
FTCODE Ransomware

Posted: October 1, 2019

The FTCODE Ransomware is a file-locking Trojan that can encrypt your digital media securely so that it will not open. It also includes a Web page file that links to a TOR-based payment site for the decryptor. Victims should avoid paying the ransom, have their anti-malware solution remove the FTCODE Ransomware, and recover from any available backup.

A Trojan Going Ninety-Nine Percent Invisible

Most file-locking Trojans use well-known techniques and have thoroughly analyzed characteristics, making them simple to identify as threats. Despite that long-proven history, a newcomer competing with the massive Ransomware-as-a-Service families is doing things a little differently. The FTCODE Ransomware uses as-yet-unidentified techniques to hide itself from virtually every AV vendor of note; only a handful detect any of the Trojan's samples.

Malware experts have access to two variants of the FTCODE Ransomware: one in Visual Basic Script (VBS) format, and one embedded in a corrupted Word document. The latter, as usual, abuses macros as its infection delivery method. Remarkably, no major cyber-security organization is flagging the VBS version of the FTCODE Ransomware as threatening.

In either case, the FTCODE Ransomware uses a fairly typical encryption scheme: AES-256 for the files, with the AES key secured by RSA-1024. This lets it block files of potential value to the user, which it labels with the 'FTCODE' extension in their names. It then drops a local HTM Web page in the directory of the blocked media. The ransom note's template is typical for Trojans of this kind: it provides a link to the TOR browser, a second link to the threat actor's ransom-processing site, and an ID for the victim.
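The two artifacts the paragraph above describes, files renamed with the 'FTCODE' extension and an HTM note dropped beside them, are what a responder looks for first when scoping an incident. The following script is an added example, not code from the original article or from the Trojan's authors: it walks a directory tree, reports only those directories where a note sits next to locked files (a lone .htm file is not evidence of anything), and pulls any .onion link out of a note so it can be logged or blocked. The sample tree it builds, the file names, the note text and the placeholder .onion address are all constructed for the demo; the real note's wording is not reproduced here.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up: locked files carry the 'FTCODE'
# extension, and an HTM ransom note is dropped into each affected directory.
LOCKED_EXT = ".ftcode"
NOTE_EXT = ".htm"
# Assumed pattern for the TOR payment link the note is said to contain
# (v2/v3 onion hostnames are base32, 16 or 56 characters).
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.IGNORECASE)


def scan_tree(root):
    """Walk `root` and return {directory: {"locked": [...], "notes": [...]}}
    for every directory holding at least one FTCODE-extension file. HTM
    files are reported only when they sit beside locked files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        locked = sorted(f for f in filenames if f.lower().endswith(LOCKED_EXT))
        if not locked:
            continue
        notes = sorted(f for f in filenames if f.lower().endswith(NOTE_EXT))
        findings[dirpath] = {"locked": locked, "notes": notes}
    return findings


def extract_onion_links(note_path):
    """Pull .onion URLs out of a ransom note for logging or blocking."""
    text = Path(note_path).read_text(errors="replace")
    return sorted(set(m.group(0) for m in ONION_RE.finditer(text)))


def summarize(findings):
    """Counts a responder wants first: how much is locked, and where notes landed."""
    return {
        "directories": len(findings),
        "locked_files": sum(len(v["locked"]) for v in findings.values()),
        "dirs_with_note": sum(1 for v in findings.values() if v["notes"]),
    }


def build_sample_tree():
    """Construct a throwaway tree mimicking the layout described above.
    Every name and byte here is made up for the demo; none of it is real
    malware output."""
    root = tempfile.mkdtemp(prefix="ftcode_triage_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "report.docx.FTCODE").write_bytes(b"\x00" * 32)
    (docs / "budget.xlsx.FTCODE").write_bytes(b"\x00" * 32)
    (docs / "READ_ME_NOW.htm").write_text(
        "<html><body>Your files are encrypted. ID: DEMO-0001<br>"
        "Open http://exampleplaceholderonionaddr.onion/pay in the TOR browser"
        "</body></html>"
    )
    pics = Path(root, "Pictures")
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # untouched file
    (pics / "index.htm").write_text("<html>an ordinary, benign page</html>")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = scan_tree(root)
    print(summarize(found))
    for d, info in found.items():
        for note in info["notes"]:
            print(d, note, extract_onion_links(Path(d, note)))
```

Run against a real share, `scan_tree` gives the blast radius (which directories and how many files) before any restore from backup starts, and the extracted .onion addresses go straight into proxy or DNS block lists. The "Pictures" directory in the sample is deliberately left out of the findings: its benign index.htm is not reported because nothing locked sits beside it.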

The Dangers of Taking Ransoms as You See Them

The FTCODE Ransomware has some quirks that set it apart from Hidden Tear spinoffs or Ransomware-as-a-Service Trojans like the Scarab Ransomware. It aborts if a specific OracleKit temporary file is present, possibly to keep the author from infecting himself. It also downloads other threats; malware experts estimate the likely payload to be Gootkit (a combined general-purpose spyware and banking Trojan).

The payment process for the FTCODE Ransomware's unlocker also has some elements of interest. The site includes a working, one-time-use 'trial' decryptor for files under a megabyte. However, victims report that no decryption help arrives after paying the fee, which starts at 500 USD and rises to 25,000 USD. Like many Trojans, the FTCODE Ransomware also imposes a deadline to add urgency to the extortion.

Users can preemptively block the drive-by-downloads of some versions of the FTCODE Ransomware by not enabling macros in risky documents. Keeping anti-malware solutions updated also helps significantly with identifying threats and removing the FTCODE Ransomware as soon as possible.

There's little chance that the FTCODE Ransomware's encryption will ever stop being impenetrable, which means that any victims are at the mercy of an untrustworthy criminal, unless, of course, they have a backup that Trojans can't attack, which malware experts always recommend keeping.
