certego / ransomware_decryptors

GNU Affero General Public License v3.0

Password #2

Open leardinet opened 4 years ago

leardinet commented 4 years ago

I didn't understand how to recover the password.

What procedure should I do?

(Original in Italian:) I didn't understand how to recover the password.

What procedure should I follow?

Gabriele-Pippi commented 4 years ago

Hi leardinet,

the tool was designed to be used together with an IDS, IPS or NSM. In the real cases where we used it, the password was intercepted through Suricata with dedicated signatures. Obviously, in retrospect it is not possible to recover the password.

Anyway the new versions of FTCODE no longer send the password in plain text.

Sorry,

GP.

leardinet commented 4 years ago

Thanks, so at the moment there is no solution to decrypt the files?

Gabriele-Pippi commented 4 years ago

It is not possible to crack a 1024 bit RSA key within a reasonable time:

https://www.sjoerdlangkemper.nl/2019/06/19/attacking-rsa/

However, with PowerShell 3.0+ and advanced options, it is possible to recover the plain-text key from the Windows event logs; to do this it is necessary to act preventively. Obviously, in this case too, everything has to be set up before the ransomware is executed.

pasqmall commented 4 years ago

So, I understand that the password can be intercepted ONLY in a preventive way? Is that correct? Once the PC is infected, is it not possible to intercept the correct password? Did I get it right?

Gabriele-Pippi commented 4 years ago

Hi pasqmall, yes, you got it right!

With default configurations and software it is not possible to recover the values. By installing Windows Management Framework 3 (present by default from Windows 8), disabling PowerShell 2 and enabling Module Logging for Windows.PowerShell.*, it is theoretically possible to recover the password and credentials accessed by the new FTCODE version.
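The preventive setup described in the comment above, as an added example that is not part of the original thread or of the certego/ransomware_decryptors project: it enables PowerShell Module Logging through the same registry keys that Group Policy writes, removes the PowerShell 2.0 engine (which does not honour module logging and can be selected with `powershell -Version 2`), and afterwards searches the Module Logging events (Event ID 4103 in Microsoft-Windows-PowerShell/Operational) for a keyword. The search pattern is an assumption: adapt it to whatever string the sample actually passes through the pipeline.

```powershell
# Added example (not from the certego/ransomware_decryptors project).
# Run from an elevated PowerShell 3.0+ session on Windows 8 / Server 2012 or later.
#Requires -RunAsAdministrator

# 1. Enable Module Logging for every module (equivalent to the GPO
#    "Turn on Module Logging" with "*" in the module name list).
$mlPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$mlPath\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $mlPath -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$mlPath\ModuleNames" -Name '*' -Value '*' -Type String

# 2. Remove the PowerShell 2.0 engine so a downgraded session cannot bypass the logging.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# 3. After an incident: pull Module Logging events (ID 4103) from the operational log
#    and keep only those whose recorded pipeline data match a pattern.
#    The default pattern is a placeholder assumption, not an FTCODE indicator.
function Search-ModuleLog {
    param(
        [string]$Pattern = 'password',
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4103
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern } |
    Select-Object TimeCreated,
        @{ Name = 'Detail'; Expression = { $_.Message -replace '\s+', ' ' } }
}

# Example search: anything in the last week mentioning "password" or "key".
Search-ModuleLog -Pattern 'password|key' | Format-List
```

Module Logging records command invocations and parameter bindings, so the value only appears if the script passes it through a cmdlet parameter or the pipeline. On PowerShell 5.0+ enabling Script Block Logging as well (Event ID 4104, key `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging`, value `EnableScriptBlockLogging=1`) also captures the de-obfuscated script text, which is usually the more useful artefact; the hosts discussed in this thread are on WMF 3, so the example sticks to Module Logging.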

pasqmall commented 4 years ago

Meanwhile, thanks a lot for the answer. Returning to the problem: I understand that for PCs already infected there is no recovery solution, and that configuring an IPS system helps if you come into contact with FTCODE in the versions where the password is sent in 'clear'. I confirm that for currently encrypted files there is no hope? Thanks so much, Pasquale