New Messy Mac Ransomware

Friday, February 24, 2017 @ 04:02 PM gHale

New ransomware is going after MacOS users, researchers said.

“Patcher,” which is the new campaign’s moniker, uses BitTorrent distribution sites to get into computers.

Updated Ransomware Includes RaaS
New Ransomware as a Service Starts Up
New Ransomware Tries to Grow Organically
Exploit Kit Jumps on Old Applications

When people try to download the patchers from torrent sites, there’s only one ZIP file which contains the application bundle, said researchers from ESET.

Researchers found this ransomware in files meant to fix Adobe Premiere Pro and Microsoft Office for Mac, but more could be out in the wild.

The application is poorly coded, the researchers said where one window has a transparent background instead of the regular white backdrop. If the window closes, it’s impossible to reopen it, they said. If this is all you do, then there may still be hope for your files.

If you, however, tap the “Start” button in the window, say goodbye to your files because that’s when the encryption process starts. A file called “README!.txt” ends up copied all around the user’s directories, containing the ransomware instructions. Then, a random 25-character string ends up generated to use as the key to encrypt the files. All files make use of the same key. The files end up enumerated with the “find” command line tool, and then the zip tool stores the file in an encrypted archive.

One problem with this ransomware is it has poor coding and this makes it impossible for users to eventually get their data back because there seems to be no code to communicate with any C&C server, which means the decryption keys can’t end up sent to the malware operators. Paying the ransom will not do anything to get people’s files back.

The ransomware instructions ask victims to send 0.25 BTC to an address, which means unlocking your files might cost about $250 if you decide to pay the price.

Leave a Reply

You must be logged in to post a comment.