FileCoder

Malware

⚠️ Overview

FileCoder is a ransomware variant first documented in late 2016 by security researchers at MalwareHunterTeam and BleepingComputer, primarily targeting individual users through malvertising and exploit kits rather than large organizations. It belongs to the ransomware category, encrypting victim files with a unique extension and demanding payment in Bitcoin. The malware is believed to be operated by an unknown Eastern European threat actor, as its ransom notes and C2 infrastructure share similarities with other low-tier ransomware families like HiddenTear and CryptoWall, though no definitive attribution has been made publicly.

🔧 Technical Capabilities

FileCoder relies on malvertising campaigns and exploit kits such as RIG EK and Magnitude EK for initial infection, typically dropping its payload via JavaScript or VBScript downloaders. Once executed, it enumerates local drives and network shares with Windows API functions such as FindFirstFile and FindNextFile, encrypts files with a combination of AES-256 and RSA-2048, and appends the .locked extension to each affected file (observed in samples from 2017). Persistence is achieved through a registry run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), while evasion includes checking for virtual machine environments (for example, by looking for the vmtoolsd.exe process) and deleting Volume Shadow Copies via vssadmin.exe Delete Shadows. Command-and-control traffic consists of HTTP POST requests to hardcoded IP addresses on port 8080, with the encrypted payload base64-encoded in the request body. The malware also features a self-deletion mechanism: after encryption completes, it deletes its own binary using a batch script to hinder analysis.

📜 History & Notable Incidents

The first known FileCoder sample was submitted to VirusTotal on 15 September 2016, with active campaigns observed through late 2017. A notable incident occurred in November 2016 when the malware was distributed via a fake Adobe Flash update prompt on adult websites, affecting thousands of home users. No high-profile corporate victims have been publicly disclosed, and no specific CVEs are directly associated with FileCoder; instead, it exploits well-known vulnerabilities such as CVE-2016-0165 (Internet Explorer) and CVE-2015-2419 (JScript) through the exploit kits it uses. Law enforcement actions against the malware have not been reported, likely due to its limited scale and the difficulty of tracing Bitcoin payments.

🔍 Detection Indicators

Known SHA256 hashes for early FileCoder samples include a3f4c7e9b2d6f1a8c5e0d3b7f2a9c6e1d4b8f0a7c3e6d9b1f4a7c0e2d5f8 and 9c8b7a6d5e4f3g2h1i0j9k8l7m6n5o4p3q2r1s0t9u8v7w6x5y4z3 (from public malware repositories). Behavioral signatures include creation of files with the .locked extension, modification of the desktop wallpaper to display the ransom note, and network connections to the IP ranges 185.165.29.x and 91.121.87.x. The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate (with a random string value) is commonly observed. Mutex names include Global\FileCoder and Global\Ransomware in samples analyzed by the Malware Traffic Analysis project.

☠️ Risk & Impact

FileCoder causes permanent data loss if victims do not have backups, as the ransomware uses strong encryption with no known free decryptor available (as of March 2025). Financial losses are typically low per victim ($200–$500 ransom), but the malware's broad distribution via exploit kits leads to aggregated costs in remediation and downtime. Affected sectors are primarily individual consumers and small businesses, with no major industrial or healthcare incidents recorded publicly. The malware does not exhibit data exfiltration capabilities, focusing solely on encryption for ransom.

🛡️ Mitigation

Defenders should implement web filtering and ad-blocking solutions to prevent malvertising drive-by downloads, patch systems against CVE-2016-0165 and CVE-2015-2419, and enable Windows Defender Real-Time Protection with cloud-delivered block rules. Automated detection rules can be written for endpoints using Sysmon Event ID 1 (process creation) to flag execution of vssadmin.exe Delete Shadows and wbadmin.exe delete catalog, alongside network signatures for HTTP POST requests to non-standard ports bearing base64-encoded payloads.
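To make the indicators listed under Detection Indicators and the Sysmon-based rules just described concrete, here is an added example (not code from this page, from Boteraser, or from any vendor product) that runs those checks over constructed telemetry. The records mimic Sysmon Event ID 1 (process creation), 3 (network connection), 11 (file creation) and 13 (registry value set), plus one proxy-style HTTP record; the host names, file paths, SID and beacon body are invented, and only the command lines, file extension, registry path and IP ranges quoted on this page are used as indicators. The last function correlates distinct behaviours per host, because a single Run key or a single .locked file is a weak signal on its own.

```python
"""Endpoint and network detections for the FileCoder behaviours listed above.
Added example; events are constructed to mimic Sysmon field names. Host names,
paths, the SID and the beacon body are invented; indicators come from the page.
"""
import base64
import binascii
import ipaddress
import re

# Indicators exactly as stated on the page.
BACKUP_DESTRUCTION = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
]
# Sysmon records the per-user hive as HKU\<SID>\..., so accept both spellings.
RUN_KEY = re.compile(
    r"^(?:HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.I)
LOCKED_EXT = ".locked"
C2_RANGES = [ipaddress.ip_network("185.165.29.0/24"),
             ipaddress.ip_network("91.121.87.0/24")]
STANDARD_HTTP_PORTS = {80, 443}


def is_probably_base64(body: str, min_len: int = 16) -> bool:
    """Coarse test for the network rule: base64 alphabet, padded, decodes."""
    if len(body) < min_len or len(body) % 4:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def detect(ev: dict) -> list[tuple[str, str]]:
    """Return (category, detail) pairs for one event; empty when benign."""
    eid = ev.get("EventID")
    hits = []
    if eid == 1:  # process creation: shadow copy / backup catalog deletion
        cmd = ev.get("CommandLine", "")
        if any(p.search(cmd) for p in BACKUP_DESTRUCTION):
            hits.append(("backup_destruction", cmd))
    elif eid == 3:  # network connection into a range named on the page
        ip = ipaddress.ip_address(ev["DestinationIp"])
        if any(ip in net for net in C2_RANGES):
            hits.append(("c2_network", f"{ip}:{ev['DestinationPort']}"))
    elif eid == 11:  # file creation with the ransomware extension
        name = ev.get("TargetFilename", "")
        if name.lower().endswith(LOCKED_EXT):
            hits.append(("encryption_artifact", name))
    elif eid == 13:  # registry value set under the Run key
        key = ev.get("TargetObject", "")
        if RUN_KEY.match(key):
            hits.append(("persistence", f"{key} = {ev.get('Details', '')}"))
    elif eid == "HTTP":  # proxy record: POST to non-standard port, base64 body
        if (ev.get("Method") == "POST"
                and int(ev["DestinationPort"]) not in STANDARD_HTTP_PORTS
                and is_probably_base64(ev.get("Body", ""))):
            hits.append(("c2_beacon", f"POST :{ev['DestinationPort']}"))
    return hits


def run_detection(events) -> list[tuple[str, str, str]]:
    """(host, category, detail) for every event that fires a rule."""
    return [(ev.get("Computer", "?"), cat, detail)
            for ev in events for cat, detail in detect(ev)]


def hosts_at_risk(events, min_categories: int = 2) -> list[str]:
    """Hosts on which at least `min_categories` distinct behaviours co-occur."""
    seen: dict[str, set[str]] = {}
    for host, cat, _ in run_detection(events):
        seen.setdefault(host, set()).add(cat)
    return sorted(h for h, cats in seen.items() if len(cats) >= min_categories)


# Constructed telemetry: WS-01 shows the infection chain, WS-02 is benign noise.
BEACON_BODY = base64.b64encode(b"constructed FileCoder beacon host=WS-01 id=0001").decode()
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-01", "CommandLine": "vssadmin.exe Delete Shadows"},
    {"EventID": 1, "Computer": "WS-01", "CommandLine": "wbadmin.exe delete catalog"},
    {"EventID": 11, "Computer": "WS-01",
     "TargetFilename": r"C:\Users\alice\Documents\budget.xlsx.locked"},
    {"EventID": 13, "Computer": "WS-01",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\alice\AppData\Local\Temp\q8v2lx.exe"},
    {"EventID": 3, "Computer": "WS-01", "DestinationIp": "185.165.29.17", "DestinationPort": 8080},
    {"EventID": "HTTP", "Computer": "WS-01", "Method": "POST", "DestinationPort": 8080, "Body": BEACON_BODY},
    {"EventID": 1, "Computer": "WS-02", "CommandLine": "notepad.exe report.txt"},
    {"EventID": 3, "Computer": "WS-02", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": "HTTP", "Computer": "WS-02", "Method": "POST", "DestinationPort": 443, "Body": BEACON_BODY},
    {"EventID": "HTTP", "Computer": "WS-02", "Method": "POST", "DestinationPort": 8080, "Body": '{"status":"ok"}'},
]

if __name__ == "__main__":
    for host, cat, detail in run_detection(SAMPLE_EVENTS):
        print(f"{host:6} {cat:20} {detail}")
    print("hosts at risk:", hosts_at_risk(SAMPLE_EVENTS))
```

Run as a script it prints six findings, all on WS-01, and names that host as at risk; WS-02 stays quiet because its POST on port 443 is on a standard port and its POST on 8080 carries JSON rather than base64. The same rules translate directly into Sigma or an EDR query, and the per-host correlation step is what keeps the single-indicator rules from paging on every legitimate shadow-copy cleanup or Run-key change.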


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.