fdcz

[Content by Gemini 2.5]

Ransomware Brief – “FDCZ” Extension

(Last revised: 11 June 2025)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: .fdcz
  • Renaming convention:
    – Original name is preserved; the string “.fdcz” is simply appended (e.g., 2025-Invoices.xlsx → 2025-Invoices.xlsx.fdcz).
    – No e-mail address, random ID, or additional token is inserted; behaviour is identical to the STOP/Djvu branch it belongs to.
  • Folders receive a plain-text ransom note: _readme.txt (same name in every directory).
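Because the renaming rule is so regular (original name kept, “.fdcz” appended, one _readme.txt per folder), a responder can inventory the damage before touching anything. The following scanner is an added example written for this brief, not code from the page or from any vendor tool; it walks a tree, recovers the pre-encryption filename from each .fdcz file, tallies which original extensions were hit, and lists every directory holding the note. The sample tree it builds is constructed (empty files only) so it runs offline.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

RANSOM_EXT = ".fdcz"       # extension named in the brief
NOTE_NAME = "_readme.txt"  # ransom-note filename named in the brief


def original_name(encrypted_name: str) -> Optional[str]:
    """Return the pre-encryption filename if the name follows the FDCZ
    pattern (original name preserved, '.fdcz' appended); otherwise None."""
    if not encrypted_name.endswith(RANSOM_EXT):
        return None
    stem = encrypted_name[: -len(RANSOM_EXT)]
    return stem or None  # a bare ".fdcz" carries no original name


def scan_tree(root: str) -> Dict[str, object]:
    """Walk a directory tree and summarise FDCZ indicators: encrypted files
    with their recovered original names, a count per original extension,
    and the directories that contain the ransom note."""
    result = {"encrypted": [], "note_dirs": [], "ext_counts": {}}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == NOTE_NAME:
                result["note_dirs"].append(dirpath)
                continue
            orig = original_name(name)
            if orig is not None:
                result["encrypted"].append((os.path.join(dirpath, name), orig))
                ext = Path(orig).suffix.lower() or "(none)"
                result["ext_counts"][ext] = result["ext_counts"].get(ext, 0) + 1
    return result


def build_sample_tree() -> str:
    """Create a constructed sample tree (placeholder files, no real malware)
    so the scanner can be exercised offline."""
    root = tempfile.mkdtemp(prefix="fdcz_sample_")
    layout = {
        "Finance/2025-Invoices.xlsx.fdcz": b"",
        "Finance/_readme.txt": b"constructed note text",
        "Finance/notes.txt": b"untouched",
        "Photos/holiday.jpg.fdcz": b"",
        "Photos/_readme.txt": b"constructed note text",
        "Clean/report.docx": b"untouched",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print(f"{len(r['encrypted'])} encrypted files; note present in {len(r['note_dirs'])} directories")
    for path, orig in r["encrypted"]:
        print(f"  {path}  ->  original name: {orig}")
    print("original extensions hit:", r["ext_counts"])
```

Run it against a mounted image of the victim disk (read-only) rather than the live system; the per-extension tally tells you quickly whether the run reached user documents only or also archives and database files, which shapes the restore plan.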

2. Detection & Outbreak Timeline

  • First submissions to public malware feeds: 27 Feb 2025 (VT hash b0d9…c3a4).
  • Peak activity: March-April 2025; still circulating via cracked-software bundles and “work-from-home” phishing lures.
  • Active distribution as of: first week of June 2025.

3. Primary Attack Vectors

  • Malvertising → fake installers:
    – Ads for Adobe Acrobat, MS Office “activators,” and Fortnite “free skins” redirect to .iso or .zip downloaders that mount and execute the loader.
  • Cracked software / key-gen hubs:
    – Versions of Ableton Live, Vegas Pro, AutoCAD and KMS “auto-activators” bundle the ransomware DLL.
  • A SmokeLoader or Pony downloader stage precedes it; the final stage:
    – Uses Djvu’s classic msbuild.exe side-loading or rundll32 launch.
  • No SMB/EternalBlue activity seen to date; intranet spread is manual once an attacker purchases access from another bot.
  • Credential-stuffing RDP is rare, but the follow-up human operator drops FDCZ after manual triage (observed twice in May 2025).

Remediation & Recovery Strategies

1. Prevention

  1. Block ISO, ZIP, and IMG attachments at the mail-gateway; quarantine “double-extension” files (*.pdf.exe).
  2. Apply AppLocker / Windows Defender Application Control rules that forbid execution of unsigned binaries in %TEMP%, %PUBLIC%, or \Downloads\.
  3. Patch browsers and disable Office macros company-wide; Djvu droppers routinely use ms-msdt and CVE-2021-40444-style templates.
  4. Remove local-admin rights from everyday users; FDCZ cannot disable Windows shadow copies without an elevated token.
  5. Maintain at least two backups: one offline (disk removed/air-gapped) and one immutable (object-lock on S3/Azure Blob). Backup frequency ≤ 24 h.
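Step 1 of the prevention list (block ISO/ZIP/IMG, quarantine double-extension names) is the one most gateways let you express as a filename policy. The function below is an added example written for this brief, not the page's own or any product's code; the extension sets are my assumptions about a sensible baseline, not values taken from the page. It returns a verdict and a reason so the decision can be logged.

```python
from dataclasses import dataclass
from typing import List

# Container formats the brief says to block outright at the mail gateway.
BLOCKED_CONTAINERS = {".iso", ".zip", ".img"}
# Executable types that should never hide behind a document extension
# (assumed baseline set, not taken from the page).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi", ".dll"}
# "Decoy" document extensions typically seen in double-extension lures (assumed).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


@dataclass
class Verdict:
    action: str   # "allow", "quarantine" or "block"
    reason: str


def _extensions(name: str) -> List[str]:
    """Return every trailing extension of the basename, lower-cased and
    whitespace-trimmed, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in base.split(".")]
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename: str) -> Verdict:
    exts = _extensions(filename)
    if not exts:
        return Verdict("allow", "no extension")
    last = exts[-1]
    if last in BLOCKED_CONTAINERS:
        return Verdict("block", f"container type {last} is blocked at the gateway")
    # Double extension: a document-looking extension immediately followed by an executable one.
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
        return Verdict("quarantine", f"double extension {exts[-2]}{last}")
    if last in EXEC_EXTS:
        return Verdict("quarantine", f"bare executable {last}")
    return Verdict("allow", f"{last} permitted")


if __name__ == "__main__":
    for name in ["Invoice_2025.pdf.exe", "Setup.ISO", "report.docx", "archive.tar.gz", "tool.exe"]:
        v = classify_attachment(name)
        print(f"{name:24} {v.action:10} {v.reason}")
```

The `.strip()` on each part catches the “invoice.pdf      .exe” padding trick; the basename split means a path-like display name cannot smuggle a different extension past the check.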

2. Removal (Step-by-step)

  1. Physically disconnect the machine from LAN/Wi-Fi.
  2. Boot into Safe Mode with Networking.
  3. Run a reputable removal tool (e.g., Malwarebytes 5.x, ESET’s Djvu-cleaner, or Microsoft MSRT). Manually delete:
     • C:\Users\<user>\AppData\Local\Temp\appyras.exe
     • C:\Users\<user>\AppData\Local\fldztc\ (entire folder)
  4. Delete the persistence Run key:
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run → value “SysHelper” = "%LocalAppData%\fldztc\systemhelper.exe"
  5. Empty the “C:\System Volume Information” staging area by running vssadmin delete shadows /all after you are sure the trojan is gone.
  6. Reboot normally, install OS updates, re-enable antivirus real-time protection, then reconnect to the network.

3. File Decryption & Recovery

  • Offline ID?
    If the malware failed to reach its command-and-control (common on isolated lab boxes) it uses a hard-coded “offline key” for the entire campaign.
    → Check _readme.txt: the victim ID inside the file ends with “t1”.
    → Use Emsisoft’s free STOPDecrypter v1.0.0.7 (download only from emsisoft.com/decrypt). Feed it one encrypted/original file pair; if the key is in its database, >95 % of the data can be bulk-decrypted.
  • Online ID?
    If the ID does NOT end in “t1” (or no original file is available) the AES-256 key is unique per victim and stored only on the criminals’ server. Brute-forcing is cryptographically impossible with today’s hardware.
    Action: restore from backup, or engage a reputable data-recovery firm that specialises in Djvu variants (some cloud caches retain temporary Windows files, allowing partial recovery of Office documents).
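The offline-versus-online decision above hinges on one string: whether the victim ID in _readme.txt ends in “t1”. The triage helper below is an added example written for this brief, not the page's or Emsisoft's code. The two note texts are constructed for the test and only mimic the “Your personal ID:” layout; the exact wording of a real note is not taken from the page and is an assumption.

```python
import re
from typing import Optional, Tuple

OFFLINE_SUFFIX = "t1"  # suffix the brief gives for campaign-wide offline IDs

# Constructed note texts (illustrative layout, not verbatim copies of a real note).
SAMPLE_NOTE_OFFLINE = """ATTENTION!
All your files have been encrypted.
Your personal ID:
0A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8S9t0Ut1
"""
SAMPLE_NOTE_ONLINE = """ATTENTION!
All your files have been encrypted.
Your personal ID:
9Z8y7X6w5V4u3T2s1R0q9P8o7N6m5L4k3J2i1H0gAbCd
"""

# Matches "personal ID:" followed (same line or next line) by an alphanumeric token.
ID_RE = re.compile(r"personal\s+ID\s*:\s*([A-Za-z0-9]+)", re.IGNORECASE)


def extract_victim_id(note_text: str) -> Optional[str]:
    """Pull the victim ID out of the ransom-note text, or None if absent."""
    m = ID_RE.search(note_text)
    return m.group(1) if m else None


def classify_id(victim_id: str) -> str:
    """'offline' if the ID carries the campaign-wide offline suffix, else 'online'."""
    return "offline" if victim_id.endswith(OFFLINE_SUFFIX) else "online"


def triage_note(note_text: str) -> Tuple[Optional[str], str]:
    """Return (victim_id, recommended next step) for a note's text."""
    vid = extract_victim_id(note_text)
    if vid is None:
        return None, "no ID found: treat as online; restore from backup"
    if classify_id(vid) == "offline":
        return vid, "offline ID: try the free decryptor with an encrypted/original file pair"
    return vid, "online ID: per-victim key held by the operators; restore from backup"


if __name__ == "__main__":
    for note in (SAMPLE_NOTE_OFFLINE, SAMPLE_NOTE_ONLINE):
        vid, rec = triage_note(note)
        print(f"{vid}: {rec}")
```

Read the note from the encrypted volume itself rather than from a copy someone pasted into a ticket; line endings and trailing whitespace are exactly the sort of thing that gets mangled in transit, and the regex here tolerates them only around the ID token.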

4. Essential Tools / Patches

  • Decryptor: Emsisoft STOPDecrypter – signature update 06.05.2025 includes FDCZ offline key.
  • Removals: ESET DjvuCleaner module 28212, Microsoft Defender 1.403.62.0+ definitions.
  • Patch bundle that blocks most Djvu installers:
    – KB5032979 (CVE-2023-36884, Office fix)
    – KB5034763 (Windows security-roll-up)
    – Chrome/Edge >= 125.x to neuter malvertising redirects.

5. Other Critical Information

  • Djvu “twist”: FDCZ enumerates connected cloud drives (OneDrive, Google Drive, Dropbox). It calls their native sync APIs to encrypt cloud copies in real time; therefore local “disconnect” alone may not protect data that is mirrored.
  • Network activity: beacons to 46.161.XX.207:443 (rotating) via an encrypted GET /fdcz/keypad?id=<base58_string>. Blocking the /24 has reduced re-infection in several SOHO environments.
  • Ransom demand: $980 (50 % discount to $490 if contact within 72 h). Cryptocurrency of choice is Bitcoin; e-mail addresses change weekly (latest: [email protected], [email protected]).
  • No verifiable evidence that paying produces a working decryptor—multiple incident-response firms report “selective decryption” or complete ghosting after payment.
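The beacon shape given above (GET to /fdcz/keypad with a base58 id) is enough for a proxy-log detection. The script below is an added example written for this brief, not code from the page; it assumes TLS-inspecting proxy logs in a common-log style so the URL is visible, and the sample lines are constructed with RFC 5737 documentation addresses rather than the real ranges. A request on the beacon path whose id is not valid base58 is still reported, at lower confidence, because the path alone is unusual enough to look at.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Bitcoin-style base58 alphabet: no 0, O, I or l.
BASE58_ALPHABET = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")
BEACON_PATH = "/fdcz/keypad"  # request path given in the brief

# Constructed proxy log lines (common-log style); addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jun/2025:10:01:02 +0000] "GET https://203.0.113.207/fdcz/keypad?id=3QJmV7KxH2sR9aBc HTTP/1.1" 200 512
192.0.2.11 - - [05/Jun/2025:10:01:05 +0000] "GET https://example.test/index.html HTTP/1.1" 200 1024
192.0.2.12 - - [05/Jun/2025:10:02:40 +0000] "GET https://203.0.113.207/fdcz/keypad?id=0OIl HTTP/1.1" 404 0
192.0.2.10 - - [05/Jun/2025:10:07:02 +0000] "GET https://203.0.113.207/fdcz/keypad?id=8vPq2nXwZ HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_base58(s: str) -> bool:
    return bool(s) and all(c in BASE58_ALPHABET for c in s)


def classify_request(url: str) -> Optional[str]:
    """'beacon' for the exact path with a well-formed base58 id, 'suspect' for
    the path with a malformed/missing id, None for anything else."""
    parts = urlsplit(url)
    if parts.path != BEACON_PATH:
        return None
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) == 1 and is_base58(ids[0]):
        return "beacon"
    return "suspect"


def find_beacons(log_text: str) -> List[Dict[str, str]]:
    """Parse log lines and return one record per matching GET request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        verdict = classify_request(m.group("url"))
        if verdict is None:
            continue
        hits.append({
            "verdict": verdict,
            "src": m.group("src"),
            "dst": urlsplit(m.group("url")).hostname or "",
            "ts": m.group("ts"),
            "url": m.group("url"),
        })
    return hits


def beacon_sources(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count confirmed beacons per internal source, to rank hosts for isolation."""
    counts: Dict[str, int] = {}
    for h in hits:
        if h["verdict"] == "beacon":
            counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG)
    for h in hits:
        print(f"{h['verdict']:8} {h['ts']}  {h['src']} -> {h['dst']}  {h['url']}")
    print("beacons per source:", beacon_sources(hits))
```

A host that shows up more than once in `beacon_sources` is the first to isolate; the repeated interval between its requests is also worth noting in the incident record, since it distinguishes a live implant from a one-off download.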

Summary: FDCZ is simply the June-2025 campaign designation of STOP/Djvu. Remove the malware with standard tools, determine whether your ID is “offline,” and attempt free decryption; otherwise rely on backups and consider professional assistance rather than rewarding the threat actors.