#cybersecurity | hacker #cybersecurity | #hackerspace | FTCode: PowerShell’s Own Ransomware – Security Boulevard

If it is not yet apparent how pervasive and problematic ransomware is, just look at the news. Weekly, and sometimes near-daily, a new variant is discovered or another massive corporation has fallen victim to an attack. Whether a Fortune 500 company or government department, all are seen as a valid target for those operating ransomware strains or those providing the malware as a service. Some ransomware variants often steal the limelight—currently, Ryuk and Sodinokibi are the A-List celebrities. Those two alone have helped drive the costs associated with ransomware to double, with cost estimations including downtime suffered and recovery time, which can take weeks.

While some ransomware strains dominate the discussion about the problem, others seem to be non-starters—developed, deployed, but unsuccessful and forgotten about. Unlike animal extinction, though, malware has a habit of making a return. FTCode is one of those pieces of malware that keeps rising from the dead, which would make a horror villain blush. Discovered in 2013, it was seen distributed via spam email campaigns, which is unremarkable but the malware had some incredibly unique features even to this day.

Initial Discovery

As mentioned above, FTCode was discovered in 2013, being distributed mainly via spam emails. What made the ransomware unique was that it used Windows PowerShell to perform the file encryption. Windows developed PowerShell to enable administrators to automate specific tasks on a Windows network. Introduced in the no-longer-supported Windows 7, it was even made available to earlier versions of Windows relatively soon after its release. Now PowerShell is often abused by cybercriminals to gain increased privileges or to download and install various other types of malware.

Files encrypted by FTCode ransomware:

This abuse of PowerShell was most certainly unique and was something that would pique the interest of even the most jaded security researcher at the time. How the ransomware infected the machine and encrypted files was a keen point of interest. The spam email contained an HTA file, which is an HTML executable namely used with Internet Explorer 5 and up. The file itself contained two Base64 encoded strings. The first of these strings would check to see if a version of PowerShell was already installed on the victim’s machine. If this returned false, the malware would then proceed to download PowerShell from a Dropbox account controlled by the attacker and install it. Once this was done, the second string would come into play—this part of the code would execute the CreateEncryptor() function.

Even the type of encryption used was noteworthy. Once the function was called, files would be encrypted with the Rijndael Encryption Algorithm, which supported encryption in key sizes of 128, 192 and 256 bits, with data handling taking place in 128-bit blocks. The algorithm was developed by Vincent Rijmen and Joan Daemen as a result of encryption standards at the time showing a number of vulnerabilities to attack. With that in mind, the priority of the algorithm was to be able to resist all known methods of attack at the time of development as well as exhibiting simplicity in its design and source code. Another interesting footnote regarding FTCode was that rather than choosing specific files deemed important to the victim, the malware would encrypt all files that had any one of the 163 file extensions targeted by the ransomware. This meant that the ransomware would encrypt anything from documents and spreadsheets to images and videos.

Once encryption was complete, the ransom note would be dropped. The initial campaigns spreading FTCode only targeted those residing in Russian-speaking nations. This was evident in the note dropped, which was written in Russian and translates as follows:

“Your files are encrypted?
Do you want to unlock your files and do not know how?
You can get the decryption program in fully automatic mode in a few minutes!
To decrypt your files must have a unique code, which is contained in the file READ_ME_NOW.txt, so we can learn the code please upload the file READ_ME_NOW.txt the form below. This file is in any directory that has encrypted files.”

Once victims uploaded the form as instructed, they would be greeted by a second message which stated,

“You are logged in!
We successfully read your unique lock code. For you, there is good news and bad news:
The good news is that you can get the program and fully unlock and clean your PC in just a few minutes.
The bad news – a program to unlock costs 10 TR for one PC
To prove to you that we can provide the unique program for your PC that will unlock all of your files – you can upload any one of the encrypted files no larger than 1 megabyte, and we will automatically decode it.”

