Mac users enjoy, FindZip macOS Ransomware decryption tool is available online for free

Great news for macOS users who were infected by the FindZip macOS ransomware, Avast released a decryption tool for free.

Good news for macOS users who were infected by the FindZip ransomware, now a decryption tool was released online for free.

The FindZip macOS ransomware was spotted last month by researchers at ESET, it is tracked as OSX/Filecoder.E.

The ransomware, written in Swift, was distributed via BitTorrent distribution sites and calls itself “Patcher”, ostensibly an application for pirating popular software. FindZip ransomware OSX/Filecoder.E MAC OS ransomware,

The first release was not complete, the victims were not able to recover their files, even if they pay the ransom.

For this reason, security experts were inviting victims of the ransomware to avoid paying the ransom.

Due to coding errors, the malicious code was destroying the encryption key before sending them to the command and control server.

FindZip was born after an update to Apple’s XProtect signatures started calling it FindZip soon after. The new threat masquerades itself as cracks for Adobe Premier Pro and Microsoft Office, and also feature signed certificates.

The number of ransomware developed to target macOS user is low, FindZip is the second strain of malware designed with this purpose.

The excellent news is that victims of the FindZip macOS ransomware now have the opportunity to recover their files for free thanks to the experts at the security firms Malwarebytes and Avast.

A couple of weeks ago, experts from Malwarebytes Labs researchers published the instructions to restore data encrypted by the FindZip macOS ransomware.

The procedure uses the following elements:

Xcode or TextWrangler
Xcode command-line tools
pkcrack source code
One unencrypted file and the corresponding encrypted file

The process also requires a second account on the infected.

The process has been automated later by experts from Avast who developed the FindZip decryption tool. Victims can decrypt their files on either a Mac or a Windows machine by using the tool.

“MalwareByte already published a technical analysis of FindZip, as well as a description of the decryption process. However, because the instructions described by MalwareBytes may be complicated for some, we created a more user friendly decryption application.” reads a blog post published by AVAST.

“The FindZip decryption tool is available on our free ransomware decryption tools page, along with all of our ransomware decryption tools.”

The tool was successfully tested on macOS 10.10 (Yosemite) and macOS 10.12 (Sierra).

Victims that decide to copy the encrypted files from their infected Mac to a Windows system, using the Avast decryptor should be straightforward and they don’t need to install any other software.

The researchers explained that on Mac or Linux, the users need an emulation layer for Windows and the tool works with CrossOver and Wine. The researchers at Avast confirms that other emulation programs might work as well.

Victims have to install a windowing system for Mac, such as XQuartz, which allows the execution of Wine for Mac.

“Important note: If you already had Wine installed prior to being infected with the ransomware, the entire Wine configuration is probably encrypted. In that case, you need to delete the folder \Users\<YourUserName>\.wine before running the decryptor application.” continues the post.

Enjoy the tool!

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – FindZip macOS ransomware, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.