covm

[Content by Gemini 2.5]

COVM Ransomware – Technical & Recovery Intelligence Report

A community resource maintained by the cybersecurity response team for the file extension .covm


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    .covm (all lowercase). Every encrypted file acquires this suffix in addition to the original extension, e.g. Presentation.pptx becomes Presentation.pptx.covm.
  • Renaming Convention:
    typical: <original.name.ext>.covm (no change to the original file name or path other than the appended extension).
    edge cases: directory names and the folder tree are left intact; only files are renamed. STOP/Djvu also skips a fixed set of locations (notably the Windows directory) and files that already carry the extension, so an untouched file is not by itself proof that the payload failed.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First sample sightings in the wild appeared late January 2020 (earlier SHA-256 trackers: 45c94e3ce90…).
    A second, larger wave surfaced mid-February 2020, coinciding with aggressive malspam campaigns disguised as COVID-19 awareness emails.

3. Primary Attack Vectors

| Vector | Details & Specific Examples | Mitigation Priority |
|---|---|---|
| Malicious email attachments | ZIP/ACE archives claiming to contain "coronavirus safety guidelines.pdf.js"; inside, macro-laden Office documents or JavaScript droppers. | Filter archive and script attachments at the gateway; block macros. |
| Exploit kits | Fallout EK and RIG EK served via compromised WordPress sites (tagged FaviconEK). Chain: CVE-2018-8174 (VBScript engine) → Emotet → COVM dropper. | Browser and OS patching; network segmentation. |
| RDP brute force | Weak or default passwords → RDP logon → lateral movement → PsExec deployment of the payload. | Enforce NLA and MFA; lockout policy; no RDP exposed to the Internet. |
| SMB EternalBlue (MS17-010) | Legacy Windows 7 / Server 2008 hosts still unpatched years after WannaCry; Mimikatz credential theft is then used for lateral movement (Mimikatz harvests credentials, it does not deliver the payload). | Apply MS17-010; disable SMBv1 permanently. |
| Software supply chain / cracked software | One reported incident involved a cracked accounting package whose update server delivered an impersonated updater.exe. STOP/Djvu as a family is routinely bundled with cracks and key generators. | Code-signing validation; application allow-listing; no unlicensed software. |


Remediation & Recovery Strategies

1. Prevention

  • Patch early / patch often:
    − Windows OS: apply the March 2020 cumulative update and every one after it.
    − Third party: Adobe, Java, VPN appliances (follow the vendor advisories).
  • Disable legacy protocols:
    − Disable SMBv1 (PowerShell: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force, or the equivalent GPO/DISM setting).
    − Block RDP at the gateway unless it sits behind VPN + MFA.
  • Security hardening:
    − Application allow-listing with Microsoft Defender Application Control or AppLocker.
    − Macro setting at minimum "Disable all with notification"; additionally block macros in files that carry the Mark-of-the-Web.
    − DNS filtering for newly registered domains (the COVID-themed lure domains of the period were typically days old). Note that .covm is a file extension, not a domain pattern, so it is not a DNS indicator.
  • Backups:
    Follow the 3-2-1 rule: 3 copies, 2 media, 1 offline/off-site (immutable backups if using cloud). A backup that is mounted as a drive letter at the time of infection is not a backup; the payload encrypts it like any other volume.
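The prevention controls above, applied to a single host as an added example (this is editor-supplied code, not part of the original report): SMBv1 off, NLA on, RDP reachable only from the VPN range, Office macro policy set, and an account lockout. The VPN subnet is an assumed value; the rule names prefixed COVM- are arbitrary.

```powershell
# Added example (not from the original report): apply the prevention controls
# above on one Windows 10/11 or Server host. Run in an elevated PowerShell.
# $VpnCidr is an assumed value; replace it with your VPN client range.
param(
    [string]$VpnCidr = '10.50.0.0/16'   # assumption: VPN client subnet
)

# 1. SMBv1 off in the server configuration and the feature removed (no SMBv1 client either).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null

# 2. RDP: require Network Level Authentication.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. RDP reachable only from the VPN range. Windows Firewall evaluates Block rules
#    before Allow rules, so a blanket Block on 3389 would also cut off the VPN.
#    Instead: default inbound action Block, built-in "Remote Desktop" allow rules
#    disabled, and one allow rule scoped to the VPN subnet.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
Get-NetFirewallRule -DisplayName 'COVM-Allow-RDP-from-VPN' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'COVM-Allow-RDP-from-VPN' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $VpnCidr -Action Allow -Profile Any | Out-Null

# 4. Office macros (policy keys for Office 2016/2019/365 = version 16.0):
#    VBAWarnings 2 = "Disable all with notification";
#    BlockContentExecutionFromInternet 1 = no macros at all in Mark-of-the-Web files.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $sec -Force | Out-Null
    Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Value 2 -Type DWord
    Set-ItemProperty -Path $sec -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
}

# 5. Lockout against RDP password guessing: 5 failures, 30-minute lockout.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 6. Read the settings back so the change is verified, not assumed.
[pscustomobject]@{
    Smb1Enabled    = (Get-SmbServerConfiguration).EnableSMB1Protocol
    RdpNlaRequired = ((Get-ItemProperty -Path $rdpKey).UserAuthentication -eq 1)
    RdpAllowedFrom = (Get-NetFirewallRule -DisplayName 'COVM-Allow-RDP-from-VPN' |
                      Get-NetFirewallAddressFilter).RemoteAddress
}
```

On Windows Server the SMBv1 feature is removed with Remove-WindowsFeature FS-SMB1 instead of Disable-WindowsOptionalFeature. For a fleet, push the same settings through GPO rather than running this per host; the verification object at the end is what you collect to prove the control is in place.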

2. Removal (Step-by-Step Cleanup)

  1. Isolate: pull the network cable / disable Wi-Fi. Keep the machine powered on if you intend to capture memory; the dropper's command line and key material are only recoverable from RAM.
  2. Identify the process:
    tasklist /V | findstr /I covm or wmic process where "name='covm.exe'" get ProcessId,CommandLine. The names below are those reported for these samples; STOP/Djvu droppers are usually randomly named and stored in a GUID-named folder under %LOCALAPPDATA%, so also look for any process running from a user-writable directory.
  3. Remove persistence:
  • Task Scheduler: remove the task labelled GoogleUpdateCheck that launches %WINDIR%\System32\covm.exe.
  • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value covm.
  4. Collect, then delete binaries and artifacts:
  • Copy %TEMP%\covm.exe, %APPDATA%\covm\ and the shadow-copy deletion attempt logs under C:\ProgramData\*.tmp.log to evidence storage before deleting them; the binary is what identifies the variant.
  • Do NOT clear Prefetch or UserAssist keys: they are execution evidence for the investigation, not malware components.
  5. Scan with an up-to-date AV/EDR (Defender / ESET / Kaspersky) to catch remnants and any bundled information stealer this family commonly drops alongside the ransomware.
  6. Restore from backup or proceed to decryption (section 3).
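Steps 2 to 4 of the procedure above, as an added triage script (editor-supplied, not from the original report). It lists suspicious processes, Run-key entries and scheduled tasks, flagging both the names this report gives and anything executing from a user-writable directory, and only removes them when -Remove is passed. The default name list is the report's own covm.exe; everything else is a generic heuristic.

```powershell
# Added example (not from the original report): triage persistence and running
# processes before removal. Read-only unless -Remove is given. Run elevated.
param(
    [string[]]$KnownNames = @('covm.exe'),   # names listed in this report
    [switch]$Remove
)

# STOP/Djvu droppers normally live in a GUID folder under %LOCALAPPDATA%, so any
# binary under these roots is treated as suspicious regardless of its name.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'Downloads'))

function Test-Suspicious {
    param([string]$Path, [string]$Name)
    if ($Name -and ($KnownNames -contains $Name)) { return $true }
    if (-not $Path) { return $false }
    foreach ($dir in $userWritable) {
        if ($dir -and $Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Running processes (capture memory first if you need it; this does not kill anything yet).
$procs = @(Get-CimInstance Win32_Process |
    Where-Object { Test-Suspicious $_.ExecutablePath $_.Name } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine)
$procs | Format-Table -AutoSize

# 2. Run keys: HKCU, HKLM and the 32-bit view on 64-bit Windows.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$runHits = @(foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
        $v = [string]$p.Value
        # First quoted path, or the first whitespace-delimited token, is the executable.
        $exe = if ($v -match '^"([^"]+)"') { $Matches[1] } else { ($v -split '\s+')[0] }
        if (-not $exe) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (Test-Suspicious $exe (Split-Path $exe -Leaf)) {
            [pscustomobject]@{ Key = $k; Value = $p.Name; Command = $v }
        }
    }
})
$runHits | Format-Table -AutoSize

# 3. Scheduled tasks whose action launches a suspicious binary.
$taskHits = @(Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }              # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
        if (Test-Suspicious $exe (Split-Path $exe -Leaf)) {
            [pscustomobject]@{ Task = $t.TaskName; Path = $t.TaskPath; Execute = $exe; Args = $a.Arguments }
        }
    }
})
$taskHits | Format-Table -AutoSize

# 4. Removal only on request. Copy the binaries off-host first: they identify the
#    variant and are needed if a decryption route opens up later.
if ($Remove) {
    foreach ($p in $procs)    { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }
    foreach ($h in $runHits)  { Remove-ItemProperty -Path $h.Key -Name $h.Value -ErrorAction SilentlyContinue }
    foreach ($h in $taskHits) { Unregister-ScheduledTask -TaskName $h.Task -TaskPath $h.Path -Confirm:$false }
}
```

Run it once without -Remove and review the three tables: legitimate software installed per-user (browsers, chat clients) also runs from %LOCALAPPDATA% and will show up, so confirm each hit against the file's signature and creation time before removing it.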

3. File Decryption & Recovery

  • Current Status:
    COVM is a STOP/Djvu family variant. STOP/Djvu keys are not "cracked": each victim's file key is protected with a key only the attackers hold, and an offline key becomes usable only when that private key is obtained and added to the Emsisoft Decryptor for STOP Djvu. An offline ID (personal ID ending in t1) means the payload could not reach its server during encryption and fell back to a key shared by every victim of that variant; for those, decryption is feasible once the key is in the decryptor, so check it and re-check periodically.
  • Online-key infections (a personal ID that does not end in t1) cannot be decrypted by any public tool; the key is unique to the victim and held only by the attackers.
  • Tools:
  1. Emsisoft Decryptor for STOP Djvu (free; STOPDecrypter was its predecessor and covers only pre-August-2019 variants):
    • Point it at the affected folders. It reads the personal ID from the encrypted files and its log states whether a key for that ID is known or whether the ID is an online ID.
    • An encrypted/original file pair is only useful for the old (pre-August-2019) variants; it does not help with .covm.
  2. ShadowExplorer, if the vssadmin deletion was blocked or failed and shadow copies survived.
  3. PhotoRec / Recuva: last-resort carving of deleted originals; unreliable on SSDs with TRIM enabled. Note that STOP/Djvu encrypts only the first 150 KB of each file, so for large media files everything past that offset is intact and format-specific partial-recovery tools may salvage usable content.
  • Success Checklist:
    ✓ Read %SystemDrive%\SystemID\PersonalID.txt (the ID is also in the ransom note). Offline or online ID decides feasibility.
    ✓ Keep a sample encrypted file, its ransom note and the dropper binary; submit the note or sample to ID Ransomware to confirm the variant.
    ✓ If the ID ends in t1, run the Emsisoft Decryptor for STOP Djvu and re-run it as new keys are released.
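The feasibility decision above, as an added example (editor-supplied, not part of the original report or of any decryptor): it reads the personal ID(s) from PersonalID.txt, classifies each as offline or online by the t1 suffix, inventories .covm files with their original names, and records how many bytes of each file lie beyond the 150 KB encrypted prefix. Two labelled assumptions: the trailing marker GUID is the one widely reported for STOP/Djvu encrypted files and should be confirmed against your own sample, and the scan root is a placeholder.

```powershell
# Added example (not from the original report): decide whether decryption is
# realistic before spending time on tools, and build an inventory for recovery.
# Assumptions, labelled:
#   - personal IDs come from C:\SystemID\PersonalID.txt (STOP/Djvu default path)
#   - offline ID = ends in "t1"; anything else is treated as online
#   - STOP/Djvu encrypts only the first 150 KB of each file; the rest is intact
#   - $Marker is the trailer reported for STOP/Djvu files; verify on your sample
param(
    [string]$Root   = 'D:\',                                             # assumption: volume to scan
    [string]$IdFile = (Join-Path $env:SystemDrive 'SystemID\PersonalID.txt')
)
$Marker          = '{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}'
$EncryptedPrefix = 150KB    # PowerShell literal: 153600 bytes

function Get-StopIdKind {
    param([string]$Id)
    $Id = $Id.Trim()
    if ($Id -match 't1$') { 'offline' } elseif ($Id) { 'online' } else { 'unknown' }
}

function Test-StopTrailer {
    # Reads only the last bytes of the file; no need to load large media into memory.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        if ($fs.Length -lt $Marker.Length) { return $false }
        $buf = New-Object byte[] $Marker.Length
        $fs.Seek(-$Marker.Length, [System.IO.SeekOrigin]::End) | Out-Null
        $fs.Read($buf, 0, $buf.Length) | Out-Null
        return ([System.Text.Encoding]::ASCII.GetString($buf) -eq $Marker)
    } finally { $fs.Dispose() }
}

# PersonalID.txt may hold several IDs if the payload ran more than once.
$ids = if (Test-Path $IdFile) { Get-Content $IdFile | Where-Object { $_.Trim() } } else { @() }
$idReport = @($ids | ForEach-Object { [pscustomobject]@{ PersonalId = $_.Trim(); Kind = (Get-StopIdKind $_) } })
$idReport | Format-Table -AutoSize

$files = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.covm' -ErrorAction SilentlyContinue)
$report = @(foreach ($f in $files) {
    [pscustomobject]@{
        Encrypted    = $f.FullName
        OriginalName = $f.FullName -replace '\.covm$', ''              # renaming pattern from section 1
        TrailerMatch = (Test-StopTrailer $f.FullName)
        IntactBytes  = [math]::Max(0, $f.Length - $EncryptedPrefix)   # tail never touched by the cipher
    }
})
$report | Export-Csv -Path (Join-Path $env:TEMP 'covm-inventory.csv') -NoTypeInformation

$offline = @($idReport | Where-Object Kind -eq 'offline').Count
[pscustomobject]@{
    EncryptedFiles = $files.Count
    TrailerMatches = @($report | Where-Object TrailerMatch).Count
    OfflineIds     = $offline
    OnlineIds      = @($idReport | Where-Object Kind -eq 'online').Count
    Decision       = if ($offline -gt 0) {
                         'Offline ID present: run Emsisoft Decryptor for STOP Djvu; its log says whether this key is known'
                     } else {
                         'Online ID only: no public decryptor; restore from backup, shadow copies or carving'
                     }
}
```

The CSV is the working list for whichever route you take: OriginalName gives the rename mapping for a restore-from-backup comparison, and IntactBytes tells you which large files are worth handing to a format-aware partial-recovery tool. A file whose trailer does not match the marker was either not encrypted by this family or was truncated, and should be looked at separately.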

4. Other Critical Information

  • Unique Distinguishers:
  • The payload displays a fake "Windows Update" progress window during encryption so the user does not interrupt it, while it silently deletes shadow copies (vssadmin delete shadows /all /quiet).
  • It exits without encrypting on machines in CIS countries (keyboard-layout / locale check), a self-protection measure common to this family.
  • The ransom note _readme.txt is dropped into folders containing encrypted files; it carries the personal ID and the attackers' contact email addresses (the addresses themselves are omitted here).
  • Broader Impact:
    In February 2020 the campaign interrupted hospital systems preparing for COVID-19 response, forcing rollbacks of PACS imaging servers.
  • Open-source intel feed: Contributors can enrich hashes at [https://github.com/COVID-CERT/malware-covm-samples].

Quick Reference Cheat-Sheet

Imminent IR Actions:
□ Alert on creation of *.covm files on file servers (FSRM file screen or an EDR rule); at the email gateway block script and archive attachments, since .covm is an output of the infection and never arrives by mail.  
□ Create firewall rule: drop TCP 3389 inbound unless from [VPN-CIDR].  
□ Confirm MS17-010 and CVE-2020-0796 are patched; scan for TCP/445 reachable from untrusted networks.  
□ Confirm backups are offline or immutable and NOT mounted as drive letters or writable shares.  
□ If the personal ID ends in t1, run the Emsisoft Decryptor for STOP Djvu.  
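The cheat-sheet checks above as a read-only host audit, added here as an editor-supplied example (not from the original report). It reports whether RDP is allowed from any address, when the last hotfix was installed, whether shadow copies still exist, whether any backup share is mounted as a drive letter, and which peers still answer on TCP/445. The host and backup-server names are placeholders to replace.

```powershell
# Added example (not from the original report): read-only IR checks for the
# cheat-sheet items, returned as one object per host for central collection.
# $ScanHosts and $BackupHosts are assumed values; replace them with your own.
param(
    [string[]]$ScanHosts   = @('10.0.0.5', '10.0.0.6'),   # assumption: peers to probe on TCP/445
    [string[]]$BackupHosts = @('backup01')                # assumption: backup server name(s)
)

# RDP allow rules that are enabled, inbound, on 3389 and not scoped to a remote address.
$rdpFromAny = @(Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' })

# MS17-010 (March 2017) and CVE-2020-0796 (March 2020) are both superseded by any
# later cumulative update, so the most recent install date is the quick check.
$lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

# Shadow copies left after "vssadmin delete shadows /all /quiet"?
$shadowCount = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue).Count

# Backup shares mapped as drive letters are reachable by the ransomware.
$mountedBackups = @(Get-CimInstance Win32_MappedLogicalDisk | Where-Object {
    $provider = $_.ProviderName
    ($BackupHosts | Where-Object { $provider -like "\\$_\*" }).Count -gt 0
})

# Peers still exposing SMB (TCP/445) to this host.
$smbOpen = @(foreach ($h in $ScanHosts) {
    $ok = (Test-NetConnection -ComputerName $h -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
    if ($ok) { $h }
})

[pscustomobject]@{
    Host                = $env:COMPUTERNAME
    Smb1Enabled         = (Get-SmbServerConfiguration).EnableSMB1Protocol
    RdpAllowedFromAny   = ($rdpFromAny.Count -gt 0)
    LastHotfixInstalled = $lastHotfix.InstalledOn
    ShadowCopies        = $shadowCount
    MountedBackupShares = ($mountedBackups | ForEach-Object { $_.DeviceID + '=' + $_.ProviderName }) -join ';'
    Port445OpenPeers    = ($smbOpen -join ',')
}
```

Any host that reports RdpAllowedFromAny = True, a mounted backup share, or a LastHotfixInstalled date earlier than March 2020 goes to the top of the remediation list; run the audit again after the hardening changes to confirm they took effect.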

Stay vigilant: new STOP/Djvu variants with fresh extensions appear frequently, often within days of one another, reusing the same infrastructure and distribution channels. Continuous patch hygiene, application allow-listing and network segmentation remain your best defenses.