Researchers have discovered a new wave of the FTCODE ransomware campaign that steals browser login credentials and encrypts files on Windows systems.
FTCODE ransomware was first observed in 2013. It uses the Windows PowerShell program to perform file encryption.
The ransomware resurfaced in September of last year, and according to Certego's analysis of FTCODE it is still in active development.
Threat actors behind the ransomware strain use weaponized word documents to deliver the ransomware. If the victim opens the documents and disables protected view then it triggers the execution of the malicious macro.
Once executed, the macro runs a PowerShell process that downloads a piece of PowerShell code (FTCODE itself) and keeps the response only in memory, in an attempt to avoid antivirus detection.
Researchers from Zscaler observed a new version of FTCODE ransomware, 1117.1, that uses a different infection method and adds password-stealing capabilities.
The ransomware is distributed through spam emails; the macro documents contain links to VBScripts which in turn download the PowerShell script known as FTCODE ransomware.
To trick the user, the script first downloads a decoy document, and in the background it downloads and runs the ransomware.
FTCODE ensures persistence by creating a shortcut file called windowsIndexingService.lnk in the victim's Startup folder, so it is executed every time the system boots.
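A defender-side check for the persistence artifact described above, written for this page as an added example (not code from the article or from the researchers cited). It assumes the shortcut name is exactly as reported and that local profiles live under C:\Users; it reads each matching shortcut's target so an analyst can see what it launches.

```powershell
# Added defender-side check (not from the article or the researchers cited):
# looks for the FTCODE persistence artifact, windowsIndexingService.lnk, in the
# per-user and all-users Startup folders and shows what each shortcut launches.
# Assumption: the file name is exactly as reported; a variant may use another name.
$lnkName = 'windowsIndexingService.lnk'
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Also cover other local profiles when running elevated (assumed default path layout).
$startupDirs += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($dir in ($startupDirs | Sort-Object -Unique)) {
    $path = Join-Path $dir $lnkName
    if (Test-Path -LiteralPath $path) {
        # Resolve the shortcut so the launched command and its arguments are visible.
        $lnk = $shell.CreateShortcut($path)
        [pscustomobject]@{
            Path      = $path
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
            Created   = (Get-Item -LiteralPath $path).CreationTime
        }
    }
}
if ($findings) {
    $findings | Format-List
    # Any Startup .lnk whose target is powershell.exe with hidden or encoded
    # arguments deserves the same scrutiny, whatever it is named.
} else {
    Write-Output "No $lnkName found in Startup folders."
}
```

Run it from an elevated session to cover every local profile; a hit should be preserved (not deleted) until the target and arguments have been recorded for the incident timeline.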
Before encryption, it checks all drives to confirm that at least 50 KB of free space is left. The extensions it encrypts are listed here.
Once encryption is complete, it drops a ransom note, "READ_ME_NOW.htm", in the directory of the encrypted files.
The ransom note directs victims to a Tor website to make the payment; the Tor site contains a Bitcoin address and asks victims to pay $500 to recover their files.
Some users reported that “someone paid the ransom and did not get the decryptor.”
The new version of the ransomware includes a password-stealing capability that is not present in the older versions.
It steals login credentials from browsers and email clients:
FTCODE ransomware is evolving: multiple versions were spotted in a short period. At the moment there is no decryptor available for this ransomware strain.