fct

[Content by Gemini 2.5]

“.fct” Ransomware – Community Threat Brief

Last updated: 24-Jun-2024


Technical Breakdown

1. File Extension & Renaming Pattern

  • Confirmed file marker: .fct (lower-case)
  • Renaming convention: the original name is kept and the extension is simply appended, e.g.
    Project.docx → Project.docx.fct
  • No e-mail address, victim-ID, or random hex string is inserted.
  • Desktop icon: encrypted files show a blank/white icon because Explorer picks icons by extension and no application is registered for .fct; the original type's magic number is also gone from the encrypted header, so content-based previews fail too.
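The renaming rule above, together with the header bytes quoted in section 4 (encrypted files start with EA EA 50 4B, legitimate controller .fct files with 4D 5A), is enough to triage a directory tree without guessing. The following Python script is an added example written for this brief, not code from the original page or from any vendor; it assumes a mounted volume (or any directory) is passed as the root and that the header rule from section 4 holds for all current builds. Files that carry the extension but neither header are reported as unknown rather than forced into a category.

```python
"""Triage .fct files on a mounted tree: classify by header, recover original names."""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

ENCRYPTED_MAGIC = bytes.fromhex("EAEA504B")   # header of .fct-encrypted files (section 4)
CONTROLLER_MAGIC = bytes.fromhex("4D5A")      # header of legitimate controller .fct files (section 4)


def classify(name: str, header: bytes) -> str:
    """Classify one file from its name and first bytes.

    Returns 'encrypted', 'controller', 'unknown-fct' (extension present but
    unrecognised header) or 'not-fct'.
    """
    if not name.lower().endswith(".fct"):
        return "not-fct"
    if header.startswith(ENCRYPTED_MAGIC):
        return "encrypted"
    if header.startswith(CONTROLLER_MAGIC):
        return "controller"
    return "unknown-fct"


def original_name(name: str) -> Optional[str]:
    """Recover the pre-encryption name.

    The brief states the original name is kept and '.fct' is only appended, so
    stripping that single suffix is the whole inverse; nothing else is inserted.
    """
    if not name.lower().endswith(".fct"):
        return None
    return name[:-4]


def triage(root: str) -> Dict[str, dict]:
    """Walk a (mounted, offline) tree and report every .fct file.

    Each entry records the classification and, for encrypted files, the name the
    file should get back after decryption or restore from backup.
    """
    report: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".fct"):
                continue
            full = Path(dirpath) / fname
            try:
                with open(full, "rb") as fh:
                    header = fh.read(4)
            except OSError:          # unreadable file: classify on the extension only
                header = b""
            kind = classify(fname, header)
            entry = {"kind": kind}
            if kind == "encrypted":
                entry["original_name"] = original_name(fname)
            report[str(full.relative_to(root))] = entry
    return report


def summary(report: Dict[str, dict]) -> Dict[str, int]:
    """Count files per classification so the scale of the damage is visible at a glance."""
    counts: Dict[str, int] = {}
    for entry in report.values():
        counts[entry["kind"]] = counts.get(entry["kind"], 0) + 1
    return counts


def demo() -> Dict[str, dict]:
    """Build a small constructed sample tree in a temp directory and triage it.

    The four files are fabricated for the example; only the header bytes follow
    the brief.
    """
    root = tempfile.mkdtemp(prefix="fct-triage-")
    samples = {
        "Project.docx.fct": ENCRYPTED_MAGIC + b"\x11" * 16,   # encrypted sample (constructed)
        "plc_program.fct": CONTROLLER_MAGIC + b"\x90" * 16,   # legitimate controller file (constructed)
        "weird.fct": b"\x00\x01",                             # extension only, unknown header
        "notes.txt": b"not touched",                          # untouched file
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return triage(root)


if __name__ == "__main__":
    import sys
    rep = triage(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, entry in sorted(rep.items()):
        print(f"{entry['kind']:12s} {path}")
    print(summary(rep))
```

Run it against the mount point of the victim volume; the per-file report doubles as the restore list, since each encrypted entry already carries the name the file must get back.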

2. Detection & Outbreak Timeline

  • First public sighting: April 2022 (uploaded to ID-Ransomware & VirusTotal).
  • Surge periods: late May 2022, Jan 2023, and again Mar 2024 (Trellix, Zscaler).
  • Geography: Initially Latin-America, now global with 60% of submissions from Europe & South-East Asia.

3. Primary Attack Vectors

  1. Phishing e-mail with an ISO/IMG attachment – the container carries an NSIS installer that drops the loader.
  2. Pirated software / "cracks" on torrent sites – an NSIS wrapper carries an appended, encrypted PE that is decrypted and reflectively loaded in memory.
  3. RDP / SSH brute-forcing – credentials are validated with NLBrute / Defender-Stop, then a script deploys the payload with PsExec.
  4. Storage-platform syncing – operators abuse legitimate OneDrive/Google Drive sync to push the dropper once an employee's cloud account is phished.
  No evidence of worm-like SMB/EternalBlue activity to date.

Remediation & Recovery Strategies

1. Prevention

  • Block ISO/IMG mounting via GPO (Windows 8 and later mount these images on double-click, so a phished attachment opens like a folder).
  • Application whitelisting / WDAC – block unsigned binaries in %TEMP%, %PUBLIC%, C:\Users\<user>\Downloads.
  • E-mail gateway: strip ISO, IMG, VHD, and password-protected ZIP at the boundary.
  • Enforce 2FA on ALL remote-access paths (VPN, RDP gateway, MSSQL, SCCM).
  • RDP hardening:
    • Disable RDP if unused; if needed, place it behind an RD Gateway with Connection Authorization Policies (CAP), never exposed directly to the Internet.
    • Segment VLANs; block workstation-to-workstation SMB/445.
  • Regular, offline or immutable backups (3-2-1 rule). Restrict vssadmin.exe and wmic shadowcopy to administrators via GPO/AppLocker and alert on their use, since the ransomware deletes shadow copies before encrypting.

2. Removal / Containment

Step-by-step (as in standard incident-response playbooks):
A. Isolate the host from the network immediately (pull cable / disable Wi-Fi). Prefer isolation over power-off: RAM is lost on shutdown and may still hold the running encryptor and key material, so capture memory first if you can; power off only if encryption is visibly in progress and you cannot isolate.
B. Boot a clean Windows PE / Linux USB and mount the OS volume OFFLINE (read-only).
C. Hunt & delete the following indicators:

  • C:\Users\Public\Libraries\Metadata\fct.exe (main loader)
  • %TEMP%\~df<random>.tmp (propagator; ~DF*.tmp names are also produced by legitimate Windows components, so check hash and size before deleting)
  • HKCU\Software\FCT_MUTEX (infection marker; on an offline volume, load the user's NTUSER.DAT hive to see it)
  • schtasks /Delete /TN "fct_job" /F (persistence; offline, the task is the XML file Windows\System32\Tasks\fct_job)
D. Remove the malicious service (name = "FastCodeTask") with sc.exe delete FastCodeTask.
E. Do not wipe surviving shadow copies until you have confirmed backups are intact: the ransomware already runs vssadmin delete shadows, so anything left may be your only pre-encryption copy.
F. Re-image the box (recommended). Compromised registry hives may hide additional back-doors; a full wipe is faster and safer.
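The sweep in steps C and D can be scripted from the clean boot environment of step B. The Python script below is an added example for this brief, not code from the original page or from any IR toolkit. It assumes the victim's OS volume is mounted read-only at a path passed as the root (e.g. /mnt/victim on a Linux USB) and that paths should be matched case-insensitively, as NTFS does. It covers only what is visible on the filesystem: the loader path, the per-profile ~df*.tmp propagator pattern, the ransom note, and the scheduled task, which Windows stores as an XML file named after the task under Windows\System32\Tasks. The HKCU marker and the FastCodeTask service live inside registry hives (NTUSER.DAT and SYSTEM) and are listed for manual follow-up rather than parsed. The propagator pattern is a weak indicator on its own, since legitimate Windows components create ~DF*.tmp files too.

```python
"""Offline filesystem sweep for the .fct indicators listed in steps C/D."""
import fnmatch
import os
import tempfile
from pathlib import Path
from typing import Any, Dict, Optional

# Indicators from step C/D as paths relative to the mounted volume root.
FILE_INDICATORS = {
    "loader":   "Users/Public/Libraries/Metadata/fct.exe",
    "task_xml": "Windows/System32/Tasks/fct_job",   # task definitions are XML files here
}
PROPAGATOR_GLOB = "~df*.tmp"            # %TEMP%\~df<random>.tmp, checked per user profile
RANSOM_NOTE = "OpenMe-ToRestore.txt"
# Indicators that live inside registry hives; a hive parser is needed, not done here.
HIVE_INDICATORS = [
    "HKCU\\Software\\FCT_MUTEX -> load each profile's NTUSER.DAT",
    "service FastCodeTask       -> load SYSTEM hive, ControlSet00N\\Services",
]


def find_ci(root: Path, rel: str) -> Optional[Path]:
    """Resolve a '/'-separated relative path case-insensitively under root,
    one component at a time. Returns None if any component is missing."""
    cur = root
    for part in rel.split("/"):
        nxt = None
        try:
            for entry in os.scandir(cur):
                if entry.name.lower() == part.lower():
                    nxt = Path(entry.path)
                    break
        except OSError:             # missing directory, or cur is a file
            return None
        if nxt is None:
            return None
        cur = nxt
    return cur


def sweep(mount_root: str) -> Dict[str, Any]:
    """Report which filesystem indicators are present on the mounted volume."""
    root = Path(mount_root)
    result: Dict[str, Any] = {
        "files": {}, "propagators": [], "ransom_notes": 0,
        "check_manually": list(HIVE_INDICATORS),
    }
    for label, rel in FILE_INDICATORS.items():
        hit = find_ci(root, rel)
        result["files"][label] = str(hit) if hit else None
    users = find_ci(root, "Users")
    if users is not None:
        for profile in os.scandir(users):
            temp = find_ci(Path(profile.path), "AppData/Local/Temp")
            if temp is None:
                continue
            for name in os.listdir(temp):
                if fnmatch.fnmatch(name.lower(), PROPAGATOR_GLOB):
                    result["propagators"].append(str(temp / name))
    for _dirpath, _dirs, files in os.walk(root):
        result["ransom_notes"] += sum(1 for f in files if f.lower() == RANSOM_NOTE.lower())
    return result


def demo() -> Dict[str, Any]:
    """Build a constructed, minimal volume layout in a temp directory and sweep it."""
    root = tempfile.mkdtemp(prefix="fct-volume-")
    for rel in (
        "Users/Public/Libraries/Metadata/fct.exe",      # loader
        "Users/alice/AppData/Local/Temp/~DF3A7C.tmp",   # propagator name pattern (constructed)
        "Users/alice/Desktop/OpenMe-ToRestore.txt",     # ransom note
        "Users/alice/Documents/OpenMe-ToRestore.txt",   # ransom note
        "Users/alice/Documents/Q2-report.xlsx.fct",     # encrypted file (constructed)
        "WINDOWS/System32/Tasks/fct_job",               # task XML; odd case on purpose
    ):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample")
    return sweep(root)


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(sweep(sys.argv[1]) if len(sys.argv) > 1 else demo(), indent=2))
```

Treat a hit on the loader or task file as confirmation of the family; a lone ~df*.tmp hit is not. Delete nothing from the script itself: record the paths, hash the files for your CSIRT, then remove them.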

3. File-Decryption Possibility

  • Current state: NO public decryption tool. The scheme (Curve25519 key exchange with ChaCha20-Poly1305 file encryption) has no known implementation flaw in current builds, so brute force is not an option.
  • Free options:
    • Check whether the malware failed to purge shadow copies (run vssadmin list shadows).
    • Inspect cloud-sync version history (OneDrive "Files Restore", Dropbox rewind).
    • File-carving tools (e.g. PhotoRec) may recover pre-encryption copies if the disk space has not been reused; image the disk first and carve from the image.
  • A leaked decryptor exists for the May-2022 build ONLY (bug in the key-storing routine). Upload a pair of original/encrypted samples to:
    • https://ftp.f-secure.com/crypto/ransomware
    • https://id-ransomware.malwarehunterteam.com
    The site maintainers reply within 24–48 h if you qualify.
  • Never pay the ransom. Bitcoin address tracking shows that after payment many victims receive non-functional keys or are blackmailed again.

4. Other Critical Information

  • Attribution: authorship overlaps with a mid-tier "Chaos-Ryuk" spin-off group tracked as "TRIAL-VAULT" (CrowdStrike).
  • Secondary payload: a post-exploitation Cobalt Strike beacon appears <1 h after the .fct encryptor runs, so assume data exfiltration. The operators publish victim names on the "FCT-Leaks" Tor blog.
  • Extension collision: do not confuse with legitimate "FCT" files produced by ABB FlexController or Harvard Graphics templates. The extension is identical but the header differs: encrypted files start with the magic bytes EA EA 50 4B, the controller format with 4D 5A.
  • Wider impact: >250 confirmed companies, average demand USD 190 k; recovery cost (downtime + IR) averages 7× the ransom demand according to the Chainalysis 2023 report.

Quick-reference IoC (atomic)

SHA-256:
4836671bca08e743498743a1093017e399622d4426ae4aec5ee9a1b0f4d599f4 (dropper)
90c90d8ec1ababc8697c7bbaf6d7f0f8980b1f986a9f9e3772aab52ecd39e40c (encryptor)

C2: kahszp6p5k4uepnj.onion:443 (Tor), fctblog.press (clearnet proxy)

Mutex: FCT_MUTEX_v2.13

Dropped ransom-note: OpenMe-ToRestore.txt (placed inside every folder + desktop).
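Matching the atomic IoCs above against endpoint telemetry is the usual first hunt. The Python script below is an added example written for this brief, not part of the original page or of any vendor product. The indicator set is exactly the one listed on this page; the seven event records are constructed to look like Sysmon/Windows event fields (EventID, Image, CommandLine, Hashes, DestinationHostname, ServiceName, TargetFilename) and are not real logs. Hash and C2-host matches are reported as high confidence, name-based matches as medium, and the vssadmin delete shadows command as a behaviour match that fires for any process. The mutex is not included because process-creation and network telemetry do not record mutex names; it is only visible by enumerating handles in memory on a live or imaged host.

```python
"""Match the .fct atomic IoCs against Sysmon-style event records."""
from typing import Dict, List

IOC = {
    "sha256": {
        "4836671bca08e743498743a1093017e399622d4426ae4aec5ee9a1b0f4d599f4": "dropper",
        "90c90d8ec1ababc8697c7bbaf6d7f0f8980b1f986a9f9e3772aab52ecd39e40c": "encryptor",
    },
    "c2_hosts": {"kahszp6p5k4uepnj.onion", "fctblog.press"},
    "service": "FastCodeTask",
    "task": "fct_job",
    "note": "OpenMe-ToRestore.txt",
}


def sha256_from_hashes(field: str) -> str:
    """Pull the SHA256 value out of a Sysmon 'Hashes' field such as 'SHA256=..,MD5=..'."""
    for part in field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return 'confidence:indicator' strings for every IoC the event touches."""
    hits: List[str] = []
    digest = sha256_from_hashes(ev.get("Hashes", ""))
    if digest in IOC["sha256"]:
        hits.append(f"high:sha256:{IOC['sha256'][digest]}")
    host = ev.get("DestinationHostname", "").lower()
    if host in IOC["c2_hosts"]:
        hits.append(f"high:c2:{host}")
    cmd = ev.get("CommandLine", "").lower()
    if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
        hits.append("medium:behaviour:shadow-copy-deletion")
    if "schtasks" in cmd and IOC["task"].lower() in cmd:
        hits.append(f"medium:task:{IOC['task']}")
    if ev.get("ServiceName", "").lower() == IOC["service"].lower():
        hits.append(f"medium:service:{IOC['service']}")
    if ev.get("TargetFilename", "").lower().endswith(IOC["note"].lower()):
        hits.append(f"medium:note:{IOC['note']}")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Index -> hits, for events that matched at least one indicator."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}


# Constructed sample telemetry for the example; not real logs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Users\Public\Libraries\Metadata\fct.exe",
     "CommandLine": r"C:\Users\Public\Libraries\Metadata\fct.exe",
     "Hashes": "SHA256=4836671BCA08E743498743A1093017E399622D4426AE4AEC5EE9A1B0F4D599F4,MD5=00"},
    {"EventID": "1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "Hashes": "MD5=00"},
    {"EventID": "3", "Image": r"C:\Users\Public\Libraries\Metadata\fct.exe",
     "DestinationHostname": "fctblog.press", "DestinationPort": "443"},
    {"EventID": "7045", "ServiceName": "FastCodeTask",
     "ImagePath": r"C:\Users\Public\Libraries\Metadata\fct.exe"},
    {"EventID": "11", "Image": r"C:\Users\Public\Libraries\Metadata\fct.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\OpenMe-ToRestore.txt"},
    {"EventID": "1", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "fct_job" /tr C:\Users\Public\Libraries\Metadata\fct.exe /sc onlogon'},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "Hashes": "SHA256=abcd,MD5=00"},   # benign control
]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].get("EventID"), hits)
```

Feed real events in the same field names (Sysmon event XML flattened to a dict works directly). A single high-confidence hit is enough to move the host into the containment procedure above; medium hits should be corroborated, because task and service names can be re-used by other tooling.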


Stay Safe

Patch early, back-up often, and share IoCs with your local CSIRT. The community beats ransomware together.