FTCODE ransomware is back with a new set of information-stealing capabilities aimed at browsers and e-mail services.

First discovered in 2013 by Sophos, the malware – presumably the handiwork of Russian threat groups – caught researchers' interest because of its dependence on PowerShell, the Microsoft scripting language designed for task automation and system administration.

The ransomware was previously aimed at Russian-speaking users, but since its creation the malware operators have expanded their horizons to include speakers of other languages.

In October 2019, the ransomware was linked to phishing and e-mail campaigns targeting Italian users through documents containing malicious macros, a common delivery vector for cyber attacks and exploit kits.

According to Zscaler ThreatLabZ researchers Rajdeepsinh Dodia, Amandeep Kumar and Atinderpal Singh, the malware is now downloaded via VBScript, but is still based on PowerShell.

“The FTCODE ransomware campaign is changing rapidly,” the team says. “Because of the scripting language in which it is written, it offers multiple benefits to threat actors, making it easy for them to add or remove features or make tweaks much easier than is possible with traditionally compiled malware.”

What looks like the latest version of the malware, 1117.1, lands on infected machines through the same attack vector – documents that contain macros. However, these macros now contain links to VBScripts that fetch the PowerShell-based FTCODE, disguised as a decoy .JPEG image file placed in the Windows %temp% folder.

In many ways, FTCODE behaves like typical ransomware. Basic system information is collected and sent to a waiting command-and-control (C2) server, and persistence is achieved through a shortcut file in the Startup folder that runs on reboot.

FTCODE then scans the infected system for drives with at least 50 KB of free space and starts encrypting files with extensions such as .das, .rar, .avi, .epk and .docx. A ransom note is then dropped. Positive Technologies says the initial demand is $500, but it increases over time.
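The persistence mechanism described above (a Startup-folder shortcut that launches a PowerShell stager hidden behind a decoy .JPEG in %temp%) is something a defender can triage on an endpoint. The following is an added example, not code from the article, Zscaler or Positive Technologies; the shortcut records are constructed sample data, and resolving a real .lnk's target and arguments with a .lnk parser is assumed rather than shown.

```python
"""Triage Windows Startup-folder shortcuts for script-host persistence (added example)."""
import re
from typing import Dict, List

# Script hosts an attacker would point a Startup shortcut at.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Switches commonly used to run a script silently or bypass execution policy.
SUSPICIOUS_ARGS = re.compile(
    r"-(?:enc(?:odedcommand)?|w(?:indowstyle)?\s+hidden|ep\s+bypass"
    r"|executionpolicy\s+bypass|nop(?:rofile)?)\b"
    r"|\biex\b|invoke-expression|downloadstring",
    re.IGNORECASE,
)
# A script host handed an image/document-named file from %temp% is a classic decoy.
DECOY_IN_TEMP = re.compile(r"%temp%|\\temp\\.*\.(?:jpe?g|png|gif|pdf|docx?)\b", re.IGNORECASE)


def flag_startup_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return entries whose target is a script host launched with suspicious arguments.

    Each entry is {"name": shortcut file, "target": executable path, "args": command line}.
    A plain script-host launch alone is not flagged; it must also show hiding/bypass
    switches or a decoy file in %temp%, which keeps benign admin scripts out of the list.
    """
    flagged = []
    for e in entries:
        exe = e["target"].rsplit("\\", 1)[-1].lower()
        if exe not in SCRIPT_HOSTS:
            continue
        reasons = []
        if SUSPICIOUS_ARGS.search(e["args"]):
            reasons.append("hidden/bypass switches")
        if DECOY_IN_TEMP.search(e["args"]):
            reasons.append("script host invoked on decoy file in %temp%")
        if reasons:
            flagged.append({**e, "reason": "; ".join(reasons)})
    return flagged


# Constructed sample records, not real FTCODE artefacts.
SAMPLE_ENTRIES = [
    {"name": "OneDrive.lnk", "target": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "args": "/background"},
    {"name": "WindowsIndexingService.lnk",
     "target": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "args": r"-WindowStyle Hidden -ExecutionPolicy Bypass -File %temp%\invoice_preview.jpeg"},
    {"name": "Backup.lnk", "target": r"C:\Windows\System32\cscript.exe", "args": r"C:\Tools\backup.vbs"},
]

if __name__ == "__main__":
    for hit in flag_startup_entries(SAMPLE_ENTRIES):
        print(f"{hit['name']}: {hit['target']} {hit['args']}  <- {hit['reason']}")
```

Only the PowerShell shortcut with hidden/bypass switches and a %temp% decoy is reported; the benign cscript backup job is left alone.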

The latest version of the malware can also steal browser and e-mail credentials, a significant update over earlier iterations.

Credentials stored by the Internet Explorer, Mozilla Firefox and Google Chrome browsers, as well as by the Microsoft Outlook and Mozilla Thunderbird e-mail clients, can be harvested and sent via the C2 to the malware operators.

The stolen data is Base64-encoded and sent in an HTTP POST request, as noted by Positive Technologies.

The researchers add in their report that the ransomware can also install the JasperLoader downloader, which can be used to deploy additional malicious payloads.

In related news, Safebreach Labs on Tuesday reported the results of research into how ransomware could abuse the Microsoft Windows Encrypting File System (EFS) to encrypt and lock PCs.

After developing a proof-of-concept malware variant and demonstrating working attacks, the researchers tested their ransomware against three popular antivirus products, none of which stopped the threat. A total of 17 cyber security vendors received Proof-of-Concept (PoC) reports, and the majority have since pushed proactive software updates ahead of any use of such an attack in the wild.
