FTCODE Ransomware Returns: The Nightmare Continues…


Malware possesses the habit of making returns…rising from the dead, making even a horror villain blush!

The most recent in that series is FTCODE – the long lost ransomware deemed dead in 2013, and regained its life in 2019; this problematic ransomware is now, tending towards more creative ways to exploit with an upgraded version! This time, the team behind this “A-List celebrity”, which always had some amazingly unique features, is focusing more on email password stealing, and that is something more for us to worry about.

Even though there is a claim that the new version of FTCODE is specifically targeted towards Italian-speaking Windows users, it is not yet apparent how many are targeted as part of the recent campaign. So, almost everyone – a Fortune 500 company to the government department – can be counted as a possible target for those operating ransomware strains.

That being the case, it is of greater importance for us to stay aware of this malware –  what it is, and what more is there in the latest version of FTCODE. To help you out with this, we are here with all the required details! 

The FTCODE Tale: The Initial DiscoveryThe-FTCODE-Tale-The-Initial-Discovery

As cited earlier, it was in 2013 when SophosLabs announced infections by ransomware. The targets of that assault were users from Russia. What made the attack uncommon was that it used Windows PowerShell to do the file encryption.

Make a note: PowerShell was developed by Windows for administrators to automate specific tasks on a Windows network.

The way the deadly ransomware infected the machine was even more interesting!

The malware arrived as spam emails containing HTML Application (HTA) file, which itself held two encoded strings – first of these checked if a version of PowerShell was installed on the victim’s machine. If not, the malware would itself download PowerShell and install it. Once concluded, the second string would perform file encryption.

Following this, a ransom note in Russian, instructing the victim on how to pay the ransom and decode the files, was dropped.

But, very soon, the researchers determined that victims could decrypt their files smoothly without having to pay, which led to the failure of the first FTCODE campaign. 

The FTCODE Tale: It ReturnsThe-FTCODE-Tale-It-Returns

The story didn’t end there…

FTCODE, like any other villain, never lied down and died! Even if it took six years for a comeback, it arrived a bit advanced. 

Targeting Italian users, FTCODE campaign broadcasted spam emails that carried malicious documents, through a service that delivered invoices, making it harder for the viewers to identify if it was spam or not. Once the attachment is opened, a notification demanding to disable the “Protected View” popped up. When the victim had done this, the malicious macro runs a PowerShell process, and the machine would get infected. While the ransomware encrypts files, JasperLoader – a trojan horse would automatically get downloaded, building a backdoor for attackers to release other malware strains onto the system.

Subsequently, a ransom note is dropped, commanding to pay $500 US; however, analysts found a chance of getting encryption keys by monitoring traffic to the server of attackers, and decryption completed without paying the ransom – again! 

Finally, The Upgraded Version!Finally,-The-Upgraded-Version

The real villain was back with even more features, in just a few months wait!

This latest version of FTCODE – version 1117.1, like previous ones, depends on spam emails for distribution, and again JasperLoader is found to be dropped along with it.

But, this time, another surprise is in store!

The recent form comprises an info stealer that allows the malware to harvest stored credentials from renowned web browsers and email clients, including Internet Explorer, Mozilla Firefox, Mozilla Thunderbird, Google Chrome, and Microsoft Outlook. These are then forwarded to the command and control server of the attacker.

Hackers demanded the same $500 US ransom amount to deliver the decrypter; however, there are reports from individuals that many of them who paid the ransom had not received the decryptor.   

What Does This Show?

The FTCODE ransomware campaign is quickly evolving. Due to the versatile scripting language used for its development, it enables threat actors to add or remove features or make tweaks much easily.

So, the only way prevailing to avoid being victims of FTCODE is to adapt reliable preventative measures to stay ahead of all possible vulnerabilities that can be exploited by hackers, and building the capacity to restore files soon after the cyberattack occurs.

But, how can you accomplish that?

IT security experts at Cybernetics Global Intelligence (CGI) an Aussie cybersecurity company, can help you with that! Get in touch at 1300 292 376 or drop a mail to Contact@cybernetic-gi.com, for further assistance.

Post a Comment