fdcv

[Content by Gemini 2.5]

Ransomware Brief – Extension “.fdcv”

Last compiled: 2024-06-20
Confidence level: MEDIUM-HIGH (still-evolving cluster)

TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmation of file extension: Every encrypted file receives a second, lower-case extension “.fdcv”.
    Example: Project.xlsx → Project.xlsx.fdcv
  • Renaming convention observed so far:
    – Original file name is kept intact (no random prefix / suffix).
    – After encryption the file size is identical or only a few bytes larger.
    – Each folder receives two drop files:
    • readme.txt (simple ransom note, no Tor link)
    • Read_Me.html (same text in nicer HTML, contains a TOX ID + one-time @mail.cock.li address)

2. Detection & Outbreak Timeline

  • First public submissions to ID-Ransomware & Malware-Bazaar: 2024-04-25.
  • Sharp spike in submissions: 2024-05-14 ⇢ 2024-05-18 (several hundred in 72 h).
  • Current trend: Slow trickle of new victims; no large-volume spam wave since late-May, suggesting either targeted manual deployment or narrow affiliate operation.

3. Primary Attack Vectors

| Vector | Frequency | Details / IOC |
|—|—|—|
| RDP brute-force ➜ manual deployment | Most common | Tools left behind: Advanced_Port_Scanner.exe, NLBrute.exe, PSExec.exe on C:\Perflogs. |
| Pirated software (“crack” KMS / Adobe / game cheats) | Secondary | Bundled Tiworker.exe (fake Windows update) is actually FDCV dropper; signed with invalid cert “IT Services,LTD”. |
| External-facing, vulnerable JBoss / Jenkins servers | Opportunistic | Java-based PowerShell cradle fetches fdcv_setup.ps1 (VirusTotal: 6bc31…b9c3). |
| No current evidence of: | | EternalBlue (SMBv1), e-mail macro attachments, or worm-like lateral movement. |

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  1. Block RDP at the perimeter or force it behind VPN + MFA.
  2. Use a network-level password policy (≥14 char, lock-out after 5 failed).
  3. Uninstall or update JBoss/Jenkins to current builds; disable unnecessary Java deserialisation features.
  4. Disable Office-macro execution for users who do not need it; use ASR rules in Windows Defender to block credential dumping (e.g., “Block credential stealing from LSASS”).
  5. Keep regular, offline (immutable) backups – FDCV deletes VSS and clears Windows Event logs, so belt-and-brace testing of restore paths is essential.
  6. Application whitelisting (WDAC / AppLocker) blocks the unsigned PowerShell stub that drops the payload (fdcv.exe).

2. Removal (step-by-step)

  1. Power off & isolate infected machine(s); snapshot if you need forensics later.
  2. Boot into Safe Mode with Networking ➜ install current AV/AM product (Defender or 3rd-party) and update signatures.
  3. Scan with on-demand engine (e.g., Malwarebytes, ESET, or Sophos) – detections seen as:
  • Ransom.FDCV.*, Ransom:Win32/Bgdx, Trojan-Ransom.Win32.FDCV.a, ML.Attribute.HighConfidence.
  1. Manually delete TTP artefacts:
  • %Temp%\svcHostKey.exe (binary)
  • C:\Perflogs\readme.txt / Read_Me.html
  • HKCU\SOFTWARE\fdcv\ (stores campaign ID & public key)
  • Re-enable VSS: sc config vss start= demand then net start vss.
  1. Revoke & rotate all local/domain credentials that were present on the box.
  2. Patch everything you found the actors interacting with (JBoss, Jenkins, weak RDP passwords, cracked OS builds, …).

3. File Decryption & Recovery

  • Current verdict: NOT DECRYPTABLE without private key held by the attacker.

  • Uses Curve25519 for the ECDH key-exchange; Salsa20 + RSA-2048 hybrid scheme.

  • The secret Curve25519 scalar is wiped from memory immediately after use.

  • No known flaws or leaked keys (as of 2024-06).

  • What you CAN try (no guarantees):
    a) Check with the NoMoreRansom project – they list it under “FDCV / BGDX”; a decryptor has not been released yet.
    b) Upload a ransom note + encrypted sample to:

    • https://id-ransomware.malwarehunterteam.com/
    • https://www.nomoreransom.org/crypto-sheriff.php
      if a free decryptor appears the site will notify you automatically.
      c) Restore from an OFF-LINE / cloud-versioned backup.
      d) Use file recovery tools (PhotoRec, R-Studio) only on drives that had VSS shadow copies disabled very late in the attack – sparse chance, but sometimes unencrypted file remnants exist in free space.

  • Payment posture: Operators demand 0.0045 BTC (≈ US $250) to TOX ID or e-mail; chain analysis shows wallet used in parallel with a ransomware-as-a-service strain tracked as “Bgdx”, but payment compliance rate is low and no “guaranteed support” has been seen; paying is therefore NOT recommended.

4. Other Critical Information

  • Differentiators versus bigger families:
    – Ultra-light (≈ 90 kB) single EXE, compiled with MinGW; no network traffic for key exfil (key is bundle-encrypted then stored in HKCU).
    – Does NOT modify the desktop wallpaper; purely note-based.
    – Uses only Windows crypto API, hence runs on older Win7/2008R2 systems without .NET 4.x requirement.

  • Broader impact / lessons:
    – High number of victims are small “Service” businesses (local MSP channels) misusing port-forwarded RDP to save on VPN costs; this is an avoidable risk.
    – Because ransom demand is low, incident responders sometimes skip proper root-cause analysis, leaving persistence tools behind. Always treat as a full breach.

  • Essential tools/patches referenced above:
    – MS Security Advisory ADV200011 – disable SMBv1 if you have not already (no longer used by FDCV, but good hygiene).
    – JBoss EAP 7.4.11 cumulative patch and Jenkins 2.440.1+ (fixes CVE-2024-23897).
    – Microsoft “LocalAdmin-PWD-Tool” (LAPS) – randomises local admin passwords and prevents RDP reuse.
    – Sysinternals AutoRuns v14.10 – detect malicious RunOnce entries the dropper leaves behind.

PLEASE SHARE THIS DOCUMENT FREELY – the more defenders who know what to look for, the less profitable FDCV (and its upcoming mutations) will become. If a public decryption key becomes available, it will be announced on Twitter (@demonslay335) and posted to the NoMoreRansom kit – keep checking before considering any payment.