An upgraded version of the FTCODE ransomware is now equipped with password-stealing capabilities targeting browsers and email clients
First observed in 2013, FTCODE ransomware has resurfaced with password-stealing capabilities. Besides encrypting files, the threat steals saved passwords and credentials from popular browsers and email clients. FTCODE ransomware scans the default locations where those applications store credentials, extracts the data, and uploads it to a server controlled by the ransomware's operators.
Propagation and Encryption
Operators of file-encrypting ransomware tend to rely on a few classic propagation methods: emails carrying macro-laced attachments, fraudulent application updates, and fake pirated copies of popular software.
Ransomware usually targets a wide variety of file types so that enough damage is done for the victim to consider paying the ransom. Images, documents, videos, audio files and similar user data are the primary targets of threats like the FTCODE Ransomware.
The FTCODE Ransomware scans the system to locate such files and then triggers its encryption routine. After encrypting a file, the FTCODE Ransomware appends a new extension to its filename: ‘.FTCODE’. For example, a photo originally called ‘paper-pale.jpeg’ is renamed to ‘paper-pale.jpeg.FTCODE’ once encryption completes.
To make it less likely that the user can recover encrypted files for free, the FTCODE Ransomware also wipes the Shadow Volume Copies on the compromised host. Furthermore, it disables System Restore, so that recovering data through Windows' own restore mechanisms becomes nearly impossible. Backups kept offline, or on storage the ransomware cannot reach, are unaffected by either step.
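The two anti-recovery steps described above leave telltale traces in endpoint telemetry. The detection logic below is an added example written for this article, not code from FTCODE or from the article's author. It scans constructed process-creation and registry-write events (field names loosely modelled on Sysmon Event ID 1 and 13 and assumed here) for the command lines commonly used by ransomware to delete Volume Shadow Copies (vssadmin, WMIC, Win32_ShadowCopy via PowerShell) and for the Group Policy registry values and PowerShell cmdlet that turn System Restore off. The article does not say which of these mechanisms FTCODE itself uses; the rule set covers the usual ones.

```python
import json
import re

# Command-line patterns for Volume Shadow Copy deletion. These are the generic
# techniques seen across ransomware families; the article does not state which
# one FTCODE uses, so treat this set as an assumption of the example.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b.*\b(?:delete|remove-(?:wmiobject|ciminstance))\b", re.I),
]

# Ways of switching System Restore off from a command line.
SYSTEM_RESTORE_DISABLE = [
    re.compile(r"\bdisable-computerrestore\b", re.I),
    re.compile(r"\bsystemrestore\b.*\bcall\s+disable\b", re.I),
]

# Group Policy registry values that disable System Restore when set to 1.
SYSTEM_RESTORE_POLICY = re.compile(
    r"\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\(DisableSR|DisableConfig)$",
    re.I,
)

# Constructed sample events (not real telemetry). "proc" = process creation,
# "reg" = registry value set. Event 2 and event 7 are deliberate non-alerts:
# listing shadows is benign, and writing DisableSR=0 re-enables System Restore.
SAMPLE_EVENTS = [
    r'{"id": 1, "type": "proc", "cmd": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}',
    r'{"id": 2, "type": "proc", "cmd": "vssadmin.exe list shadows"}',
    r'{"id": 3, "type": "proc", "cmd": "powershell.exe -nop -w hidden -c \"vssadmin delete shadows /all /quiet\""}',
    r'{"id": 4, "type": "proc", "cmd": "\"C:\\Windows\\System32\\wbem\\WMIC.exe\" shadowcopy delete"}',
    r'{"id": 5, "type": "proc", "cmd": "powershell.exe -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\""}',
    r'{"id": 6, "type": "reg", "target": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR", "details": "DWORD (0x00000001)"}',
    r'{"id": 7, "type": "reg", "target": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR", "details": "DWORD (0x00000000)"}',
    r'{"id": 8, "type": "proc", "cmd": "powershell.exe -c Disable-ComputerRestore -Drive C:"}',
]


def classify_event(event):
    """Return (technique, rule) for an anti-recovery event, or None if benign."""
    if event.get("type") == "proc":
        cmd = event.get("cmd", "")
        for rx in SHADOW_COPY_DELETION:
            if rx.search(cmd):
                return ("shadow_copy_deletion", rx.pattern)
        for rx in SYSTEM_RESTORE_DISABLE:
            if rx.search(cmd):
                return ("system_restore_disabled", rx.pattern)
    elif event.get("type") == "reg":
        target = event.get("target", "")
        if SYSTEM_RESTORE_POLICY.search(target):
            # Only a non-zero DWORD actually disables the feature.
            m = re.search(r"0x([0-9a-fA-F]+)", event.get("details", ""))
            if m and int(m.group(1), 16) != 0:
                return ("system_restore_disabled", "policy " + target.rsplit("\\", 1)[-1])
    return None


def analyze(lines):
    """Run the rules over JSON event lines and return the alerts in order."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        hit = classify_event(event)
        if hit:
            alerts.append({"id": event["id"], "technique": hit[0], "rule": hit[1]})
    return alerts


def techniques_seen(alerts):
    """Distinct anti-recovery techniques observed; both together is a strong ransomware signal."""
    return sorted({a["technique"] for a in alerts})


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for a in found:
        print(f"event {a['id']}: {a['technique']} ({a['rule']})")
    print("techniques:", techniques_seen(found))
```

Note that `vssadmin list shadows` is deliberately not flagged: administrators run it routinely, and alerting on every vssadmin invocation buries the signal. By the time these events appear, encryption is usually already under way, so the practical value lies in having an EDR block the commands outright rather than in after-the-fact alerting, and in confirming during triage that local restore points are gone.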
The Ransom Note
The FTCODE Ransomware then drops a ransom note named ‘READ_ME_NOW.htm’. The note instructs the victim on how to download and install the Tor Browser, because payment is handled through a Tor-based payment portal.
The authors of the FTCODE Ransomware state that the ransom is $500 if paid within the first three days of the attack. If the victim fails to pay within that deadline, the fee increases in steps:
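For incident response, the appended extension and the fixed note filename are the quickest way to scope what an infection touched. The triage helper below is an added example written for this article, not FTCODE's code or the article's: it walks a directory tree, recovers the original filename from each ‘.FTCODE’ file, tallies which original file types were hit, and records where ‘READ_ME_NOW.htm’ was dropped. The sample tree it builds is constructed test data, and the extension check is a heuristic only: the file contents are encrypted, so nothing beyond the name identifies the original format.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".FTCODE"        # extension the article reports being appended
RANSOM_NOTE = "READ_ME_NOW.htm"  # note filename the article reports


def original_name(path):
    """Strip the appended extension to recover the pre-encryption filename, or None."""
    base = os.path.basename(path)
    if base.upper().endswith(ENCRYPTED_EXT):
        return base[: -len(ENCRYPTED_EXT)]
    return None


def triage(root):
    """Walk `root` and summarise encrypted files and ransom-note locations."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.upper().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
            elif name.lower() == RANSOM_NOTE.lower():
                notes.append(full)
    # Tally by the extension of the recovered original name (e.g. ".jpeg").
    by_original_ext = Counter(
        os.path.splitext(original_name(p))[1].lower() or "(none)" for p in encrypted
    )
    return {
        "encrypted": sorted(encrypted),
        "original_names": sorted(original_name(p) for p in encrypted),
        "by_original_ext": dict(by_original_ext),
        "notes": sorted(notes),
        "dirs_with_note": sorted({os.path.dirname(n) for n in notes}),
    }


def build_sample_tree():
    """Create a constructed directory tree in a temp dir (test data, not a real infection)."""
    root = tempfile.mkdtemp(prefix="ftcode_triage_")
    layout = {
        "Pictures/paper-pale.jpeg.FTCODE": b"\x00" * 16,
        "Pictures/READ_ME_NOW.htm": b"<html>constructed note</html>",
        "Documents/report.docx.FTCODE": b"\x00" * 16,
        "Documents/notes.txt.FTCODE": b"\x00" * 16,
        "Documents/READ_ME_NOW.htm": b"<html>constructed note</html>",
        "Documents/untouched.txt": b"not encrypted",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    print("original types hit:", result["by_original_ext"])
    print("directories with a note:", result["dirs_with_note"])
```

Keep the encrypted files rather than deleting them: if a decryptor or the key later becomes available, the ‘.FTCODE’ files are the only copies left once shadow copies are gone.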
Between three and five days – the ransom is $2,500.
Between five and ten days – the ransom is $5,000.
Between ten and thirty days – the ransom is $25,000.
Finally, the attackers claim that if the fee is not paid within thirty days of the attack, the decryption key will be permanently deleted, leaving the victim no way to recover the encrypted files. Do not take the attackers at their word: neither their threats nor their promises can be relied on, and paying does not guarantee that a working decryptor will ever be delivered.