A new ransomware family is threatening macOS users. The spam campaign is called “Patcher,” and it uses BitTorrent distribution websites to infect computers.
Security company ESET was the first to warn about the “patchers,” which contain the new malware instead of the promised file. When users download a patcher from a torrent website, they receive a single ZIP file containing the application bundle.
ESET says the ransomware was spotted in files that claimed to be patches for Adobe Premiere Pro and Microsoft Office for Mac; more variants may yet be seen.
According to the researchers, the application is poorly coded: it shows a single window with a transparent background instead of the usual white backdrop. Once that window is closed, it cannot be reopened. If closing it is all you do, your files may still be safe.
However, if you hit the “Start” button in the window, just say goodbye to your files because that’s the very moment when the encryption process starts.
A “README!.txt” file containing the ransom instructions is copied throughout the user’s directories. A random 25-character string is then generated and used as the key to encrypt the files.
All files are encrypted with the same key. The files are enumerated with the “find” command-line tool, and the zip tool is used to store each file in an encrypted archive.
“Finally, the original file is deleted with rm and the encrypted file’s modified time is set to midnight, February 13th 2010 with the touch command. The reason for changing the file’s modified time is unclear. After the /Users directory is taken care of, it does the same thing to the mounted external and network storage found under /Volumes,” the ESET experts say.
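The behaviour ESET describes leaves two cheap filesystem artifacts a defender can hunt for: dropped “README!.txt” notes and files whose modification time was reset to exactly midnight on 13 February 2010. The script below is an added illustration of such a scan and is not ESET's code or part of the original article; it builds a small constructed directory tree (the file names under it are made up) and walks it looking for those two artifacts.

```python
"""Hunt a directory tree for the two Patcher artifacts described above:
dropped README!.txt ransom notes and files whose mtime was pinned to
midnight, 13 February 2010. Added example with a constructed sample tree."""
import os
import tempfile
from datetime import datetime

NOTE_NAME = "README!.txt"
# The pinned timestamp is local midnight, which is what `touch` with a
# date argument produces on the victim machine.
PINNED_MTIME = int(datetime(2010, 2, 13, 0, 0, 0).timestamp())


def scan_tree(root):
    """Walk `root` and return {'notes': [...], 'pinned': [...]} of suspicious paths.

    'notes' are files named README!.txt; 'pinned' are files whose
    modification time equals the 2010-02-13 00:00:00 timestamp.
    """
    findings = {"notes": [], "pinned": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable entry; skip rather than abort the hunt
            if name == NOTE_NAME:
                findings["notes"].append(path)
            elif int(st.st_mtime) == PINNED_MTIME:
                findings["pinned"].append(path)
    return findings


def build_sample_tree(base):
    """Construct a small sample tree (all names are made up for this demo)."""
    docs = os.path.join(base, "Documents")
    pics = os.path.join(base, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    # Two dropped ransom notes, one per directory.
    for d in (docs, pics):
        with open(os.path.join(d, NOTE_NAME), "w") as fh:
            fh.write("constructed ransom note text\n")
    # One 'encrypted archive' with its mtime reset to the pinned date.
    archive = os.path.join(docs, "report.docx.zip")
    with open(archive, "wb") as fh:
        fh.write(b"PK\x03\x04 constructed placeholder bytes")
    os.utime(archive, (PINNED_MTIME, PINNED_MTIME))
    # One untouched file that must not be flagged.
    with open(os.path.join(pics, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8 constructed placeholder bytes")


def run_demo():
    """Build the sample tree in a temp dir, scan it, return sorted relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = scan_tree(tmp)
        return {
            kind: sorted(os.path.relpath(p, tmp) for p in paths)
            for kind, paths in found.items()
        }


if __name__ == "__main__":
    result = run_demo()
    for kind, paths in result.items():
        print(f"{kind}: {len(paths)} hit(s)")
        for p in paths:
            print("  ", p)
```

Pointing `scan_tree` at `/Users` and at each mount under `/Volumes` covers the two locations the article says the malware walks; a hit on the pinned timestamp alone is only a heuristic, since an ordinary file could carry that date, but combined with nearby README!.txt notes it is a strong signal.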
Unfortunately, the poor coding also makes it impossible for victims to recover their encrypted files. There appears to be no code to communicate with any C&C server, so the encryption key is never sent to the malware operators. Even if you pay the ransom, your files will not be decrypted.
According to the ransom instructions, victims should send 0.25 BTC to a particular address, which means unlocking your files would cost about $250. Paying more is promised to get your files decrypted “in record time” instead of the regular 24 hours.
Currently, the bitcoin address provided by the attackers shows zero transactions, which suggests that, luckily, they have not found any paying victims yet.