While the attackers demanded 10,000 rubles—approximately $326 US at the time—researchers discovered that victims could decrypt their files relatively easily without having to pay. The ransomware utilized two methods of creating the decryption key. The first utilized a Universally Unique Identifier (UUID) and renamed it using the .FTCODE extension used in the encryption process. The second method involved generating a random string of 50 characters long with four non-alphanumeric characters. The string is then turned into a password via a function code. All the victims had to do was enter into two commands to get each key, provided for by researchers, and they could then decrypt the files without having to pay.

FTCode Returns

It became clear that those behind the first FTCode campaigns were unsuccessful as the ransomware variant seemed to disappear. This may be in part to victims being able to decrypt their own files, but as researchers pointed out at the time Windows XP was the majority shareholder in the OS game. This meant that at the time only Windows 7 machines had PowerShell installed and it was yet to be completely made available to earlier versions of Windows, including XP. This drastically reduced the number of available targets, resulting in less-than-adequate payouts. FTCode seemed destined to join the scrap pile.

Ransom demanding message of FTCode ransomware:

But, like any good villain, FTCode would not just lie down and die. It took six years and the advent of PowerShell to be installed on a much greater percentage of machines, but FTCode returned. Toward the end of September FTCode was seen being dropped with other malware types, often as the final payload, targeting Italian speakers. The campaign distributed spam mail via an Italian email service commonly used to deliver invoices, which made it difficult for recipients to detect if it was spam or not. The email itself presented as an invoice and contained a malicious Office document. When the victim opened the attachment they were presented with a notification saying the document required the disabling of “Protected View.” This is a commonly used trick to enable macros. Once this is done, the malicious macro runs a PowerShell process and the infection of the machine has begun.

The malware downloads a Visual Basic script via a GET request, which downloads JasperLoader, a trojan that creates a backdoor so that other malware strains can be dropped onto the machine at a later date. Once this is done, the ransomware gets to work by scanning for hard drives with more than 50KB of space available and uses the same vast list of file types as before to target files for encryption. Again, the Rijdael algorithm is used for encryption. Once encryption is complete, a ransom note is dropped. This time the ransom demanded is $500 US and includes instructions on how to download a Tor browser. A link is attached that redirects the victim to further payment instructions once the browser is downloaded. From the analysis done at the time, it appeared that this latest attack may have been a test run, as the malware still appeared under development. One day after the initial detection another version popped up that included a method to send information to the attacker’s command and control server to inform them whether the infection was successful. Researchers also noted that it was possible to get the encryption keys by simply monitoring traffic to the attackers’ server. This would imply that the key could be intercepted and decryption completed without paying the ransom—another indication that more was to come from FTCode.

The New and Improved FTCode

Researchers did not have to wait six years to see FTCode once more. This time it was only a few months wait, as recently reports have surfaced that FTCode was back with even more features. The latest campaign still relies on spam emails for distribution and again JasperLoader is dropped along with FTCode; however, this time another surprise is in store for the victim: FTCode now includes an info stealer that allows the malware to first search and harvest for stored credentials before the encryption process begins. The credentials can be harvested from both web browsers as well as email clients. For victims running Internet Explorer and Outlook Express, the info stealer harvests credentials from the registry. If the victim is running Chrome, Firefox or Thunderbird, it targets the folders used by the applications to store credentials.

Once the information is harvested, it is sent to the attackers’ command and control server, which is sent along with an encoded password again using Base64 encoding. Researchers confirmed that the info-stealing capability can only be found on the latest version of FTCode, version 1117.1. Like with the earlier 2019 campaign, the ransom demanded is $500 US. It is important to note that victims should not pay the ransom as there have been reports that even when the ransom has been paid files have not being decrypted. Often it is advised not to pay for this exact reason, and considering there are ways to decrypt files without paying the ransom, victims should explore that option thoroughly before the thought of paying even comes to mind.

In many ways, FTCode was ahead of its time in using PowerShell exclusively to encrypt targeted files. How the ransomware was spread has been a tried and true method of infecting computers, so there is little to admire there. If it wasn’t for the adoption of PowerShell on later Windows versions, FTCode may have never resurfaced. Researchers are left wondering what is next in store for the ransomware. Will it include more features and drop other malware types? Or will it look to change tactics? Will it adopt the big game hunting tactics of Ryuk and Sodinokibi and go after large corporations for bigger paydays? We have to wait and see.