Thursday, August 11, 2022
W-SE (Web - SEcurity)

Spam Campaign FTCode PowerShell Ransomware Resurfaces

by Melina Richardson
in Malware, Vulnerabilities

An old PowerShell ransomware has resurfaced with a vengeance in a spam campaign aimed at Italian recipients. The ransomware is called FTCode and is entirely PowerShell-based, so it can encrypt a computer without downloading any other components.

Since 26 September, new ransomware named FTCode, distributed via spam, has been reported [1, 2, 3, 4].

Security company Certego, which analyzed the FTCode ransomware, says it is effectively the same version that Sophos found in 2013.

“Even if the name could seem new, the first appearance of this threat was in 2013, as stated by Sophos. Then, almost nothing was seen for about 6 years. Strange, but we have to remember that technology changes. Windows XP was widespread at that time and, by default, Powershell is installed only from Windows 7 on. That can be a problem because actors need to install powershell itself before running ransomware. Also, cyber security was not as mature as it is nowadays so, for instance, classic Zeus-like bankers were more effective.”

Certego speculates that this ransomware may not have been successful in 2013 because PowerShell was not as common then as it is now, and other kinds of malware were more lucrative to use.

Distributed via spam

This ransomware is spread via spam emails carrying malicious Word documents aimed at Italian users.

Security researcher JamesWT reported seeing spam variants posing as invoices, document scans, and job resumes.

For example, the following spam email pretends to be a Fattura, an invoice that the victim must pay.

[Image: Example fattura spam email]

When the attachment is opened, a Word document is displayed stating that content must be enabled to proceed.

[Image: Malicious Word document]

Once content is enabled, malicious macros run a PowerShell command that downloads and installs the JasperLoader malware downloader and then encrypts the computer.

[Image: Executing the PowerShell command]

Script drops backdoor, then encrypts the computer

According to Certego, the first malware component installed is JasperLoader, which is then used to download and install other malware on the victim's computer.

[Image: Portion of script that installs JasperLoader]

After the VBS script has been downloaded, a scheduled task called Windows ApplicationService and a shortcut in the Startup folder are created so that the loader persists across reboots.

[Image: JasperLoader scheduled task]

The PowerShell script then moves on to the ransomware portion, first checking whether the file C:\Users\Public\OracleKit\w00log03.tmp exists. Michael Gillespie said this file acts as a killswitch: if it exists, the script does not encrypt the computer.

If the file does not exist, an encryption key is generated and sent to the attacker's command and control server. This means the encryption key can be recovered if network traffic was being captured during encryption.

The script then runs several commands that delete Shadow Volume Copies and Windows backups and disable Windows recovery:

bcdedit /set absjbjsct bootstatuspolicy ignoreallfailures
bcdedit /set absjbjsct recoveryenabled no
wbadmin delete catalog -quiet
wbadmin delete systemstatebackup
wbadmin delete backup
vssadmin delete shadows /all /quiet
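As an added example (not code from the article, Certego or the ransomware itself), the following Python detection logic runs over constructed Sysmon-style process-creation log lines and flags the recovery-destruction commands listed above, plus the Word-to-PowerShell parent/child relationship described earlier; the pipe-delimited log format, the rule names and the sample events are assumptions.

```python
import re
from datetime import datetime
# Constructed process-creation events (Sysmon Event ID 1 style, reduced to
# "timestamp|parent image|image|command line"); not real telemetry. The
# destructive command lines are the ones quoted in the article above.
SAMPLE_EVENTS = """\
2019-10-02T10:14:03Z|WINWORD.EXE|powershell.exe|powershell -w hidden -ep bypass -c <constructed stage-1 command>
2019-10-02T10:14:09Z|powershell.exe|bcdedit.exe|bcdedit /set absjbjsct bootstatuspolicy ignoreallfailures
2019-10-02T10:14:09Z|powershell.exe|bcdedit.exe|bcdedit /set absjbjsct recoveryenabled no
2019-10-02T10:14:10Z|powershell.exe|wbadmin.exe|wbadmin delete catalog -quiet
2019-10-02T10:14:10Z|powershell.exe|wbadmin.exe|wbadmin delete systemstatebackup
2019-10-02T10:14:11Z|powershell.exe|vssadmin.exe|vssadmin delete shadows /all /quiet
2019-10-02T11:30:00Z|explorer.exe|vssadmin.exe|vssadmin list shadows
2019-10-02T11:31:00Z|cmd.exe|wbadmin.exe|wbadmin get versions
"""
# Command-line patterns derived from the recovery-disabling commands listed above.
RULES = [
    ("boot_recovery_disabled", r"bcdedit\b.*\b(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b"),
    ("windows_backup_deleted", r"wbadmin\s+delete\s+(catalog|systemstatebackup|backup)\b"),
    ("shadow_copies_deleted", r"vssadmin\s+delete\s+shadows\b"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # macro hosts that should not spawn PowerShell

def parse_events(text):
    """Yield (datetime, parent, image, cmdline) for each non-empty pipe-delimited line."""
    for line in text.splitlines():
        if line.strip():
            ts, parent, image, cmdline = line.split("|", 3)
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), parent.lower(), image.lower(), cmdline

def match_rules(parent, image, cmdline):
    """Names of every rule one event triggers; empty list for benign events."""
    hits = ["office_spawned_powershell"] if image == "powershell.exe" and parent in OFFICE_PARENTS else []
    return hits + [name for name, pat in RULES if re.search(pat, cmdline, re.IGNORECASE)]

def detect(text):
    """Per-event alerts as (timestamp, image, [rule names]) for events that matched anything."""
    return [(ts.isoformat(), image, hits) for ts, parent, image, cmdline in parse_events(text)
            if (hits := match_rules(parent, image, cmdline))]

def pre_encryption_burst(text, window_seconds=60):
    """True when all three recovery-destruction rules fire within one short window (the pre-encryption sequence)."""
    first_seen = {}
    for ts, parent, image, cmdline in parse_events(text):
        for name in match_rules(parent, image, cmdline):
            if name != "office_spawned_powershell":
                first_seen.setdefault(name, ts)
    if len(first_seen) < len(RULES):
        return False
    return (max(first_seen.values()) - min(first_seen.values())).total_seconds() <= window_seconds
```

The burst check matters more than any single rule: administrators legitimately run `vssadmin list shadows` or `wbadmin get versions`, but all three destruction commands within a minute of a Word-spawned PowerShell is the point at which backups can still be protected.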

With the computer prepared, the script begins encrypting the files on it.

[Image: Ransomware portion of the PowerShell script]

The .FTCODE extension is appended to each file as it is encrypted, as seen below.

[Image: Encrypted FTCODE files]

The ransomware also creates a ransom note named READ ME NOW.htm in each folder. When this ransomware was tested, the ransom notes were not created correctly and 0-byte files were left behind.

The ransom note below, from Certego's analysis, links to a Tor payment site that gives directions on how to buy a decryptor, currently priced at $500 USD.

[Image: FTCode ransom note]

When victims visit the Tor payment site, they are shown a bitcoin address and the ransom amount to send in order to buy the decryptor.

[Image: FTCode Tor payment site]

Unfortunately, Gillespie analyzed the encryption algorithm and found no weaknesses that would let victims recover their files for free.

IOCs:

Maldoc hash:

b09bc9a25090cada55938367c7f12e692632afa2ed46d5e90eba29da84befafd

Ransom note text:

All your files was encrypted!
Your personal ID: [id]
Your personal KEY:
[key]
1. Download Tor browser - https://www.torproject.org/download/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser:
http://qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd.onion/?guid=[id]
5. Follow the instructions on this page
***** Warning*****
Do not rename files
Do not try to back your data using third-party software, it may cause permanent data loss(If you do not believe
us, and still try to - make copies of all files so that we can help you if third-party software harms them)
As evidence, we can for free back one file
Decoders of other users is not suitable to back your files - encryption key is created on your computer when the
program is launched - it is unique.

Tags: ransomware
Melina Richardson

Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards & w-se. Previously, he worked as a security news reporter.