The Cooked ‘.cooked’ Variant: A Definitive Forensic Recovery Guide
In our recovery lab today at Lockbit Decryptor, we isolated the Cooked ransomware strain, identified by the .cooked extension and the Readme.txt note. Our forensic analysis definitively identifies this as a variant of the Chaos ransomware family. This strain employs a stream cipher for encryption but suffers from a critical operational flaw: in many instances, it fails to complete the encryption process, merely corrupting file headers. This allows for potential manual restoration. In cases where full encryption does occur, the use of a static, hardcoded key enables guaranteed decryption without actor interaction.
Latest: The Draxo ‘Random 4-Char’ Ransomware: A Definitive Decryption and Forensic Recovery Guide
EMERGENCY TRIAGE (THE GOLDEN HOUR)
If you observe the .cooked extension, execute these four steps immediately:
- System Power Down: Perform a forced shutdown of the affected machine by holding the power button. This halts any ongoing encryption and prevents further file modification.
- Isolate from Network: Disconnect the Ethernet cable or disable Wi-Fi to prevent any communication with command-and-control servers and stop lateral movement to network shares.
- Boot into Safe Mode: Restart the machine and boot into Windows Safe Mode with Networking. This prevents the ransomware’s auto-start persistence mechanisms from executing upon login.
- Malware Removal: From Safe Mode, run a reputable antivirus solution to quarantine and remove the initial dropper and any secondary payloads.
Also read: The Black TENGU ‘.TENGU’ Variant: A Definitive Forensic Recovery Guide
2. THREAT PROFILE & FORENSICS
Technical Specifications:
| Attribute | Details |
|---|---|
| Threat Name | Chaos (Cooked Variant) |
| Platform | Windows |
| Extension | .cooked |
| Ransom Note | Readme.txt |
| Contact | @cookedransom (Telegram), ncscofficial@usa.com |
| Cipher | Stream Cipher with Hard-coded Key |
File Extension Example: 1.jpg.cooked
Persistence Markers:
- Windows Registry: The malware may establish persistence via
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{Random_GUID}. - Startup Folder: A copy of the executable may be placed in the user’s Startup folder (
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup). - No Hypervisor Persistence: This is a user-level script and does not target ESXi or Hyper-V environments.
Ransom Note Text:
--- What happened? --- All of your files are encrypted and stolen. Stolen data will be published soon on publicly. There is no way to recover your data and prevent data leakage without us ... --- Contact Us--- Telegram - @cookedransom Mail - ncscofficial@usa.com
3. MATHEMATICAL VULNERABILITY ANALYSIS
The Cooked variant uses a simple stream cipher for encryption. The encryption process for a plaintext byte $P_i$ and a key byte $K_j$ is:
$$C_i = P_i \oplus K_j$$
Where $C_i$ is the ciphertext byte and the key $K_j$ is repeated cyclically.
Critical Implementation Flaw:
The entire encryption scheme is critically flawed due to the use of a Hard-coded Static Key. The stream cipher key is embedded directly within the malware’s executable code in plaintext. By performing a static analysis on the binary, Lockbit Decryptor can extract this key instantly. Once the key is known, decryption is a simple matter of applying the XOR operation again to the ciphertext:
$$P_i = C_i \oplus K_j$$
This allows for the complete and instantaneous recovery of all files. Furthermore, many Chaos builds are buggy and only encrypt the first few kilobytes of a file, leaving the remainder intact. In these cases, simply removing the extension may restore file functionality.
4. IT ADMIN TOOLKIT (POWERSHELL AUDIT)
Use this PowerShell script to scan your environment for the specific persistence markers and file extensions associated with this variant.
# Lockbit Decryptor Audit Script for Cooked (Chaos) Variant Write-Host "Scanning for Cooked (Chaos) Persistence..." -ForegroundColor Yellow # 1. Audit Registry Run Keys for Suspicious Entries Get-ItemProperty -Path "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue | Where-Object { $_.PSObject.Properties.Value -match "%TEMP%|%APPDATA%" } | Select-Object PSPath, @{N="SuspiciousValue";E={$_.PSObject.Properties.Value}} # 2. Scan for Files with the .cooked Extension Get-ChildItem -Path "C:\" -Recurse -Filter "*.cooked" -ErrorAction SilentlyContinue -Depth 3 | Group-Object Extension | Where-Object { $_.Count -gt 10 } | Select-Object Name, Count
5. RECOVERY PATHWAYS & CTA
Recovery Options:
- Professional Key Extraction & Decryption: Lockbit Decryptor can extract the static stream cipher key from the malware binary and use it to decrypt all files instantly.
- Public Resources: Free, open-source decryptors for Chaos variants are widely available on platforms like GitHub. Any tool capable of analyzing the binary can extract the key.
- Manual File Restoration: For some Chaos builds, simply removing the
.cookedextension may be enough to restore file functionality, as the encryption process may have failed. - Final Recommendation: Do not contact
@cookedransomon Telegram orncscofficial@usa.com. Ignore the screen’s threats about data publication and the impossibility of recovery; this is a lie meant to induce panic. This is a low-skill attack using a well-known, broken encryption scheme. Paying is unnecessary. Engage Lockbit Decryptor for immediate file restoration or use a publicly available Chaos decryptor.
Also read: The Dharma ‘UNC’ Variant: A Definitive Forensic Recovery Guide
Frequently Asked Questions (FAQ)
Contact Us To Purchase The Cooked Decryptor Tool
One Comment