FTCode Ransomware Returns with Credential-Stealing Capabilities

  • It can skim user credentials from Internet Explorer, Firefox, and Chrome as well as email clients Thunderbird and Outlook.
  • The malware acquires persistence through a shortcut file in the startup folder that executes on reboot.

A group of researchers reported that FTCode ransomware is now armed with browser and email password-stealing features.

About the new version

The nightmare continues for victims of FTCode ransomware.

  • Although it belongs to a ransomware family and still encrypts data, the PowerShell malware has added features for stealing user credentials from common web browsers and email clients.
  • FTCode version 1117.1 ransomware steals credentials from five popular browsers and email clients. It can skim user credentials from Internet Explorer, Firefox, and Chrome as well as email clients Thunderbird and Outlook.
  • The new version uses a variety of methods to steal credentials, one suited to each targeted application, which follows from the way the malware has been scripted.

How it works

Infection starts with spam emails that carry malicious macro documents or, more recently, links to VBScripts.

  • As soon as the user runs the VBScript, it deploys the PowerShell-based FTCode, disguised as a decoy .JPEG image, in the Windows %temp% folder.
  • Basic system information is then harvested and sent to a waiting command-and-control (C2) server.
  • The malware acquires persistence through a shortcut file in the startup folder that executes on reboot.
  • Stolen data is base64-encoded and sent via an HTTP POST request.
  • Every encrypted file gets a .FTCODE extension and every folder receives a READ_ME_NOW.htm ransom note.
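Defender-side detection logic for the chain just described, as an added example that is not part of the original article: it runs over constructed, hypothetical Sysmon-style event records (paths, file names and user names are invented) and flags the PowerShell launch of a decoy image under %temp%, the Startup-folder .lnk, the .FTCODE / READ_ME_NOW.htm artefacts and a base64-bodied HTTP POST.

```python
import base64
import re
# Constructed sample telemetry (hypothetical Sysmon-style records, not from the article).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden C:\Users\alice\AppData\Local\Temp\photo.jpeg"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx.FTCODE"},
    {"type": "file", "path": r"C:\Users\alice\Documents\READ_ME_NOW.htm"},
    {"type": "network", "method": "POST", "body": base64.b64encode(b"host=WS01&user=alice").decode()},
]

# A .lnk dropped in the per-user Startup folder (the persistence method described above).
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
# PowerShell handed a file under %temp% that carries an image extension (the decoy .JPEG).
TEMP_IMAGE_RE = re.compile(r'\\Temp\\[^\s"]+\.jpe?g', re.I)
def looks_base64_text(body):
    """True when body is strict base64 whose decoded bytes are printable ASCII."""
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 0 and all(32 <= b < 127 for b in raw)

def classify(event):
    """Return the FTCode-style indicator an event matches, or None."""
    if event["type"] == "process":
        image, cmd = event["image"].lower(), event["cmdline"].lower()
        if image.endswith(("wscript.exe", "cscript.exe")) and ".vbs" in cmd:
            return "vbscript-launch"
        if image.endswith("powershell.exe") and TEMP_IMAGE_RE.search(cmd):
            return "powershell-temp-image"
    elif event["type"] == "file":
        path = event["path"].upper()
        if STARTUP_RE.search(path):
            return "startup-lnk"
        if path.endswith(".FTCODE") or path.endswith("\\READ_ME_NOW.HTM"):
            return "ransomware-artifact"
    elif event["type"] == "network" and event["method"] == "POST":
        if looks_base64_text(event["body"]):
            return "base64-post"
    return None

def scan(events):
    """Collect matched indicators; 'chain' is True once execution, persistence and encryption artefacts all appear."""
    hits = [c for c in (classify(e) for e in events) if c]
    chain = {"powershell-temp-image", "startup-lnk", "ransomware-artifact"}.issubset(hits)
    return {"hits": hits, "chain": chain}
```

The base64 check is deliberately loose (any printable-text POST body qualifies), so treat "base64-post" as corroborating context rather than a standalone alert.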

Decryption isn’t guaranteed

Hackers usually demand a $500 ransom to deliver the decryptor. However, there have been reports of victims paying the ransom and not receiving the decryptor, as one individual noted on Twitter.