Decryptor for MacOS Ransomware

Wednesday, March 1, 2017 @ 01:03 PM gHale

There is now a tool that can decrypt a new piece of ransomware that targeted Mac users.

Filecoder, also known as Findzip, was able to encrypt victims’ files, but it doesn’t send the encryption key to the victim, and the attacker can’t provide a decryption tool even if the ransom is paid.


The victims whose files ended up encrypted, and had no backup copies, lose everything.

That can now change because Malwarebytes researchers found a way to decrypt them.

Victims will need another working computer, an unencrypted copy of at least one of the encrypted files, a good text editor, the Xcode command-line tools, and a downloaded and compiled copy of pkcrack, a software implementation of a known-plaintext attack on ZIP file encryption.
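As an added illustration (not code from the article, from Malwarebytes or from pkcrack), the legacy "ZipCrypto" stream cipher that the stock zip utility applies: it shows why one known file exposes the keystream byte for byte, and why the three internal keys left after password initialisation, not the password itself, are all that is needed to decrypt a file. The password and header values in the test are constructed; recovering the keys from keystream is the step pkcrack performs and is not reproduced here.

```python
# Legacy "ZipCrypto" stream cipher (PKWARE traditional encryption), as used by
# the command-line zip utility. Constructed example; not the malware or pkcrack.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)

def _crc(crc, byte):
    return CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)

def update_keys(keys, p):
    # The state only ever advances on plaintext bytes.
    k0, k1, k2 = keys
    k0 = _crc(k0, p)
    k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
    k2 = _crc(k2, k1 >> 24)
    return (k0, k1, k2)

def init_keys(password: bytes):
    keys = (0x12345678, 0x23456789, 0x34567890)
    for c in password:
        keys = update_keys(keys, c)
    return keys

def keystream_byte(keys):
    t = (keys[2] | 2) & 0xFFFF
    return ((t * (t ^ 1)) >> 8) & 0xFF

def zipcrypto_encrypt(password: bytes, header12: bytes, plaintext: bytes) -> bytes:
    # ZIP prepends a 12-byte random header to each file before encrypting.
    keys, out = init_keys(password), bytearray()
    for p in header12 + plaintext:
        out.append(p ^ keystream_byte(keys))
        keys = update_keys(keys, p)
    return bytes(out)

def decrypt_with_keys(keys, blob: bytes) -> bytes:
    # Decryption needs only the three 32-bit internal keys that follow
    # password initialisation; the password itself is never required.
    out = bytearray()
    for c in blob:
        p = c ^ keystream_byte(keys)
        out.append(p)
        keys = update_keys(keys, p)
    return bytes(out)[12:]  # drop the 12-byte header

def keystream_from_known_plaintext(plaintext: bytes, encrypted_blob: bytes) -> bytes:
    # A known file yields the keystream byte for byte; pkcrack works from
    # exactly this kind of keystream to recover the internal keys.
    return bytes(p ^ c for p, c in zip(plaintext, encrypted_blob[12:]))
```

Because every file in an archive encrypted with the same password starts from the same internal key state, keys recovered from one known file decrypt the others as well, which is why one unencrypted copy is enough.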

But even having an unencrypted version of an encrypted file is not a strict requirement in some cases.

“If you can’t find such a file, you may be able to use the malicious Findzip app against itself. If you ran the app from somewhere in your user folder – like your Downloads folder – then the app will have (amusingly) encrypted itself. In this case, you can simply download a fresh copy of the app,” Thomas Reed, director of Mac offerings and lead Mac malware expert at Malwarebytes said in a blog post.

Recovering a large number of files in this manner will take a long time and will be tedious, as the encrypted files can’t be decrypted in bulk, he said.
