Discovered extortionist Patcher for Mac that encrypts files, but cannot decrypt them back
24.02.2017 Erika J. Wells 0 Comments
Experts of the research company ESET found the malware for Mac, which encrypts computer files and demands money for access to information. The problem is that even after the payment of “malware” called Patcher is not able to decrypt back the data on the computer.
Patcher, also known as a Filecoder and OSX/Filecoder.E, written in the Swift programming language and is distributed through torrents, disguised as crack for Microsoft Office for Mac or Adobe Premiere Pro. If a user downloads such a file, he discovers a ZIP archive containing a file with the word Patcher in the title.
If macovod will launch the app, appears a blank window with the only button Start. At this point it is too late to close the window, as the encryption process starts after pressing Start.
As noted by Xakep, uses arc4random_uniform Patcher and generate a random value length of 25 characters, which is used as the encryption key for all user files. The problem is that the coder does not transmit this key to the command and control server. In the code malware, there is nothing that could be used to communicate with the C&C server. So the operators of the Trojan are simply not possible to restore data affected. Worse, the key is long enough that it was almost impossible to pick up using too much.
Patcher leaves the README file!.txt containing the message with the ransom note, in all affected directories, and the file is encoded in code malware, that is specified in the message a bitcoin wallet is same for all users. The researchers report that at the moment money to the purse haven’t listed one.
According the researchers note that Patcher “definitely not a masterpiece” and downloading pirated software via dubious channels always significantly increases the risk of infection.