fcp

[Content by Gemini 2.5]

Ransomware Resource: “.fcp” (alias “File Creep”)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Extension confirmed: “.fcp” (lower-case, appended with no space).
  • Renaming convention:
    photo.jpg → photo.jpg.fcp (original name kept, extension appended)
    One variant has been reported in which folders also receive a “LOCKED-” prefix (e.g., C:\Users\Finance becomes C:\Users\LOCKED-Finance), but this behaviour is inconsistent.

2. Detection & Outbreak Timeline

  • First public submission: 2023-11-18 (ID-Ransomware & MalwareHunterTeam).
  • Active cluster spotted in Western-Europe & North-America Q1-2024.
  • Spike again in late-May 2024 following a phishing campaign masquerading as “QuickBooks update”.

3. Primary Attack Vectors

  • Spear-phishing e-mails carrying ISO/IMG or password-protected ZIP.
    – Lures: invoices, IRS forms, purchase-orders (English & Spanish).
    – The attachment runs a .NET loader that launches a renamed Rclone.exe to pull “fcp-payload.exe”.
  • RDP brute-force / credential stuffing (TCP-3389 exposed to Internet).
    – After breach, attacker drops “fcp.exe” into C:\PerfLogs\ and runs with –netspread flag.
  • EternalBlue (MS17-010) & BlueKeep (CVE-2019-0708) still used on neglected networks.
  • Drive-by downloads via fake browser-update pages (Fake-It, SocGholish framework) that ultimately drop the same .NET loader as above.

Remediation & Recovery Strategies

1. Prevention

  • Disable RDP from the Internet, or reach it only through a VPN with MFA.
  • Patch Windows endpoints: MS17-010, CVE-2019-0708, and CVE-2023-36884, which the dropper exploits during the infection chain.
  • Remove default-open risks for attachment containers and scripts: .iso and .img should not mount on double-click from Explorer, and .js/.wsf should not run through Windows Script Host.
  • Configure Microsoft Defender to block credential-theft tools by enabling the Attack Surface Reduction rule “Block credential stealing from the Windows local security authority subsystem (lsass.exe)”.
  • Mail-gateway filters: quarantine external mail carrying macro-enabled documents, disk images or password-protected archives.
  • Deploy rigorous application whitelisting (AppLocker / WDAC); the primary sample is not signed with a trusted certificate.
  • Use unique, local-only admin accounts on workstations instead of domain admins; restrict lateral movement with tiered privileges and a CIS Benchmark baseline.
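The prevention bullets above as one elevated PowerShell script. This is an added example, not code from the page or from any vendor: the VPN subnet 10.8.0.0/16 is a hypothetical placeholder, the ASR rule GUID is Microsoft's published ID for the LSASS rule named above, the ProgrammaticAccessOnly registry value is the standard Windows way to remove the Explorer “Mount” verb, and the extra script extensions (.jse, .vbs, .vbe, .wsh) go beyond the page's list of .js and .wsf.

```powershell
#Requires -RunAsAdministrator
# Added hardening script for the prevention list (not from the page).
# ASSUMPTION: $VpnSubnet is a hypothetical management/VPN range; set your own.
$VpnSubnet = '10.8.0.0/16'

# 1. RDP: reachable only from the VPN range, and require Network Level Authentication.
#    Publishing TCP 3389 to the Internet is the brute-force vector described above.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -RemoteAddress $VpnSubnet
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Defender ASR: "Block credential stealing from the Windows local security
#    authority subsystem (lsass.exe)". GUID is Microsoft's published rule ID.
$LsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. Stop double-click mounting of .iso/.img in Explorer (both map to Windows.IsoFile).
#    Removing the "Mount" verb leaves Mount-DiskImage available to an elevated shell.
$MountKey = 'HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount'
if (Test-Path $MountKey) {
    New-ItemProperty -Path $MountKey -Name 'ProgrammaticAccessOnly' -Value '' `
        -PropertyType String -Force | Out-Null
}

# 4. Send script files to Notepad instead of the Windows Script Host.
#    .js and .wsf are the page's list; the others are WSH-handled extensions added here.
foreach ($ext in '.js', '.jse', '.wsf', '.wsh', '.vbs', '.vbe') {
    $key = "HKLM:\SOFTWARE\Classes\$ext"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
}

# 5. Verify what was applied.
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Run it once on a test host first: step 4 changes machine-wide file associations, and a user-level UserChoice entry in HKCU can still override it, so check the result with `assoc .js` from an ordinary user session.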

2. Removal

1) Isolate the machine(s) – pull cable, disable Wi-Fi and Bluetooth.
2) Collect volatile evidence (RAM dump) only if forensics is required; otherwise proceed.
3) Boot into Safe-Mode (or attach disk to clean box).
4) Run current AV/EDR signature update (Windows Defender detections: Ransom:Win32/Fcp.A!bit, Ransom:Win64/Fcp.S), allow full remediation.
5) Delete the artefacts the locker creates:
   – C:\PerfLogs\fcp.exe
   – %PUBLIC%\Libraries\version.dll (side-load helper)
   – Run key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fcpSvc = "C:\PerfLogs\fcp.exe"
6) Inventory surviving Volume Shadow copies (vssadmin list shadows): the ransomware tries to delete them, but some are often missed. Do NOT run vssadmin delete shadows unless you have already confirmed that none of them holds a clean restore point.
7) Reboot and re-scan to confirm removal.
8) Patch + harden (see prevention) before restoring data.

3. File Decryption & Recovery

  • No flaw found yet: the malware uses Curve25519 + AES-256-GCM with per-victim keys, and the key material is exchanged with an attacker-controlled Tor hidden service. The private key is never written to disk.
  • Decryption therefore possible only with the gang’s private key (no free decryptor as of 2024-06-01).
  • Work-arounds that CAN work:
    – Restore clean, offline backups (verify integrity + scan first).
    – Look for “ghost” VSS copies the malware missed (vssadmin list shadows).
    – Inspect cloud-sync folders (OneDrive, Google-Drive) for version history.
    – Check the MFT for very large files the encryptor skipped because of its extension/size threshold (video files above 2 GB in the analysed sample).
  • Do not pay until the legal/compliance team signs off; the decryption tool delivered by the actor is slow (single-threaded) and may skip damaged or encrypted executables.
  • Data-recovery firms that advertise “guaranteed unlock” are simply paying the ransom on your behalf in >95 % of verified “.fcp” cases.
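A triage script that covers Removal steps 5 and 6 and the recovery work-arounds above in one pass, added here as an example (not the page's own tooling and not from any vendor). It only reports: it never deletes shadow copies. The paths, Run-key value, note name, LOCKED- prefix, staging folder and 2 GB threshold are exactly the indicators the page lists; nothing else is assumed.

```powershell
#Requires -RunAsAdministrator
# Added triage script for Removal steps 5-6 and the recovery work-arounds (not from the page).
# Reports only; shadow copies are listed, never deleted.
$Artefacts = @(
    'C:\PerfLogs\fcp.exe',
    (Join-Path $env:PUBLIC 'Libraries\version.dll'),
    'C:\Users\Public\fireart'          # data-staging folder named in section 4
)
$RunKey            = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue          = 'fcpSvc'
$LargeFileMinBytes = 2GB               # size above which the analysed sample skipped files

Write-Output '== Artefacts on disk =='
foreach ($p in $Artefacts) {
    $state = if (Test-Path -LiteralPath $p) { 'PRESENT' } else { 'absent' }
    '{0,-8} {1}' -f $state, $p
}

Write-Output '== Run-key persistence =='
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$RunValue]) {
    '{0,-8} {1}\{2} = {3}' -f 'PRESENT', $RunKey, $RunValue, $run.$RunValue
} else {
    '{0,-8} {1}\{2}' -f 'absent', $RunKey, $RunValue
}

# One pass over every fixed drive: encrypted files, LOCKED- folders, ransom notes,
# and large files that escaped encryption and may still be intact.
$roots     = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
             ForEach-Object { $_.DeviceID + '\' }
$encrypted = [System.Collections.Generic.List[object]]::new()
$locked    = [System.Collections.Generic.List[object]]::new()
$notes     = [System.Collections.Generic.List[object]]::new()
$large     = [System.Collections.Generic.List[object]]::new()
foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PSIsContainer) {
            if ($_.Name -like 'LOCKED-*') { $locked.Add($_) }
        } elseif ($_.Extension -eq '.fcp') {
            $encrypted.Add($_)
        } elseif ($_.Name -like 'README-FCP.*') {
            $notes.Add($_)
        } elseif ($_.Length -gt $LargeFileMinBytes) {
            $large.Add($_)
        }
    }
}

Write-Output '== Encryption footprint =='
'{0} files with .fcp extension, {1} LOCKED- folders, {2} ransom notes' -f `
    $encrypted.Count, $locked.Count, $notes.Count
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

Write-Output '== Shadow copies (report only; do NOT delete) =='
Get-CimInstance Win32_ShadowCopy |
    Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize

Write-Output '== Large files the encryptor skipped (>2 GB, still unencrypted) =='
$large | Select-Object FullName, @{ n = 'GB'; e = { [math]::Round($_.Length / 1GB, 2) } } |
    Format-Table -AutoSize
```

Run it from the clean system after step 4, or with the infected disk attached to a clean box (adjust the drive letters in that case). Anything listed under "Large files" should be copied off before any further cleanup, and the shadow-copy list is the input to the "ghost VSS" restore attempt rather than something to clear.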

4. Other Critical Information

  • Persistence is trivial (Run-key) but the locker itself exits post-encryption; watch for partner Trojans (Amadey, Smoke-Loader) that remain for data-exfil prior to encryption (“double-extortion”).
  • Leaves ransom-note “README-FCP.txt” & “README-FCP.hta” in every encrypted directory:
    – Victim-ID is 40-char hex after the line “YOUR KEY IS:”.
    – Payment page: hxxp://fcpblog6xdc6mvm5[.]onion/{VICTIM-ID} (live until payments cease).
  • Observed data-staging folder C:\Users\Public\fireart\ in nearly every incident; check proxy logs for exfiltration traffic to AWS S3 buckets (user-agent string “aws-cli/2.13.0”).
  • No wiper functionality – encrypted data is recoverable if you have corresponding keys.
  • Multiple languages in ransom-note (EN, ES, FR) suggesting widening targets.
  • Attribution: overlaps with “Professor” cluster (Russian-speaking forum ads, Kotlin-built panels) but no definitive verdict yet.
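Two checks from section 4 in working form, added here as an example and not taken from the page: pulling the Victim-ID and the .onion contact address out of README-FCP.txt, and running the aws-cli/2.13.0 indicator over proxy-log lines. The note text and the three log lines are constructed samples, the log layout (time, source IP, method, URL, status, quoted user agent) is a hypothetical one, and the 40-hex ID and bucket name are made up; the .onion host is the one the page gives, defanged.

```powershell
# Added example (not from the page): ransom-note parsing and the S3 exfil indicator.

function Get-FcpNoteInfo {
    param([Parameter(Mandatory)][string]$NoteText)
    # Victim-ID: the 40-char hex token that follows "YOUR KEY IS:" (same line or next line).
    $id = [regex]::Match($NoteText, '(?s)YOUR KEY IS:\s*([0-9a-fA-F]{40})\b')
    $victimId = if ($id.Success) { $id.Groups[1].Value.ToLower() } else { $null }
    # Contact hosts: accept both defanged ("[.]onion") and plain forms.
    $urls = [regex]::Matches(($NoteText -replace '\[\.\]', '.'), '\b[a-z2-7]{16,56}\.onion\b') |
            ForEach-Object { $_.Value } | Sort-Object -Unique
    [pscustomobject]@{ VictimId = $victimId; Onion = @($urls) }
}

function Get-FcpVictimIdsOnHost {
    param([string[]]$Roots = @('C:\'))
    # Real-host use: one ID across all notes is expected; several IDs means several runs or samples.
    Get-ChildItem -Path $Roots -Recurse -Force -Filter 'README-FCP.txt' -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-FcpNoteInfo -NoteText (Get-Content -LiteralPath $_.FullName -Raw)).VictimId } |
        Group-Object | Select-Object Count, @{ n = 'VictimId'; e = { $_.Name } }
}

function Find-S3ExfilLines {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # Flags the exact user agent the page reports against any S3 endpoint. Legitimate
    # aws-cli use in your own estate matches too, so compare the source IP with known users.
    foreach ($line in $LogLines) {
        if ($line -match 'aws-cli/2\.13\.0' -and $line -match '\bs3[\w.-]*\.amazonaws\.com\b') {
            [pscustomobject]@{ Source = ($line -split ' ')[1]; Line = $line }
        }
    }
}

# --- constructed samples (not real incident data) ------------------------------
$sampleNote = @'
!!! YOUR FILES HAVE BEEN ENCRYPTED !!!
YOUR KEY IS:
0123456789abcdef0123456789abcdef01234567
Open hxxp://fcpblog6xdc6mvm5[.]onion/0123456789abcdef0123456789abcdef01234567 in Tor Browser.
'@
$sampleLog = @(
    '2024-05-28T02:14:07Z 10.1.4.23 PUT https://drop-zone-1337.s3.eu-west-1.amazonaws.com/fin/Q1.7z 200 "aws-cli/2.13.0 Python/3.11.4 Windows/10 exe/AMD64"',
    '2024-05-28T02:14:09Z 10.1.4.23 GET https://www.microsoft.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-05-28T02:15:11Z 10.1.9.8 PUT https://s3.amazonaws.com/corp-backup/nightly.zip 200 "aws-cli/2.15.0 Python/3.11.6 Windows/10 exe/AMD64"'
)

Get-FcpNoteInfo -NoteText $sampleNote                            # VictimId 0123...4567, Onion fcpblog6xdc6mvm5.onion
Find-S3ExfilLines -LogLines $sampleLog | Format-Table -AutoSize  # only the first line is flagged
```

The third log line is deliberately not flagged: it uses a different aws-cli version. The page reports 2.13.0 specifically, but the actor can update the CLI at any time, so for hunting rather than matching the published indicator widen the pattern to `aws-cli/` and pivot on the destination bucket and source host instead.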

Bottom Line

.fcp is a straightforward but competent double-extortion family. Defence succeeds through the usual triumvirate of inbox hygiene, external-surface hardening (RDP, VPN), and rigorous offline backups verified and guarded against both deletion and encryption. Clean-up is painless if you isolate promptly, but decryption without the criminal’s private key is presently impossible—so restore from backups, rebuild if needed, and vigilantly patch/monitor afterwards.