FTCode is a type of ransomware that spreads itself via spam emails and is able to execute its PowerShell-based malicious payload in memory only, without downloading any files to disk. It was first seen in the wild in 2013 but is now a much more serious network threat because most current Windows workstations have PowerShell installed and enabled by default.
In this article you will learn:
- What is FTCode
- FTCode distribution
- How the FTCode malware works
- Protection against FTCode
Infected by FTCode ransomware?
InFORM XDR is a trusted partner that provides effective Managed Detection and Response (MDR) security services on your IT infrastructure and can help defend, mitigate and eradicate against a wide range of known and zero-day threats, including ransomware like FTCode, and advanced persistent threats. We also provides InSERT service, an outsourced incident response team on call 24/7/365 to respond to critical incidents quickly and effectively.
What is FTCode?
FTCode is a strain of ransomware, designed to encrypt data and force victims to pay a ransom to release it. It is fully written in PowerShell, meaning that it can encrypt files on a Windows device without downloading any other components. FTCode loads its executable code only into memory, without saving it to disk, to prevent detection by antivirus.
The first appearance of FTCode was probably in 2013, and it was originally identified by Sophos. However, at the time it did not pose a serious risk because PowerShell is only installed by default from Windows 7 onwards. Today almost all Windows machines have at least Windows 7, and so PowerShell-based malware like FTCode poses a much bigger risk.
FTCode Distribution Method
The FTCode ransomware is primarily distributed via spam emails containing an infected Word template in Italian. The user needs to open the attachment and disable Protected View mode, and then a malicious macro executes which runs FTCode PowerShell code.
How Does the FTCode Malware Work?
Once a user is tricked into opening the infected Word template, and the malicious macro executes, the following steps occur.
This discussion is based on research from Certego and represents the behaviour of version 930.5 of the malware, future versions may exhibit different behaviour.
- The macro triggers the DownloadString function, which loads the PowerShell code into memory, without saving it to disk. It uses the PowerShell iex (invoke expression) command to execute the malicious code.
- FTCode is now running, it performs a GET request to download JasperLoader, a backdoor that will download additional payloads. JasperLoader is a Visual Basic script that is saved to C:\Users\Public\Libraries\WindowsIndexingService.vbs.
- It creates a shortcut file called WindowsIndexingService.lnk in the user’s startup folder, and creates a scheduled task called WindowsApplicationService, in order to run the shortcut after every reboot.
- When the shortcut runs, it first checks for the presence of files with extension .FTCode, and if they are present, it assumes the computer has already been attacked, and exits.
This creates a way to prevent FTCode from executing—creating a few files with .FTCode extension somewhere on the machine, with any content.
- It generates a globally unique identifier and a password with 50 characters including at least four non-alphanumeric characters. A hardcoded RSA public key is used to encrypt the password, and it can be deciphered only with the attacker’s private key. However, when communicating with the command and control server, FTCode sends an unencrypted version of the password in base64 encoding.
This means that in current variants of FTCode, monitoring communication with the attacker’s server can yield the password that can decode the user’s encrypted files.
- FTCode performs a POST request to its server and transmits the version number, PowerShell version, the victim’s unique ID and the password encoded in base64.
- It runs the following PowerShell commands that prevent the user from restoring their encrypted files:
bcdedit /set exgdccaxjz bootstatuspolicy ignoreallfailures bcdedit /set exgdccaxjz recoveryenabled no wbadmin delete catalog -quiet wbadmin delete systemstatebackup wbadmin delete backup vssadmin delete shadows /all /quiet
- It checks for active disk drives and looks for files with common extensions like .mp4, .wav, .csv, .xls, etc. FTCode starts by encrypting the first bytes of each file using Rijndael symmetric key encryption, and appends the extension .FTCode.
- FTCode now creates the ransom note as a file named READ_ME_NOW.htm in all folders that contain encrypted files.
Protection against FTCode
InFORM XDR is an Advanced Threat Detection and Response platform that provides protection against ransomware like FTCode and other threats, including zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.
We provide a multi-layered approach to stop ransomware from executing and encrypting your data:
- Pre-download —applies multiple mechanisms against exploits and fileless malware, which typically serves as a delivery method for the ransomware payload, preventing it from getting to the endpoint in the first place.
- Pre-execution prevention —applies machine-learning-based static analysis to identify ransomware patterns in binary files before they are executed.
- In runtime —employs behavioural analysis to identify ransomware-like behaviour, and kill a process if it exhibits such behaviour.
- Threat intelligence —uses a live feed comprising over 30 threat intelligence feeds to identify known ransomware.
- Fuzzy Hash detection— employs a fuzzy hashing detection mechanism to detect automated variants of known ransomware.
- Sandbox —runs any loaded file in a sandbox and blocks execution upon identification of ransomware-like behaviour.
- Decoy files —plants decoy data files on the hosts and applies a mechanism to ensure these are the first to be encrypted in a case of ransomware. Once we detects that these files are going through encryption it kills the ransomware process.
- Propagation blocking —identifies the networking activity signature generated by hosts when ransomware is auto-propagating and isolates the hosts from the network.