Thursday, December 5, 2024
HomeRansomwareFTCODE Ransomware Attack Windows To Encrypt Files & Steals Stored Login Credentials...

FTCODE Ransomware Attack Windows To Encrypt Files & Steals Stored Login Credentials From Browsers

Published on

SIEM as a Service

Researchers discovered a new wave of FTCODE ransomware campaign that steal browsers login credentials and Encrypt files in Windows systems.

FTCODE ransomware was first observed in 2013, it uses the Windows PowerShell program to perform file encryption.

The ransomware resurfaced again starting from last year September, according to Certego analysis of the FTCODE ransomware, it is still in active development.

- Advertisement - SIEM as a Service

Threat actors behind the ransomware strain use weaponized word documents to deliver the ransomware. If the victim opens the documents and disables protected view then it triggers the execution of the malicious macro.

Once executed the macro runs a PowerShell process to download a piece of Powershell code which is FTCODE and save the request only in memory, in an attempt to avoid antivirus detection.

FTCODE Ransomware New Version

Researchers from Zscaler observed a new version of FTCODE ransomware 1117.1, that contains different infection method and password-stealing capabilities.

The ransomware distributed through spam Emails, and the macro documents containing links to VBScripts which further downloads the PowerShell script known as FTCODE ransomware.

To trick the users the script first downloads a decoy document, and in the background, it downloads and runs the run the ransomware.

FTCODE ensures persistence by creating a shortcut file called windowsIndexingService.lnk in the victim’s startup folder, so it will get executed every time system boots.

Before encryption it checks in all drives to see at least 50kb of free space is left, here are the extensions it encrypts.

FTCODE Ransomware
File Extensions

Once the encryption completed it drops a ransom note “READ_ME_NOW.htm” in the directory of the encrypted files.

Encryption note

The ransom note directs a Tor website for victims to make the payment, the Tor site contains a Bitcoin address and asks victim’s to pay $500 to recover files.

FTCODE Ransomware
payment Website

Some users reported that “someone paid the ransom and did not get the decryptor.”

Password Stealer

The new version of the ransomware includes password-stealing capability, which is not present with the older versions.

It steals the login credentials from browsers and email clients:

  • Internet Explorer
  • Mozilla Firefox
  • Mozilla Thunderbird
  • Google Chrome
  • Microsoft Outlook

FTCODE Ransomware is evolving, in a short period, multiple versions were spotted. At the moment there is no decryptor available for the ransomware strain.

IOCs:

Md5

  • d597ea78067725ae05a3432a9088caae
  • c8a214f432fc9d74c913c02e7918fc0
  • f96253923e833362ecac97729d528f8c
  • cc0f64afa3101809b549cc5630bbd948
  • 328ce454698307f976baa909e5c646c7
  • 71a8d8c0543a99b8791e1cfaeeeb9211
  • f0aa45bb9dd09cfac9d93427a8f5c72c
  • d6da191bfc5966dd4262376603d4e8c1
  • cc5946ce893ff37ace8de210923467a2
  • 7f5bb4529b95a872a916cc24b155c4cc
  • edd5fbe846fa51f3b555185627d0d6c5
  • a2e88f9486cc838eae038a8ba32352f3
  • eab63ee2434417bc46466df07dc6b5b5
  • fd46c05b99d00e11d34b93eae2c7ff2b
  • 98d2;221445c2c8528cef06e4ef3c9e36

Also Read: Ransomware Attack Response and Mitigation Checklist

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and...

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Researchers Detailed New Exfiltration Techniques Used By Ransomware Groups

Ransomware groups and state-sponsored actors increasingly exploit data exfiltration to maximize extortion and intelligence...

Helldown Ransomware Attacking Windows And Linux Servers Evading Detection

Helldown Ransomware, a sophisticated cyber threat, actively targets critical industries worldwide by leveraging advanced...

Researchers Detailed Tools Used By Hacktivists Fueling Ransomware Attacks

CyberVolk, a politically motivated hacktivist group, has leveraged readily available ransomware builders like AzzaSec,...