Filecoder – This Ransomware Spreading Through The Torrent Websites Targets Mac Users.

Ransomware, Threat

A new form of crypto-ransomware for MacOS has been discovered in the wild that makes it impossible for the victim to recover the data even after they pay up. The ransomware is currently been distributed via BitTorrent distribution sites. The security vendor ESET discovered the threat as Filecoder.

Discovered earlier last week, the researchers claim, because of ransomware’s poor design victims may not be able to recover their data even if they pay up.

Written in Swift, there is one big problem with this ransomware. It doesn’t have any code to communicate with any C&C server. This means that the decryption key cannot be sent to the infected machine to decrypt the file.

The ransomware is currently distributed as fake application “Patchers” – it disguises as a cracking tool for commercial software.

The researchers noticed a couple of fake Adobe Premiere Pro CC and Microsoft Office “Patchers” for Mac and suspected much more to come out at the earliest.

The downloaded Torrent contains a single ZIP file – an application bundle. When the users run the application to crack commercial software, the user is provided with a transparent “start” window.

Clicking the start button launches the encryption process. It also copies a file dubbed README!.txt all around the user’s folders such as “Documents” and “Photos”. The file README!.txt contains instruction for the victim.

Once all the files are encrypted there is code that tries to null all free space on the root partition. However, it is not done thanks to the bad codes.

Since the ransomware does not communicate with command and control infrastructure, the encryption key is not sent to the CC Server. This makes quite impossible for the ransomware operator to send the decryption key back to the victims once the ransom is paid up.