The FTCode ransomware has been further developed and can now harvest credentials from web browsers and email clients. Because it is written entirely in PowerShell, it can encrypt its targets' devices without downloading additional components, and its developers can add new functionality with little effort.
The newly added info-stealer functionality lets FTCode harvest and exfiltrate stored credentials before it encrypts its victims' files. FTCode steals credentials stored in web browsers (Internet Explorer, Mozilla Firefox, Google Chrome) and in email clients (Mozilla Thunderbird and Microsoft Outlook).
FTCode arrives on its victims' computers via spam emails carrying malicious Word documents disguised as invoices, document scans, and resumes. The documents drop the JasperLoader malware downloader, after which FTCode encrypts the device.
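Two behaviours in the chain described above are cheap to spot from endpoint telemetry: an Office application spawning PowerShell (the malicious document handing off to the loader), and a script host reading the on-disk credential stores of the clients the article names before any encryption begins. The following is an added detection example, not code from the article or from FTCode's authors. It runs over constructed Sysmon-style events embedded inline; the credential-store paths assume the default per-user profile layout on Windows, and the command line in the sample event is made up for illustration, not a real FTCode or JasperLoader invocation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Office binaries whose child processes are suspicious when they are script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters a malicious document typically launches; FTCode itself is pure PowerShell.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# On-disk credential stores of the clients named in the article, under the
# default profile layout (assumption for this example). Internet Explorer and
# Outlook keep saved passwords in the Windows Credential Manager and registry
# profiles rather than in plain files, so file-access telemetry alone does not
# cover them; that gap is deliberately left visible rather than guessed at.
CREDENTIAL_STORES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("Google Chrome", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("Mozilla Firefox", re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I)),
    ("Mozilla Thunderbird", re.compile(r"\\Thunderbird\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I)),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (used to compare image names)."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_script_host(event: Dict[str, str]) -> bool:
    """True when Word/Excel/etc. is the parent of PowerShell or another script host."""
    return (
        event.get("event") == "ProcessCreate"
        and basename(event.get("parent", "")) in OFFICE_PARENTS
        and basename(event.get("image", "")) in SCRIPT_HOSTS
    )


def credential_store_read(event: Dict[str, str]) -> Optional[str]:
    """Name of the client whose credential store a script host read, else None.

    A browser reading its own store is normal and is not flagged; only reads by
    a script host are.
    """
    if event.get("event") != "FileRead" or basename(event.get("image", "")) not in SCRIPT_HOSTS:
        return None
    for client, pattern in CREDENTIAL_STORES:
        if pattern.search(event.get("target", "")):
            return client
    return None


def analyze(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run both rules over an event stream and return (rule, detail) alerts in order."""
    alerts: List[Tuple[str, str]] = []
    for e in events:
        if office_spawned_script_host(e):
            alerts.append(("office_spawned_script_host",
                           f"{basename(e['parent'])} -> {basename(e['image'])}"))
        client = credential_store_read(e)
        if client:
            alerts.append(("credential_store_read", client))
    return alerts


# Constructed sample events (not real telemetry). Events 0, 4 and 5 are benign
# and must not fire: a user opening an attachment, Chrome reading its own store,
# and PowerShell touching an ordinary document.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "ProcessCreate", "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmdline": "WINWORD.EXE /n invoice.doc"},
    {"event": "ProcessCreate", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c <constructed placeholder>"},
    {"event": "FileRead", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "FileRead", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\logins.json"},
    {"event": "FileRead", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "FileRead", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The two rules are independent on purpose: the parent-child rule catches the delivery stage even if the loader fetches a different payload, and the credential-store rule catches the info-stealer stage even if the script host was launched some other way. In a real deployment both would be fed from Sysmon event IDs 1 (process creation) and 11 or file-access auditing, and the Outlook and Internet Explorer cases would need Credential Manager (vaultcli) and registry telemetry that this example does not model.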