When responding to a ransomware incident, it is wise to also change all the passwords for employees who used the affected computers, to prevent the attacker from abusing stolen credentials to cause more damage. Always keep anti-virus solutions up to date. When deploying security solutions for the enterprise, consider using an EDR (endpoint detection and response) solution side-by-side with AV products. Utilizing an EDR solution or an MDR (managed detection and response) can detect advanced threats using Windows system binaries and scripts that aren’t detected by anti-virus, and quickly respond to stop the threats before they spread too far. Many forms of ransomware also seek out network attached drives when encrypting files; backups should be done periodically and stored offline in a secure location. PowerShell scripts like this can be logged by enabling PowerShell module logging, script block logging, and transcription through Group Policy. FireEye has a great guide on how to enable this and how to deal with the required space at https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html. Luckily, FTCode also ships with a kill switch. If the file “C:\Users\Public\OracleKit\w00log03.tmp” exists on the victim’s machine, FTCode will exit before encrypting any files. Source: https://www.bleepingcomputer.com/news/security/ftcode-ransomware-now-steals-saved-login-credentials/