FTCode is a type of ransomware that spreads itself via spam emails, and is able to execute its PowerShell-based malicious payload in memory only, without downloading any files to disk. It was first seen in the wild in 2013, but is now a much more serious network threat because most current Windows workstations have PowerShell installed by default.
This is part of our series of articles about Ransomware protection.
Infected by FTCode ransomware?
Cynet is a trusted partner that deploys powerful endpoint detection and response (EDR) security software on your endpoints, and can help defend against, mitigate and eradicate a wide range of known and zero-day threats, including ransomware like FTCode, and advanced persistent threats. Cynet provides CyOps, an outsourced incident response team on call 24/7/365 to respond to critical incidents quickly and effectively.
FTCode is a strain of ransomware, designed to encrypt data and force victims to pay a ransom to release it. It is fully written in PowerShell, meaning that it can encrypt files on a Windows device without downloading any other components. FTCode loads its executable code only into memory, without saving it to disk, to prevent detection by antivirus.
The first appearance of FTCode was probably in 2013, and it was originally identified by Sophos. However, at the time it did not pose a serious risk because PowerShell is only installed by default from Windows 7 onwards. Today almost all Windows machines have at least Windows 7, and so PowerShell-based malware like FTCode poses a much bigger risk.
The FTCode ransomware is primarily distributed via spam emails containing an infected Word template in Italian. The user needs to open the attachment and disable Protected View mode; a malicious macro then executes and launches the FTCode PowerShell code.
Once a user is tricked into opening the infected Word template, and the malicious macro executes, the following steps occur.
This discussion is based on research from Certego and represents the behavior of version 930.5 of the malware; future versions may exhibit different behavior.
This creates a way to prevent FTCode from executing: create a few files with the .FTCode extension somewhere on the machine, with any content.
This means that in current variants of FTCode, monitoring communication with the attacker's server can yield the password needed to decrypt the user's encrypted files.
bcdedit /set exgdccaxjz bootstatuspolicy ignoreallfailures
bcdedit /set exgdccaxjz recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete backup
vssadmin delete shadows /all /quiet
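The recovery-disabling command chain above is a useful detection point: a single parent process (here PowerShell) issuing several of these commands in sequence is far more suspicious than any one of them alone. The following is an added example, not code from the article or from Cynet, that scans process-creation log lines in a hypothetical "host|parent|cmdline" format (the sample lines are constructed) and alerts when one parent matches two or more of the tamper patterns.

```python
import re
from typing import Dict, List

# Command-line patterns covering the bcdedit/wbadmin/vssadmin steps listed above.
# Each entry is (pattern name, compiled regex); matching is case-insensitive.
RECOVERY_TAMPER_PATTERNS = [
    ("bcdedit_ignore_failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit_recovery_off",
     re.compile(r"bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b", re.I)),
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)),
]

def classify_command(cmdline: str) -> List[str]:
    """Return the names of every tamper pattern that matches one command line."""
    return [name for name, rx in RECOVERY_TAMPER_PATTERNS if rx.search(cmdline)]

def scan_log(lines: List[str], threshold: int = 2) -> Dict[str, object]:
    """Scan 'host|parent|cmdline' lines (hypothetical log format, an assumption).
    An alert is raised per (host, parent) once at least `threshold` distinct
    patterns are seen, so a lone legitimate backup command does not fire."""
    seen: Dict[tuple, set] = {}   # (host, parent) -> set of matched pattern names
    hits = []                     # every individual matching line
    for line in lines:
        host, parent, cmd = [part.strip() for part in line.split("|", 2)]
        names = classify_command(cmd)
        if names:
            seen.setdefault((host, parent), set()).update(names)
            hits.append((host, parent, names))
    alerts = {key: sorted(names) for key, names in seen.items() if len(names) >= threshold}
    return {"hits": hits, "alerts": alerts}

# Constructed sample telemetry, not real log data.
SAMPLE_LOG = [
    "WS01|powershell.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "WS01|powershell.exe|bcdedit /set {default} recoveryenabled no",
    "WS01|powershell.exe|wbadmin delete catalog -quiet",
    "WS01|powershell.exe|vssadmin delete shadows /all /quiet",
    "WS02|cmd.exe|vssadmin list shadows",                          # benign, no match
    "WS03|backupagent.exe|wbadmin delete systemstatebackup -keepVersions:3",  # single hit
]

if __name__ == "__main__":
    for (host, parent), names in scan_log(SAMPLE_LOG)["alerts"].items():
        print(f"ALERT host={host} parent={parent} patterns={names}")
```

Only WS01 produces an alert; the backup agent on WS03 matches one pattern and stays below the threshold, which is the trade-off to tune against your own environment's backup tooling.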
Cynet 360 is an Advanced Threat Detection and Response platform that provides protection against ransomware like FTCode and other threats, including zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.
Cynet provides a multi-layered approach to stop ransomware from executing and encrypting your data:
Learn more about Cynet’s Next-Generation Antivirus (NGAV) Solution