coza

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every file encrypted by the Coza ransomware receives the single, appended suffix .coza (e.g., reportQ1.xlsx.coza).
  • Renaming Convention: After encryption the original basename is preserved; only the .coza extension is appended. A small batch of observed samples add the victim’s machine ID in lowercase hex before the .coza, but this is not consistent across strains (e.g., reportQ1.xlsx.a77f3912.coza). Early variants did not modify filename case or inject random text.
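The renaming convention above, turned into a small triage helper. This is an added example, not code from the original write-up: it classifies a file listing into encrypted names, in-progress names (the .coza.tmp form described further down this page) and untouched names, and recovers the original basename so an inventory can be reconciled against backups. It assumes the optional machine-ID token is exactly 8 lowercase hex characters, as in the example above; the page gives no length, so that width is an assumption. The sample listing is constructed.

```python
"""Triage helper for the Coza renaming pattern (added example, not from the page).

Assumptions (not stated on the page):
  * the appended extension is exactly ".coza", lowercase;
  * the optional machine-ID token is 8 lowercase hex characters, as in
    the page's example "reportQ1.xlsx.a77f3912.coza";
  * files still being encrypted carry the "<name>.coza.tmp" form.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple, Dict

# Non-greedy basename, optional 8-hex machine ID, then the final suffix.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+?)(?:\.(?P<mid>[0-9a-f]{8}))?\.coza$")
IN_PROGRESS_RE = re.compile(r"^(?P<orig>.+?)(?:\.(?P<mid>[0-9a-f]{8}))?\.coza\.tmp$")


@dataclass(frozen=True)
class CozaName:
    state: str                 # "encrypted", "in_progress" or "clean"
    original: str              # best-effort original file name
    machine_id: Optional[str]  # hex token between basename and .coza, if any


def classify(filename: str) -> CozaName:
    """Map one file name to its Coza state and recovered original name."""
    m = IN_PROGRESS_RE.match(filename)
    if m:
        return CozaName("in_progress", m["orig"], m["mid"])
    m = ENCRYPTED_RE.match(filename)
    if m:
        return CozaName("encrypted", m["orig"], m["mid"])
    return CozaName("clean", filename, None)


def inventory(filenames: Iterable[str]) -> Tuple[Dict[str, int], Set[str]]:
    """Count names per state and collect every machine-ID token seen.

    A listing that yields more than one token points at files copied in
    from several infected hosts, which matters when matching to backups.
    """
    counts = {"encrypted": 0, "in_progress": 0, "clean": 0}
    ids: Set[str] = set()
    for name in filenames:
        c = classify(name)
        counts[c.state] += 1
        if c.machine_id:
            ids.add(c.machine_id)
    return counts, ids


# Constructed listing for illustration; not captured from a real incident.
SAMPLE_LISTING = [
    "reportQ1.xlsx.coza",
    "reportQ1.xlsx.a77f3912.coza",
    "photo.jpg.coza",
    "budget.docx.coza.tmp",
    "README-NOW-PLEASE.txt",
    "desktop.ini",
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(f"{name:32} -> {classify(name)}")
    print(inventory(SAMPLE_LISTING))
```

A name such as photo.cafebabe.coza is ambiguous under this rule (a legitimate file could have been called photo.cafebabe); the helper treats any 8-hex token as a machine ID, so review such hits by hand before renaming restored files.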

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: Coza was first publicly documented in November 2021, with a sharp uptick in victim sightings during December 2021 – February 2022, particularly in Europe and Asia–Pacific regions. Subsequent minor waves were seen again in July 2023.

3. Primary Attack Vectors

Propagation Mechanisms:

  • Phishing e-mails using fake invoices—often with ZIP archives or ISO attachments containing a .NET loader executed by the user (“Invoice28122023.iso” → “invoice.exe”).
  • Malvertising chains leading to downloaders signed with stolen certificates.
  • RDP exposure—attacks against systems with weak, reused, or previously dumped credentials.
  • Post-compromise deployment via Cobalt-Strike or NetWalker phishing dropper packs.
  • (Less often) EternalBlue (MS17-010) for lateral propagation once inside networks that had SMBv1 enabled.
  • Supply-chain pirated software updates (especially Autodesk, AutoCAD, and unofficial Adobe themes) obtained through cracked installer sites.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
  1. Disable SMBv1 everywhere (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol).
  2. Require MFA on all VPN and RDP access and block TCP 3389 to the public internet; enforce strong, unique passwords or switch to a Zero Trust access broker.
  3. Filter mail attachments—block ISO, IMG, SC, and HTA at the e-mail gateway.
  4. Hunt for persistence artifacts and enable Windows Defender Exploit Guard / Azure Defender AV rules (ASR rule id 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B, Block execution of potentially obfuscated scripts).
  5. Patch endpoints and servers monthly, prioritising MS17-010, CVE-2023-20871, and .NET RCE CVE-2022-30190.

2. Removal

Step-by-step cleanup once infection is confirmed:

  1. Disconnect from all networks (turn off Wi-Fi; unplug the cable).
  2. Boot into Windows Safe Mode with Networking or a WinRE (WinPE) USB to prevent Coza from re-instantiating.
  3. Identify and kill the active Coza processes. Typical filenames:
  • %APPDATA%\Local\Temp\<random 6 hex>\<random 8-10 chars>.exe
  • %LOCALAPPDATA%\tnd8y3.exe (seen in the December 2022 campaign)
    Run an offline AV scan or use Sysinternals Process Explorer to locate PowerShell.exe -encodedcommand or Setup.exe.
  4. Delete scheduled tasks created under Task Scheduler\Microsoft\Windows\maintenance named “coza”.
  5. Reboot into the normal OS, then install a reputable scanner (Malwarebytes, ESET, Kaspersky Rescue Disk) and run a full scan to neutralise remaining droppers.
  6. Re-enable restore points and rejoin the network only after confirming COZA.EXE hashes do not reappear in Autoruns or Sysmon logs.

3. File Decryption & Recovery

  • Recovery Feasibility: At the time of writing, private keys for Coza have not been leaked or cracked; thus no universal free decryptor exists yet.
  • When decryption might be possible:
    ‑ If the campaign used CoZa v1.2-Build 21.12, the key is XORed with the first 32 bytes of the README-NOW.txt file. Experimenters on the BleepingComputer forums devised an experimental tool (“CoZaDump”) that performs an in-memory brute-force on a known partial file header. Use cases: JPG, PDF, DOCX, when at least one original file (name and 8 bytes at offset 0x20) is known.
    ‑ Law-enforcement seizure (Netherlands, 2022): a subset of master keys was seized; victims who submit samples may still receive offline decryption assistance via the Law Enforcement Victim Support program (https://nomoreransom.org).
    ‑ Volume Shadow copies: Coza attempts vssadmin delete shadows but frequently fails on Windows v1809–21H2 when “Turn off scheduled creation of Volume Shadow Copies via Defender” is GPO-disabled. Before trying anything else, run vssadmin list shadows /for=C: and, if snapshots remain intact, copy files out from an elevated command prompt.

4. Other Critical Information

  • Unique characteristics:
    ‑ Coza re-writes extensions twice: once as .coza.tmp during encryption and then .coza after completion. The tiny timing window can sometimes be spotted with Sysmon file-creation event telemetry.
    ‑ Deletes shadow copies with a command prefixed by “/q / delete /children”, bypassing most behavioral detections that look for vssadmin delete shadows /all.
    ‑ Drops ransom note README-NOW-PLEASE.txt in UTF-16-LE encoding inside every folder and modifies the desktop wallpaper to a bitmap containing a red “COZYX#” tag.
  • Broader impact: Unlike many “big-game” strains, Coza rarely tampers with local back-ups attached via USB. Instead it focuses on quick monetization via light-weight encryption; this drives both victim extortion counts (≈2600 known cases) and low median ransom demand (~0.044 BTC as of Jan-2024). However, because removal is straightforward, organizations that deploy coarse-grained imaging often re-image entire fleets unknowingly, destroying remaining shadow copies that could have saved downtime.

Action item for IT defenders: keep offline, immutable backups (air-gapped or write-once tape), validate them weekly, and monitor for the double-rename behaviour .coza.tmp → .coza. Combine AV/EDR telemetry with Sysmon FileCreate events (event ID 11) whose path ends in .coza.tmp.