ftcode

FTCode is a ransomware family first observed in 2013 as a PowerShell-based threat and later resurfaced in September 2019 with enhanced capabilities. It is notable for being fileless, executing entirely in memory using PowerShell scripts, which allows it to evade traditional antivirus detection. FTCode is commonly delivered via malicious email campaigns, often using phishing attachments such as Word documents with embedded macros that execute the ransomware script. It encrypts files using the AES algorithm and appends the .FTCODE extension, leaving ransom notes instructing victims to contact the operators via email. Later variants added capabilities such as stealing credentials from browsers and email clients. FTCode campaigns have been observed globally, with a focus on Europe, particularly Italy.