FTCODE ransomware is now armed with browser, email password stealing features

Encrypting your PC isn’t enough -- hackers want your email passwords, too.
Written by Charlie Osborne, Contributing Writer

FTCODE ransomware is back with a fresh set of information-stealing capabilities targeting browsers and email services. 

First spotted back in 2013 by Sophos, the malware -- believed to be the handiwork of Russian threat groups -- piqued researcher interest due to its reliance on PowerShell, a Microsoft scripting language designed for task automaton and network management.

The ransomware has previously targeted Russian-speaking users, but since its inception, operators of the malware have expanded their horizons to include victims of other languages. 

See also: New ransomware attacks target your NAS devices, backup storage

In October 2019, the ransomware was linked to phishing and email campaigns targeting Italian users through documents containing malicious macros, a common way for cyberattackers to deploy exploit kits.

According to Zscaler ThreatLabZ researchers Rajdeepsinh Dodia,  Amandeep Kumar, and Atinderpal Singh, the malware is now being downloaded via VBScript, but is still based on PowerShell. 

"The FTCODE ransomware campaign is rapidly changing," the team says. "Due to the scripting language it was written in, it offers multiple advantages to threat actors, enabling them to easily add or remove features or make tweaks much more easily than is possible with traditionally compiled malware."

What appears to be the latest version of the malware, 1117.1, lands on infected machines through the same attack vector -- documents containing macros. However, these macros contain links to VBScripts that deploy the PowerShell-based FTCODE, disguised as a decoy .JPEG image file that lands in the Windows %temp% folder. 

CNET: SIM swap fraud: What it is, why you should care and how to protect yourself

In many respects, FTCODE acts as typical ransomware. Basic system information is harvested and sent to a waiting command-and-control (C2) server, and persistence is secured through a shortcut file in the startup folder that executes on reboot. 

FTCODE will then scan the infected system for drives with at least 50kb of free space and begin encrypting files with extensions including .das, .rar, .avi, .epk, and .docx. A ransom note is then posted. Positive Technologies says the initial request is $500 but increases over time.


The latest version of the malware is also able to steal browser and email credentials, a significant update on past iterations. 

Internet Explorer, Mozilla Firefox, and Google Chrome browser information, alongside Microsoft Outlook and Mozilla Thunderbird email credentials, can be stolen and sent to the malware's operators via the C2. 

Stolen data is encrypted with base64 and sent via an HTTP POST request, as noted by Positive Technologies. 

The researchers add in their report that the ransomware may also install the JasperLoader downloader, which can be used to deploy additional malicious payloads. 

TechRepublic: This new startup aims to make developers love security

In related news, on Tuesday, Safebreach Labs reported the conclusion of an investigation into how ransomware could exploit the Microsoft Windows Encrypting File System (EFS) to encrypt and lock-up PCs. 

After developing a concept malware variant and successfully creating workable attacks, the researchers tested their ransomware against three popular forms of antivirus software, all of which failed to stop the threat. In total, 17 cybersecurity vendors received Proof-of-Concept (PoC) reports, the majority of which have now pushed out proactive software updates before such an attack is used in the wild. 

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards