A new strain of ransomware was discovered and analyzed last week. According to researchers, the new piece is targeting one specific group of Mac OS users – those who are trying to crash legal copies of some very expensive software.
Dubbed Filecoder and also known as Findzip, the ransomware encrypts files but there is one problem. The encryption key isn’t sent back to the crooks, so they cannot provide it to victims even if the ransom sum is paid. As a result, the users who had their files locked by Filecoder and didn’t have a backup were forced to wave their data goodbye.
However, it turns out that the Malwarebytes researchers managed to come up with a way of decrypting Filecoder encrypted files after all. The process itself it quite long and requires some technical knowledge but anyone who knows how to strictly follow instructions can execute it.
The experts say that, for the process, the victims will need another working PC, an unencrypted version of at least one of the encrypted files and a text editor. Also, they will have to download and install Xcode command-line tools as well as to download and compile pkcrack, which is a software implementation of a known-plaintext-attack on ZIP file encryption. But in some cases, the unencrypted version of an already encrypted file is not necessary.
“If you can’t find such a file, you may be able to use the malicious Findzip app against itself. If you ran the app from somewhere in your user folder – like your Downloads folder – then the app will have (amusingly) encrypted itself. In this case, you can simply download a fresh copy of the app.” – noted Thomas Reed, Director of Mac Offerings and lead Mac malware expert at Malwarebytes.
Reed also added that retrieving a large number of locked file will be a very time-consuming and tiresome process as files can only be decrypted one at a time. However, this is still a chance for those victims who lost some very important data to get it back.
“We suspect that the number of people infected is low, but not zero” – Reed commented for Help Net Security – “We are not aware of any specific victims, but they may be reluctant to come forward, given the activity they were engaged in when they would have gotten infected (i.e., software piracy). That also might make them reluctant to trust the hacker with payment, which would explain the current lack of payment transactions.”
