Filecoder is the new MacOS ransomware distributed through bittorrent

A few days ago experts at antivirus firm ESET spotted a new MacOS ransomware, a rarity in the threat landscape, but it has a serious problem.

Malware experts from antivirus vendor ESET have discovered a new file-encrypting ransomware, dubbed OSX/Filecoder.E, targeting MacOS that is being distributed through bittorrent websites.“Early last week, we have seen a new ransomware campaign for Mac. This new ransomware, written in Swift, is distributed via BitTorrent distribution sites and calls itself “Patcher”, ostensibly an application for pirating popular software.” reads the analysis published by ESET.

The bad news for the victims is that they will not be able to recover their files, even if they pay the ransom.

MacOS ransomware is not common in the threat landscape, this is the second such malware discovered by the security experts after the researchers spotted the Keranger threat in March 2016.

The OSX/Filecoder.E MacOS ransomware masquerades itself as a cracking tool for commercial software like Adobe Premiere Pro CC and Microsoft Office for Mac. The fake cracking tool is being distributed as a bittorrent download.

The malware researchers noted that the ransomware is written in Apple’s Swift programming language and it appears to be the result of the work of a novice Vxer.

The MacOS ransomware is hard to install on the last OS X and MacOS versions because the installer is not signed with a developer certificate issued by Apple.

The OSX/Filecoder.E MacOS ransomware generates a single encryption key for all files and then stores the files in encrypted zip archives. Unfortunately, the malicious code is not able to send the encryption key to the C&C server before being destroyed, this makes impossible the file decryption.

The experts highlighted that implementation of the encryption process is effective and makes impossible to crack it.

“There is one big problem with this ransomware: it doesn’t have any code to communicate with any C&C server. This means that there is no way the key that was used to encrypt the files can be sent to the malware operators.” continues the analysis.

“The random ZIP password is generated with arc4random_uniform which is considered a secure random number generator,” “The key is also too long to brute force in a reasonable amount of time.”

At the time I was writing, the monitoring to the bitcoin wallet address used to receive the payment of the victims revealed that none has paid the ransom.

Experts believe that the crooks behind OSX/Filecoder. E are likely interested in scamming the victims instead of managing a botnet.

“This new crypto-ransomware, designed specifically for macOS, is surely not a masterpiece. Unfortunately, it’s still effective enough to prevent the victims accessing their own files and could cause serious damage.” closed the analysis.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – OSX/Filecoder.E MAC OS ransomware, Apple)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.