FTCode Ransomware Returns with Credential-Stealing Capabilities

Researchers report that FTCode ransomware now includes browser and email password-stealing features. It can skim user credentials from Internet Explorer, Firefox, and Chrome, as well as from the email clients Thunderbird and Outlook.

The malware acquires persistence through a shortcut file in the startup folder that executes on reboot.

About the new version

  • Coming from a ransomware family, while it does encrypt data, the PowerShell malware has added features for stealing user credentials from common web browsers and email clients.
  • FTCode version 1117.1 ransomware steals credentials from five popular browsers and email clients. It can skim user credentials from Internet Explorer, Firefox, and Chrome as well as email clients Thunderbird and Outlook.
  • The new version uses a different set of methods to steal credentials from each targeted application, a consequence of how the malware has been scripted.

How it works

Infection starts with spam emails containing malicious macro documents and, more recently, containing links to VBScripts.

  • As soon as a user executes the VBScript, the malware deploys the PowerShell-based FTCODE disguised as a decoy .JPEG image in the Windows %temp% folder.
  • Basic system information is then harvested and sent to a waiting command-and-control (C2) server.
  • The malware acquires persistence through a shortcut file in the startup folder that executes on reboot.
  • Stolen data is Base64-encoded and sent via an HTTP POST request.
  • All the locked files get a .FTCODE extension and every folder gets READ_ME_NOW.htm ransom notes.
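The on-disk traces described above (files renamed with a .FTCODE extension, READ_ME_NOW.htm ransom notes, and a shortcut dropped in a Startup folder) are simple to triage for. The following is an added example, not code from the article or the researchers; it runs against a constructed sample directory, and the Startup folder location is passed in by the caller (on a real host that is typically %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).

```python
# Added triage helper (not from the article): walks a directory tree and
# collects the FTCode indicators the article names. The sample tree it
# scans is constructed here so the script runs offline.
import os
import tempfile
from dataclasses import dataclass, field

RANSOM_NOTE = "READ_ME_NOW.htm"   # ransom note dropped in every folder
ENCRYPTED_EXT = ".ftcode"         # extension appended to locked files

@dataclass
class Findings:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    startup_shortcuts: list = field(default_factory=list)

def scan_tree(root, startup_dirs=()):
    """Collect FTCode-style indicators under `root`.

    `startup_dirs` lists folders in which a .lnk file counts as a
    persistence indicator (assumption: caller supplies the real path).
    """
    found = Findings()
    startup = {os.path.normcase(os.path.abspath(d)) for d in startup_dirs}
    for dirpath, _, filenames in os.walk(root):
        in_startup = os.path.normcase(os.path.abspath(dirpath)) in startup
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                found.encrypted_files.append(path)
            elif lower == RANSOM_NOTE.lower():
                found.ransom_notes.append(path)
            elif in_startup and lower.endswith(".lnk"):
                found.startup_shortcuts.append(path)
    return found

def build_sample_tree():
    """Constructed sample: a fake profile with one hit of each kind."""
    root = tempfile.mkdtemp(prefix="ftcode_demo_")
    startup = os.path.join(root, "Startup")
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(startup)
    for rel in ("Documents/report.docx.FTCODE", "Documents/READ_ME_NOW.htm",
                "Documents/notes.txt", "Startup/update.lnk"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample")   # contents are irrelevant to the scan
    return root, startup

if __name__ == "__main__":
    root, startup = build_sample_tree()
    print(scan_tree(root, [startup]))
```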

Decryption isn’t guaranteed

Hackers usually demand a $500 ransom to deliver the decryptor. However, there have been reports of victims paying the ransom and not receiving the decryptor.