New macOS Ransomware Locks Your Data, Forgets the Key and Encrypts Your Files Forever

Feb 23, 2017

Ransomware has become one of the most popular tools in the cybercriminal kit. A report last week suggested that Android ransomware attacks have grown by over 50% in a single year. Security researchers have now identified a new ransomware family, “Patcher”, that targets macOS users. The new Mac ransomware is written in Swift and is distributed through BitTorrent sites.

Mac ransomware locks your data – forever

Security researchers at ESET have discovered a new Mac ransomware campaign that is being distributed via torrent files advertising license crackers for applications such as Adobe Premiere Pro or Microsoft Office for Mac.


Most of the ransomware seen so far targets Windows and Android devices. Linux and macOS, however, have had their own small share of ransomware campaigns written exclusively for them. If it is any consolation, the new Mac ransomware is very poorly written.

Once a user downloads and unzips one of these torrents, which are disguised as crackers, they get a binary whose name ends in the string “Patcher”. When the binary is executed, a window with a transparent background pops up. It is a little confusing, but there is a Start button, and clicking it kicks off the file encryption process.

First it copies a ransom note called README!.txt into the user’s directories, such as “Documents” and “Photos”.

Then the ransomware generates a random 25-character string and uses it as the password for encrypting the files. The same password is used for every file. Files are enumerated with the find command-line tool, and the zip tool is then invoked to store each file in a password-protected archive.


Finally, the original file is deleted with rm and the encrypted archive’s modification time is set to midnight on February 13th 2010 with the touch command. Why the modification time is changed is unclear. After the /Users directory has been processed, the same treatment is applied to every mounted external and network volume found under /Volumes.
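The procedure above leaves three kinds of traces on a victim’s disk: the README!.txt notes, zip archives whose local file headers carry the encryption flag, and files whose modification time has been reset to midnight on 2010-02-13. The following triage script, added here as an example and not code from ESET or from the malware, walks a directory tree and reports all three. It assumes the timestamp is interpreted in local time (as touch does without a zone), that the note file name is exactly README!.txt, and that the archives were produced by zip with a password, which sets general-purpose bit 0 in the local header. The sample tree it scans is constructed inline.

```python
"""Triage scan for the macOS "Patcher" ransomware traces described above.

Added example, not ESET's code and not the malware: finds ransom notes,
password-protected zip archives, and files stamped 2010-02-13 00:00.
"""
import os
import struct
import tempfile
import zlib
from datetime import datetime
from pathlib import Path

RANSOM_NOTE = "README!.txt"
# The report says touch reset every archive to midnight, 13 Feb 2010.
# Assumption: local time, which is what touch -t uses without a zone.
STAMP = datetime(2010, 2, 13, 0, 0, 0).timestamp()

ZIP_LOCAL_SIG = 0x04034B50   # "PK\x03\x04", start of every local file header
ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0, set by 'zip -P' / 'zip -e'


def zip_entry_encrypted(path):
    """True if the file starts with a zip local header whose encryption bit is set.

    Only the 30-byte fixed header is read, so no password is needed and
    partial or truncated archives are handled. Non-zip files return False.
    """
    with open(path, "rb") as fh:
        header = fh.read(30)
    if len(header) < 30:
        return False
    sig, _version, flags = struct.unpack("<IHH", header[:8])
    return sig == ZIP_LOCAL_SIG and bool(flags & ZIP_FLAG_ENCRYPTED)


def mtime_is_stamp(path, tolerance=1.0):
    """True if the file's mtime is the 2010-02-13 00:00 marker (within tolerance seconds)."""
    return abs(os.path.getmtime(path) - STAMP) <= tolerance


def scan_tree(root):
    """Sort every regular file under root into the three artifact buckets."""
    found = {"ransom_notes": [], "stamped": [], "encrypted_archives": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if name == RANSOM_NOTE:
                found["ransom_notes"].append(path)
            if mtime_is_stamp(path):
                found["stamped"].append(path)
            if zip_entry_encrypted(path):
                found["encrypted_archives"].append(path)
    return found


def _local_header(name, data, encrypted):
    """Constructed sample: a minimal stored-entry zip local header plus payload.

    Enough for the header check above; it is not a complete archive
    (no central directory), so it is not meant to be opened with zip tools.
    """
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(
        "<IHHHHHIIIHH",
        ZIP_LOCAL_SIG, 20, flags, 0, 0, 0x3A4D,   # version, flags, method, DOS time/date
        zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data), len(name), 0,
    )
    return header + name.encode() + data


def build_sample_tree(root):
    """Lay out a constructed victim directory resembling the report's description."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / RANSOM_NOTE).write_text("constructed ransom note\n")
    # A password-protected archive with its mtime reset, as the malware leaves it.
    crypt = docs / "report.docx.crypt"
    crypt.write_bytes(_local_header("report.docx", b"constructed payload", True))
    os.utime(crypt, (STAMP, STAMP))
    # An untouched text file and an unencrypted archive, for contrast.
    (docs / "notes.txt").write_text("untouched\n")
    (docs / "backup.zip").write_bytes(_local_header("notes.txt", b"untouched\n", False))


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = scan_tree(tmp)
    return {bucket: sorted(os.path.relpath(p, tmp).replace(os.sep, "/") for p in paths)
            for bucket, paths in found.items()}


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(f"{bucket}: {paths}")
```

On a real machine you would point scan_tree at /Users and at each mount under /Volumes; the mtime check is the cheapest of the three and the header check confirms which archives actually need the password rather than merely being zip files.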

The instructions for victims are hardcoded in the README file, so the Bitcoin address and the contact email address are the same for every victim. That alone confirms this is not the most sophisticated piece of ransomware, but there is a bigger problem.

Patcher generates the password locally and never transmits it to any server, which means the people behind this Mac ransomware have no way to decrypt your files even if you pay the ransom. Brute-forcing a random 25-character password is also infeasible. (One caveat the report does not address: the classic PKZIP stream cipher that the zip tool uses for password protection by default is known to be weak against known-plaintext attacks, a property of the archive format rather than of the password length.) Either way, an offline backup is your best bet.

“This new crypto-ransomware, designed specifically for macOS, is surely not a masterpiece,” researchers wrote in a blog post. “Unfortunately, it’s still effective enough to prevent the victims accessing their own files and could cause serious damage.”
