New crypto ransomware dubbed Filecoder is stalking macOS users, ESET researchers warn.
Masquerading as an application for cracking/patching legal copies of Adobe Premiere Pro and Microsoft Office for Mac (and possibly other pricy software), the malware is distributed via BitTorrent distribution sites.
Not a masterpiece, but still destructive
Users who download a ZIP file (application bundle) containing the ransomware and run it, will be faced with a window and a “Start” button which they are instructed to press in order to crack the software. Unfortunately for them, pressing the button triggers the encryption process in the background.
The malware drops the ransom note on the system, generates a random 25-character string to use as the encryption key, starts enumerating and encrypting files found in the /Users directory and mounted external and network storage, and finally deletes the original versions of the files.
The dropped ransom message instructs victims to buy 0.25 BTC, send it to the crook’s Bitcoin wallet, and keep their computer connected to the internet for the next 24 hours so that the files can be decrypted.
But this promise is empty: Filecoder cannot communicate with a C&C server, which means that the crook didn’t received the encryption key and can’t, therefore, decrypt victims’ files.
“Alas, the random ZIP password is generated with arc4random_uniform which is considered a secure random number generator. The key is also too long to brute force in a reasonable amount of time,” the researchers noted.
As the address of the crook’s Bitcoin wallet is known and always the same, it’s easy to see that, so far, no one has paid the ransom.
In general, paying ransom for encrypted files is a tricky proposition, as there is no guarantee you’ll get your files back. In this case, not getting the files back is guaranteed.
This piece of malware is obviously not a technical masterpiece, and fails to do some of the things it attempts to do, but unfortunately it encrypts files very well.
Source: Help Net Security – News @ February 23, 2017 at 12:32AM