Researchers have discovered a new one spam campaign targeting Italians users and uses an old PowerShell ransomware. There has been talk of a new ransomware named for a few days now FTCode, distributed through spam emails.
However, according to Certego, FTCode is the same as software that Sophos had discovered on 2013.
“The name may look new, but the first appearance of this threat was 2013 and was discovered by Sophos. Then, for about 6 years, nothing was observed. "
Certego researchers believe that ransomware may not have been as successful as 2013 because PowerShell programs were not as popular as they are today. So are you hackers they had to use other types malicious software.
Distributing FTCode via campaign spam
Researchers found that ransomware was spreading through spam emails, containing malware archives Word. The target was Italian users.
According to the researcher JamesWT, malicious files were of varying content. When they appeared as invoices, sometimes as other documents and sometimes as a job application.
An example of such an email is:
If users open the attachment, they will see a Word document requesting content activation to continue the process.
If enabled, the process continues as follows: start malicious macros that execute a PowerShell command. It downloads and installs it JasperLoader malware downloader and then encrypts the computer.
Then the malicious script will execute various commands to delete Shadow Volume Copies and their backups Windows.
Once these processes are done, the script begins to encrypt the victim's files.
After encryption, victims will see the extension .FTCODE encrypted files.
The ransomware administrators then add one to each folder note (READ_ME_NOW.htm) through which they request ransom.
The following note contains a link that leads to one website payment Tor. It contains instructions on how to purchase a file decryption tool, which costs $ 500 USD.
If victims visit the payment site, they will receive an address Bitcoin and the amount they have to pay to recover their files.