flytech

[Content by Gemini 2.5]

Fly-tech Ransomware – Community Resource v1.0

Last reviewed: June 2024

TECHNICAL BREAKDOWN

1. File-extension & Renaming Patterns

  • Confirmed extension: .flytech (small-case, no space)
  • Renaming convention:
    Original: Project_Q2.xlsx
    → Encrypted: Project_Q2.xlsx.flytech
    No e-mail or ID-string is injected into the filename – the malware simply appends the solitary 8-byte extension, leaving directory names untouched.

2. Detection & Outbreak Timeline

  • First public submission: 2024-01-15 (ID-Ransomware & MalwareHunterTeam)
  • Peak distribution: February 2024 (dozens of English-language help-forum posts and at least four confirmed enterprise intrusions in North-America & EU)
  • Still sporadically active as of Q2 2024 – no large-scale deceleration seen yet.

3. Primary Attack Vectors

  1. Phishing with ISO / IMG lures – e-mail titled “Invoice requires signature” contains a 1–2 MB ISO; mount → .BAT or .JS downloader → Cobalt-Strike BEACON → Fly-tech.
  2. RDP brute-forcing – typically tcp/3389 exposed to Internet, successful log-ins trigger manual deployment.
  3. Valid GoAnywhere MFT / ScreenConnect accounts (CVE-2023-0669 & CVE-2024-1709) used as initial foothold in two investigated incidents – post-exploit scripts download the Fly-tech encryptor as svchost.exe to C:\Users\Public\.
  4. No evidence of worm-like SMB/EternalBlue propagation at this time; lateral movement occurs through credential harvesting and PSExec.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

Operational quick-wins

  • Remove or firewall tcp/3389; enforce RD-Gateway + multi-factor (Azure AD, Duo, etc.).
  • Segment back-ups – offline, immutable (object-lock) or air-gapped; test monthly restore.
  • Disable Office-macro and ISO/IMG auto-mount via GPO (SRP / ASR rules).
  • Apply Feb-2024 patch for ScreenConnect; upgrade GoAnywhere or disable if unused.
  • EDR / AV with behaviour-based detection (“T1486 – Data Encrypted for Impact”).
  • E-mail controls: quarantine archive/ISO files; sandbox detonation before user receipt.

2. Removal (step-by-step)

A. Network isolation – pull cable, disable Wi-Fi, shut down unused VLAN-routes.
B. Snapshot infected machines (forensic image) before rebuild.
C. Boot KasperskyRescue / WinPE → clean rogue persistence enumerated below:

  • Registry Run-key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ftsvc = svchost.exe –w
    (C:\Users\Public\svchost.exe)
  • Service: FLYTECH_SERVICE pointing to same binary; display name “FlyTech Updater”.
  • Scheduled task: \Microsoft\Windows\FLYTECH\DAILY (Rundll32 flytech.dll,Entry).
    D. Delete the above artefacts; remove all dropped executables (flytech.exe, svchost.exe, and multi-number DLL loaders).
    E. Reset all local & cached credentials before returning to network (mitigations for credential reuse).

3. File Decryption & Recovery

  • No flaw yet discovered – Fly-tech uses Curve25519 + ChaCha20 for file keys; private key kept only on attacker infra.
  • No free decryptor supplied by law-enforcement or vendors (confirmed by: Europol-NoMoreRansom portal, Kaspersky, Avast Q2-2024 feed).
  • Recovery paths:
  1. Restore from back-ups (3-2-1 rule).
  2. Windows Volume-Shadow copies are erased (vssadmin delete shadows /all executed) but resident backup tools (Veeam, Acronis, Commvault) that store data off-host often survive – check their repositories first.
  3. File-recovery / carving utilities (PhotoRec, R-Studio) yield scattered uncorrupted files only if disk was not fully encrypted.
  4. Paying ransom is discouraged – negotiations currently hover at 0.7–1.2 BTC ≈ $28–50 k; there is no guarantee of working decryptor, and the wallet cluster is already flagged on most exchanges.

4. Other Critical Information / IOCs

Top hashes observed (SHA-256)

  • f02491fe8e5f3c7a0b8a…0c40a (main x64 PE)
  • 9a13d4…e8164 (download DLL)
    C2 traffic (Stage1)
  • https://update-fttech[.]com/api/v2/session (user-agent “ Mozilla/5.0 FlyTech/1.12”)
    Dropped ransom note: HOW_TO_DECRYPT.hta in every folder & startup; e-mail contact [email protected]
    Extensions purposely excluded from encryption: .exe .dll .sys .flytech – system remains bootable to allow ransom note display.

This family does not rename mounted VHD/VHDX paths, offering an opportunity for transparent VM-based backup appliances to stay intact if virtual disks remained detached during incident or stored off-host.

Help the community: if new decryptor surfaces, please open a pull-request on the “No-More-Ransom” Git or e-mail samples (password “infected”) to [email protected] so hash sets stay current. Stay safe.