A New MacOS ransomware spotted in the wild


Researchers have recently found a new file-encrypting ransomware for macOS that is being distributed through BitTorrent websites; users who fall victim to it will not be able to recover their data even if they pay the ransom.

Crypto ransomware programs for macOS are generally rare. This is only the second one found in the wild so far, and it is poorly written and designed. The malware has been named OSX/Filecoder.E by the malware researchers at antivirus vendor ESET, who discovered it.

OSX/Filecoder.E masquerades as a cracking tool for commercial software such as Microsoft Office and Adobe Premiere Pro CC for Mac, and is distributed as a BitTorrent download. It is written in Apple's Swift programming language by what appears to be an inexperienced developer, judging from the number of mistakes made in the implementation.

The application installer is also not signed with an Apple-issued developer certificate, which makes installing the malware harder on recent OS X and macOS versions, as users have to override the default security settings.

The main problem with this malware lies in the way it encrypts files. It generates a single encryption key for all the hidden files and then stores those files in an encrypted ZIP archive. However, the malware never sends the encryption key to the attacker before destroying it, which removes any hope of recovering the data.

This means that even if victims follow the attacker's instructions on how to pay the ransom, they won't get their files back. The encryption appears to be strong, so it cannot be cracked by alternative means either.

“The random ZIP password is generated with arc4random_uniform which is considered a secure random number generator,” the ESET researchers said in a blog post Wednesday. “The key is also too long to brute force in a reasonable amount of time.”


William Fieldhouse

I currently work full time as a penetration tester and have been involved within the IT security industry for over a decade. I also love to pioneer any forms of new technology and ideologies for future advancements. Feel free to contact me at [email protected]