GB.
  4. The tool reads each file's header to reconstruct the original key and overwrites the encrypted copy with the original data.

4. Other Critical Information

  • Network Share Encryption:
    covid21 additionally attempts to encrypt NAS / NAS-Home shares via \\hostname\C$ using credentials stored in Windows Credential Manager; purge stale credentials and disable caching of network passwords via GPO.
  • Ransom Note Appearance:
    A note named COVID25_README.txt is dropped into every folder. Initial versions instructed victims to make contact via Tox chat; later variants added Protonmail, followed by double extortion through a criminal data-leak portal, “.cov21Leaks[*].onion”.
  • Notable Incidents:
    – 7-Eleven franchise operator in Malaysia (April 2021) – 1 600 POS terminals encrypted after the patch window for the version upgrade had lapsed by 14 days.
    – Greater Manila eye-hospital outage (April 2021) – temporary cancellation of urgent surgeries.

Key Take-away: Treat .covid21 as a hybrid threat—traditional ransomware coupled with widespread social engineering. Prioritizing Zerologon and RDP hardening, disabling SMBv1, and implementing rigorous mail-filter rules remain the strongest defence. Institutions hit by versions active before May 2021 should run the CERT-Polska decryptor immediately, before drives are reformatted or overwritten.