covm

[Content by Gemini 2.5]

Detailed Community Resource: The covm Ransomware (Dharma/Phobos Sub-variant)


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Exact File Extension: .covm
  • Renaming Convention:
    Each encrypted file is renamed twice:
    1. The original file loses its extension.
    2. A set of labels is appended in the following sequence:
       • Victim’s unique hexadecimal ID (id[8-hex-digits], id[16-hex-digits], or id[32-char-in-CRC-like-format])
       • Affiliate / campaign ID (if present), embedded in square brackets
       • Finally, the static extension .covm
    Example (before → after):
    Quarterly-Budget.xlsx → Quarterly-Budget.xlsx.id[42FA7E18-2563].[[email protected]].covm
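To make the convention above checkable, here is an added Python example (not part of the original resource) that parses .covm file names into their original name, victim ID and contact label, and triages a directory listing: it counts encrypted files, collects the victim IDs and contact labels seen, and locates the info.hta / info.txt notes this page describes later. The sample listing and the contact address are constructed placeholders.

```python
import re

# Pattern for the renaming convention described above:
#   <original name>.id[<victim ID>].[<contact email>].covm
# Victim ID forms per the page: 8 hex (optionally with the -4-hex suffix seen in the
# example), 16 hex, or a 32-character token; the bracketed contact label is optional.
COVM_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4})?|[0-9A-Fa-f]{16}|[0-9A-Za-z]{32})\]"
    r"(?:\.\[(?P<contact>[^\]]+)\])?"
    r"\.covm$"
)
RANSOM_NOTES = {"info.hta", "info.txt"}  # note file names listed later on this page


def parse_covm_name(filename):
    """Return {'original', 'victim_id', 'contact'} for a .covm rename, else None."""
    m = COVM_RE.match(filename)
    return m.groupdict() if m else None


def triage(paths):
    """Classify paths from a directory listing into encrypted files and ransom notes."""
    encrypted, notes = [], []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in RANSOM_NOTES:
            notes.append(p)
            continue
        parsed = parse_covm_name(name)
        if parsed:
            encrypted.append(dict(parsed, path=p))
    return {
        "encrypted": encrypted,
        "victim_ids": sorted({f["victim_id"] for f in encrypted}),
        "contacts": sorted({f["contact"] for f in encrypted if f["contact"]}),
        "notes": notes,
    }


# Constructed sample listing (not real victim data); the contact address is a placeholder.
SAMPLE_PATHS = [
    r"C:\Finance\Quarterly-Budget.xlsx.id[42FA7E18-2563].[contact@example.com].covm",
    r"C:\Finance\info.hta",
    r"C:\Finance\info.txt",
    r"C:\Users\Public\report.docx.id[0123456789ABCDEF].covm",
    r"C:\Users\Public\notes.txt",            # untouched file
    r"C:\Users\Public\fake.id[ZZZZ].covm",   # malformed ID: must not match
]

if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    print(len(summary["encrypted"]), "encrypted files; victim IDs:", summary["victim_ids"])
```

Feed it the output of a recursive directory listing taken from the offline boot environment; a note directory with no matching encrypted files is worth a manual look.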

2. Detection & Outbreak Timeline

  • First Wild Sighting: 23 September 2021
  • Acceleration Period: November 2021–December 2021 when affiliate campaigns leveraged holidays and year-end tax reporting spikes.
  • Current Status: Still circulating as of mid-2024 through “as-a-Service” Phobos affiliate channels.

3. Primary Attack Vectors

| Vector | Details & Practical Examples |
|---|---|
| RDP Brute-force / Credential Stuffing | Attackers scan TCP:3389 on exposed hosts, use leaked credentials from prior breaches, then disable firewall rules (netsh advfirewall set allprofiles state off). |
| Phishing attachments | Malicious ZIP → LNK posing as a PDF → PowerShell stager that downloads the .covm loader. |
| Abuse of living-off-the-land tools | Deployment chain often relies on PowerShell, wmic.exe, or bitsadmin.exe to bypass AV. |
| Software vulnerability exploits (secondary) | Post-infection: uses known EOL software (e.g., Adobe ColdFusion) on unpatched internal hosts to move laterally, but delivery is overwhelmingly RDP/phishing. |


Remediation & Recovery Strategies:

1. Prevention

  1. Kill RDP surface
    • Disable RDP at the gateway or restrict to VPN+2FA.
    • Change default 3389/TCP to non-standard ports + IP whitelists.
    • Enforce Network Level Authentication (NLA) and use Group Policy lockout settings to lock out brute-force sources after five failed attempts in 30 minutes.
  2. Credential hygiene
    • Impose 15-character, unique, random passwords via password manager.
    • Rotate local admin and RDP credentials quarterly.
    • Monitor for dark-web credential leakage and force resets.
  3. Patch & Config stack
    • Roll out cumulative Windows Updates and retire or replace any end-of-life software.
    • Deploy OS-level Controlled Folder Access (Windows Defender ASR) and set it to disallow script execution inside Downloads, Temp, and email-attachment folders.
    • Maintain immutable off-site backups (Veeam with hardened repository, Linux-repo air-gap).
  4. Security stack hardening
    • Enable Microsoft Defender real-time + cloud-delivered protection (Cloud EDR).
    • Deploy a DNS-layer filter (NextDNS, Quad9) to sinkhole Dharma C2s.
    • Enforce Tamper Protection so AV can’t be disabled via reg add or bcdedit.

2. Removal (Step-by-Step for IT Admins)

  1. Isolate
    • Unplug affected machine(s) from the LAN, or cut them off the network with a firewall rule.
    • Disconnect mapped drives to servers that have already been encrypted.
  2. Boot alternate OS
    • Use Windows PE or a Linux live USB to boot the host without launching the installed Windows; this prevents re-encryption.
  3. Purge persistence
    • Delete identified loader EXE from:
    %APPDATA%\Local\Temp\, C:\Users\Public\, C:\ProgramData\GenericName32.exe
    • Remove malicious Run keys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKCU\…\Run
    • Remove scheduled task(s) created under Microsoft\Windows or an arbitrary GUID folder; check for /tn \Microsoft\Windows\* pointing to the same EXE.
  4. Hash verification
    • Cross-check the dropped EXE’s SHA256 with VirusTotal; typical covm sample hashes end in E39BC230D1….
    • Ensure additional copies (.bat, .ps1, .lnk) are wiped from profile directories.
  5. AV scan
    • Run Microsoft Defender Offline Scan or boot-level scan with an alternate vendor (ESET, Kaspersky Rescue Disk).
  6. Final reboot & patching
    • Bring network adapter back online only after patching RDP exposure and credential reset.
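As an added example for step 3 (purge persistence) and its check for scheduled tasks pointing to the same EXE, the following Python (not from the original resource) correlates an exported inventory of Run values and task actions, flagging binaries that sit in the drop directories listed above and binaries referenced from more than one persistence point. The inventory, the "task:" source prefix, the user profile name "victim" and the GUID-named task are assumptions; run it on data exported from the offline hive and task XML, not on the live host.

```python
import re
from collections import defaultdict

# Drop directories named in the removal steps above (lower-cased); variable expansions
# assume a single profile named "victim" and must be adjusted per host.
SUSPECT_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\")
SUSPECT_FRAGMENT = "\\appdata\\local\\temp\\"
ENV = {"%localappdata%": "c:\\users\\victim\\appdata\\local", "%programdata%": "c:\\programdata",
       "%temp%": "c:\\users\\victim\\appdata\\local\\temp", "%public%": "c:\\users\\public"}
PATH_RE = re.compile(r'(?:[a-z]:|%[a-z]+%)\\[^"\s]+?\.(?:exe|ps1|bat|lnk|cmd)', re.I)

def extract_paths(command):
    """Executable/script paths referenced by a Run value or task action, lower-cased."""
    found = []
    for m in PATH_RE.finditer(command):
        p = m.group(0).lower()
        for var, val in ENV.items():
            p = p.replace(var, val)
        found.append(p)
    return found

def correlate(entries):
    """Group persistence entries by the binary they launch and flag the risky ones."""
    by_exe = defaultdict(list)
    for e in entries:
        for p in extract_paths(e["command"]):
            by_exe[p].append(e["source"])
    findings = []
    for exe, sources in by_exe.items():
        reasons = []
        if exe.startswith(SUSPECT_PREFIXES) or SUSPECT_FRAGMENT in exe:
            reasons.append("lives in a user-writable drop directory")
        if len(set(sources)) > 1:
            reasons.append("referenced from multiple persistence points")
        if reasons and any(s.lower().startswith("task:\\microsoft\\windows\\") for s in sources):
            reasons.append("scheduled task nested under \\Microsoft\\Windows")
        if reasons:
            findings.append({"exe": exe, "sources": sorted(set(sources)), "reasons": reasons})
    return sorted(findings, key=lambda f: f["exe"])

# Constructed inventory (not real data; the GUID task name is a placeholder) as exported from hive/task XML.
RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    {"source": RUN_HKLM, "command": r'"C:\ProgramData\GenericName32.exe" /silent'},
    {"source": r"task:\Microsoft\Windows\{6f3a9c1e-0000-4000-8000-000000000001}",
     "command": r"C:\ProgramData\GenericName32.exe"},
    {"source": RUN_HKCU, "command": r"powershell.exe -w hidden -File %TEMP%\update.ps1"},
    {"source": RUN_HKCU, "command": r'"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe" /background'},
]
```

Every flagged path is a candidate for the hash verification in step 4, not an automatic deletion; the OneDrive entry in the sample shows a legitimate per-user autorun passing through unflagged.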

3. File Decryption & Recovery

  • Recovery Feasibility:
    .covm utilizes AES-256 with RSA-1024 asymmetric encryption for each victim. Decryption without the private key held by the threat actors is not mathematically feasible. Other researchers have confirmed that file pairs (plaintext + ciphertext) are insufficient for key recovery, and file-scrambling proof-of-concepts do not work across the full range of file types.
  • Free Tool: Kaspersky’s Rakhni Decryptor & Emsisoft’s Dharma Decryptor cannot decrypt .covm because the operators do not mistakenly reuse keys.
  • Practical Options:
  1. Restore from backups (preferred) – restore Veeam, Unitrends, or Azure Site Recovery snapshots from a timestamp before encryption.
  2. Shadow Copy check – if the attacker missed vssadmin delete shadows, use ShadowExplorer to retrieve versions:
    vssadmin list shadows /for=C: followed by robocopy to copy shadow-copies to a new disk.
  3. File-repair via master file – corrupt databases (*.accdb, *.pst) may have residual unencrypted blocks; specialized forensics (Stellar Phoenix, R-Studio) sometimes recover fragments.
  • Essential Patches & Tools:
    • Microsoft March 2022 cumulative updates – address the Microsoft Defender exclusions bypass (RCE).
    • ESET Internet Security 17.0 – detects Phobos.Ransom.36.EC.
    • Defnaiser (freeware) – adds 2FA login to legacy RDP servers via an RDP-VPN bridge.
    • Windows Sysinternals “TCPView” and “Process Explorer” for live forensics and auxiliary loaders.

4. Other Critical Information

  • Unique Characteristics:
    – Prefers targeting small and medium-sized accounting firms & county governments because their RDP is frequently exposed for remote QuickBooks access.
    – Uses “dead-man switch” hibernation: if it cannot reach its C2 pool (Tor/onion), the dropper sleeps 30 min then retries, allowing for more logs to be flushed.
    – Leaves ransom note info.hta + info.txt on the desktop and in every impacted folder. Email address pattern is ALWAYS [campaign]@cock.li (e.g., [email protected]) plus an optional protonmail backup.
  • Broader Impact Example Cases:
    – August 2022: a 300-employee California HVAC company lost 3.2 TB; encrypted SQL financials + customer CAD drawings. Off-site backups restored in 48 h, total downtime cost = $87 K (ransom demand was 20 BTC).
    – December 2023: a Tennessee county clerk’s office paid $450 K after booking system + land-deeds database encrypted; ransomware spread from single QuickBooks server to 12 VMs via RDP pass-the-hash. Their insurance claim was denied due to unpatched FortiGate appliance.

Key Takeaway: .covm is a financially motivated affiliate strain, not a nation-state tool. Hardening RDP and maintaining immutable, offline backups remain the two most effective tactics.