MacOS Ransomware Decryption Tool Issued

Wednesday, March 15, 2017 @ 06:03 AM gHale


There is now a easier decryption tool for macOS users that had their systems infected with the FindZip ransomware.

The ransomware looks like Adobe Premier Pro and Microsoft Office, and also features signed certificates, though not by Apple.

RELATED STORIES
Ransomware’s Plan of Attack
New Messy Mac Ransomware
Updated Ransomware Includes RaaS
New Ransomware as a Service Starts Up

FindZip is a destructive piece of malware as researchers said victims had no way of recovering their files, because the malware was destroying the encryption key before attempting to communicate with the command and control server to send it to the attacker.

Because of that, researchers said users should not pay the ransom, as the attackers had no means of restoring encrypted files.

While the attackers will not restore the system, Malwarebytes Labs researchers first wrote how victims could restore their data using Xcode or TextWrangler, Xcode command-line tools, pkcrack source code, and both the encrypted and unencrypted versions of a file. While it was not easy, it was possible to fix the issue. A second computer or a different account on the compromised machine was mandatory, along with some technical knowledge.

The fixes didn’t stop there as Avast issued a FindZip decryption tool, however, things are a bit simpler, and users can decrypt their files on either a Mac or a Windows machine.

In fact, those victims who port their files from a Mac to Windows won’t need additional resources to install and use the decryptor, the researchers said in a blog post.

On Mac or Linux, an emulation layer for Windows applications is mandatory. As such, researchers tested the tool with CrossOver and Wine, though Avast said other emulation programs might work as well. The decryption tool ended up tested on macOS 10.10 (Yosemite) and macOS 10.12 (Sierra).



Leave a Reply

You must be logged in to post a comment.