New mac crypto-ransomware has no decryption ability so paying is pointless

A new macintosh ransomware variant found packaged in software supposed to ‘crack’ or give you access to free editions of paid software, has no ability to decrypt the files it has encoded. While an infected mac user might make a payment, that there is no way to get your files back makes such a payment useless.

While most crypto-malware targets the Windows desktop, we have Linux and macOS machines being compromised by ransomware during 2016 with, for example, KillDisk on Linux and KeRanger going after Mac OS-X.

Where this new malware is found…

Since last week, a new Mac crypto-ransomware has been found in multiple places. This new ransomware, written in the programming language Swift, is being distributed via BitTorrent sites and calls itself a software “Patcher”, masquerading as an application for pirating popular software such as Adobe Premiere Pro and Microsoft Office 2016.

According to researchers at ESET, instructions for the victims in the README!.txt files are hardcoded inside the Filecoder, meaning that the Bitcoin address and email address are always the same for every victim running the same sample. The message and contact details were the same in both samples they analyzed.

MacOS Crypto-Malware found with no decryption ability - Paying the Ransom is Pointless!

MacOS Crypto-Malware found with no decryption ability – Paying the Ransom is Pointless!

Unsophisticated Malware with no solution

There is a huge problem with this ransomware app: it doesn’t have any ability to communicate with a command and control (C&C) server. Unfortunately, this means that there is no way the key that was used to encrypt the files can be sent to the malware operators for decryption.

Paying the ransom in this case will not get back your files. That’s one reason we would advise victims to never pay the ransom when hit by ransomware variants.

Unfortunately, the random ZIP password is generated with arc4random_uniform which is considered a quite secure random number generator. The key is also too long to brute force in a reasonable amount of time.

Decryption of files encypted by this ransomware is basically not possible.

ESET products detect this threat as OSX/Filecoder.E.

Ready for the right solutions?

It’s time to offload your technology troubles and security stress.

"*" indicates required fields