FTCODE ransomware updated again: now encrypts system files and steals browser passwords

Researchers have discovered an updated version of the FTCODE ransomware, and this time the author appears to be focusing more on password stealing. Analysis by Zscaler's ThreatLabZ team showed that the malware specifically targets Italian-speaking Windows users and that the latest version (detected as 1117.1) uses a VBScript downloader as part of a more sophisticated attack chain.


Attackers deliver the ransomware to potential targets by e-mail, using infected documents and VBScript attachments that run a PowerShell script which triggers the infection when executed. The script first downloads a decoy image to the %temp% folder to convince the user that they received nothing more than an image, then downloads and runs the ransomware in the background.

The malware establishes persistence by creating a shortcut called Windows Indexing Service.lnk in the Windows Startup folder. In addition, it creates a scheduled task called Windows Application Service; both the shortcut and the task point to the malicious Windows Indexing Service.vbs script.
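A hunt for the two persistence artifacts named above, as an added example that is not part of the ThreatLabZ analysis. The functions take plain data (a list of Startup-folder entries and the CSV text printed by `schtasks /query /fo CSV /v`) so they can be checked offline against the constructed sample below; live_scan() shows how to collect the real data on a Windows host. The sample task names and the `C:\Users\Public` script path are constructed for the example, not taken from the page.

```python
"""Hunt for the FTCODE persistence artifacts: the Startup shortcut
"Windows Indexing Service.lnk", the scheduled task "Windows Application
Service", and any task whose action runs "Windows Indexing Service.vbs".
Added example; not code from the ThreatLabZ write-up.
"""
from __future__ import annotations

import csv
import io
import os
import subprocess
from typing import Iterable

LNK_NAME = "windows indexing service.lnk"
TASK_NAME = "windows application service"
VBS_NAME = "windows indexing service.vbs"


def check_startup_entries(entries: Iterable[str]) -> list[str]:
    """Return the Startup-folder file names that match the FTCODE shortcut."""
    return [e for e in entries if os.path.basename(e).lower() == LNK_NAME]


def check_scheduled_tasks(schtasks_csv: str) -> list[dict]:
    """Parse `schtasks /query /fo CSV /v` output and return suspicious rows.

    A row is flagged when its TaskName matches the FTCODE task or when its
    action ("Task To Run") references the FTCODE VBScript.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "").strip("\\").lower()
        action = row.get("Task To Run", "").lower()
        if name == TASK_NAME or VBS_NAME in action:
            hits.append({"task": row.get("TaskName", ""),
                         "action": row.get("Task To Run", "")})
    return hits


# Constructed sample (not real host output): one benign task and one FTCODE
# task, using the column names schtasks prints in verbose CSV mode. Only the
# columns used above are included.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Status","Task To Run"\r\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready",'
    '"%windir%\\system32\\defrag.exe -c -h -o -$"\r\n'
    '"WS01","\\Windows Application Service","Ready",'
    '"wscript.exe C:\\Users\\Public\\Windows Indexing Service.vbs"\r\n'
)

# Constructed Startup-folder listing.
SAMPLE_STARTUP = ["desktop.ini", "Windows Indexing Service.lnk"]


def live_scan() -> tuple[list[str], list[dict]]:
    """Collect the real data on a Windows host (requires schtasks.exe)."""
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    entries = os.listdir(startup) if os.path.isdir(startup) else []
    proc = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                          capture_output=True, text=True, check=False)
    return check_startup_entries(entries), check_scheduled_tasks(proc.stdout)


if __name__ == "__main__":
    print("startup hits:", check_startup_entries(SAMPLE_STARTUP))
    print("task hits:   ", check_scheduled_tasks(SAMPLE_SCHTASKS_CSV))
```

Matching on the action string as well as the task name matters because the task name is trivially renamed by the author, while the script name is what the Startup shortcut also depends on.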

Once the device is infected, the ransomware encrypts files of many formats. FTCODE derives its encryption password from a GUID combined with a randomly generated string of characters, and uses Rijndael symmetric-key encryption to encrypt the first 40960 bytes of each file with a targeted extension. The initialization vector is derived from 11 randomly generated characters. A ransom note named “READ_ME_NOW.htm” is dropped in the root folder.
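Because only the first 40960 bytes of each file are encrypted, a large victim file has a high-entropy head and an untouched tail, which is worth knowing during recovery. The following triage script is an added example, not code from the analysis above; it measures Shannon entropy of the head and the remainder of each file and classifies it as plain, head-encrypted or fully encrypted. The 7.5 bits-per-byte threshold and the sample file bodies are assumptions constructed for the example.

```python
"""Triage files for FTCODE-style partial encryption.
Added example; not code from the ThreatLabZ write-up.
"""
from __future__ import annotations

import math
import os
from collections import Counter

ENCRYPTED_HEAD = 40960   # bytes FTCODE encrypts per file (from the analysis)
HIGH_ENTROPY = 7.5       # bits/byte; assumed threshold for ciphertext-like data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(blob: bytes, head_len: int = ENCRYPTED_HEAD) -> str:
    """Return 'plain', 'head-encrypted' or 'fully-encrypted'.

    A high-entropy file shorter than head_len is reported as fully encrypted,
    since no unencrypted tail can exist.
    """
    head, tail = blob[:head_len], blob[head_len:]
    if shannon_entropy(head) < HIGH_ENTROPY:
        return "plain"
    if not tail or shannon_entropy(tail) >= HIGH_ENTROPY:
        return "fully-encrypted"
    return "head-encrypted"


def triage_directory(root: str) -> dict[str, str]:
    """Walk a directory tree and classify every regular file in it."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result[path] = classify(fh.read())
    return result


# Constructed samples: a low-entropy text body, the same body with a random
# 40960-byte head (what an FTCODE victim file looks like), and a body that
# is random throughout (what a full-file encryptor would leave behind).
PLAIN_BODY = b"Quarterly report. " * 5000                      # 90,000 bytes
HEAD_ENCRYPTED = os.urandom(ENCRYPTED_HEAD) + PLAIN_BODY[ENCRYPTED_HEAD:]
FULLY_ENCRYPTED = os.urandom(len(PLAIN_BODY))
SHORT_ENCRYPTED = os.urandom(1000)                             # shorter than the head

if __name__ == "__main__":
    for label, body in [("plain", PLAIN_BODY), ("victim", HEAD_ENCRYPTED),
                        ("random", FULLY_ENCRYPTED), ("short", SHORT_ENCRYPTED)]:
        print(f"{label:7s} -> {classify(body)}")
```

A head-encrypted result tells a responder that everything past byte 40960 is intact, which for large container formats (archives, databases, media) often means a carving tool can recover most of the content even without the key. Compressed or already-encrypted inputs will read as high entropy throughout and need a format-aware check instead of this entropy heuristic.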

Once encryption completes, the ransom note instructs victims to download the Tor browser and visit a link, where they must pay to obtain the decryption key that unlocks their files.

In addition to encrypting files, the ransomware also steals credentials from popular browsers and e-mail clients, including Internet Explorer, Mozilla Firefox, Mozilla Thunderbird, Google Chrome and Microsoft Outlook. It scans the default locations where these applications store credentials, extracts the data, and uploads it to a server controlled by the malware author.