Security Experts discovered an updated version of the FTCODE ransomware, and this time it seems that the authors are focusing more on email password stealing. The analysis revealed that the malware was specifically targeted towards Italian-speaking Windows users and that the latest version (detected as 1117.1) used the VBScript download method for more sophisticated attacks.
Attackers use email to spread ransomware to potential targets. Malicious emails include infected documents and VBScripts, which, when executed, run PowerShell scripts that trigger ransomware infection. The script first downloads the bait images into the% temp% folder and tries to trick users into believing that they just received the images, then downloads and runs the ransomware in the background.
The malware tries to gain persistent running capabilities by creating a shortcut called WindowsIndexingService.lnk in the Windows startup folder. In addition, it will create a scheduled task called WindowsApplicationService, and both shortcuts and scheduled tasks will point to the malicious WindowsIndexingService.vbs script.
Once the device is infected, ransomware encrypts multiple file-formats. FTCODE uses a GUID to generate a password and an earlier random character set. It uses Rijndael symmetric key encryption to encrypt 40960 bytes of each of the above extension files. The initialization vector is based on 11 randomly generated characters and puts a ransom note named “READ_ME_NOW.htm” in the root folder.
After the preparation is completed, the ransomware instructs the user to download the Tor browser and visit a link on which they need to pay to use the decryption key to unlock the file. In addition to encrypting files, ransomware steals credentials from popular browsers and email clients including Internet Explorer, Mozilla Firefox, Mozilla Thunderbird, Google Chrome, and Microsoft Outlook. Ransomware can scan the default locations where these applications store credentials, extract data, and then upload it to servers controlled by malware authors.