Malwarebytes Ransomware Protection For Mac


Last month we saw a new ransomware family for Mac. Written in Swift, it is distributed on BitTorrent sites as a “Patcher” for pirating popular software. Crypto-ransomware has become very popular among cybercriminals. While most of it targets the Windows desktop, we also saw machines running Linux or macOS compromised by ransomware in 2016, with, for example, one family affecting Linux and another attacking OS X. Early last week we observed a new ransomware campaign aimed at Mac users. This new ransomware, also written in Swift, is distributed via BitTorrent sites and calls itself “Patcher”, ostensibly an application for pirating popular software.

Distribution

Figure 1 – BitTorrent site distributing Torrent files containing OSX/Filecoder.E

The Torrent contains a single ZIP file: an application bundle.


Malwarebytes today announced the release of Malwarebytes for Mac, featuring real-time protection to automatically block and remove cyberthreats, including malware, adware, and potentially unwanted programs. Malwarebytes Anti-Ransomware Beta, CryptoDrop Anti-Ransomware, and a few other tools also use behavior-based detection to stop ransomware that gets past your regular antivirus. If you have the Premium version of Malwarebytes for Windows, Malwarebytes for Mac or Malwarebytes for Android, you can turn Real-Time Protection on or off. You may find it helpful to turn protection off temporarily if you are experiencing an issue using another application or file on your device.


We saw two different fake application “Patchers”: one for Adobe Premiere Pro and one for Microsoft Office for Mac. Mind you, our search was not exhaustive; there might be more out there.

Ransomware On Mac

Figure 2 – Icons of the “Patchers” as seen in Finder

The application is generally poorly coded. The window has a transparent background, which can be quite distracting or confusing (see Figure 3), and it is impossible to reopen the window once it has been closed. The application has the bundle identifier NULL.prova and is signed with a key that has not been signed by Apple:

Internal requirements count = 0 size = 12

Figure 3 – The main window of the ransomware

File encryption process

Clicking the start button, shown in Figure 3, launches the encryption process. It copies a file called README!txt into all of the user’s directories, such as “Documents” and “Photos”.

Best Free Ransomware Protection

Its content is shown later in the article. Then the ransomware generates a random 25-character string to use as the key to encrypt the files.

The same key is used for all the files, which are enumerated with the find command line tool; the zip tool is then used to store each file in a password-protected archive. Finally, the original file is deleted with rm and the encrypted file’s modification time is set to midnight, February 13th, 2010 with the touch command. The reason for changing the file’s modification time is unclear.

Malwarebytes Ransomware Protection For Mac

After the /Users directory is taken care of, it does the same thing to all mounted external and network storage found under /Volumes. Once all the files are encrypted there is code that tries to zero all free space on the root partition with diskutil, but the path to the tool in the malware is wrong.

Best Ransom Ware Protection For Mac

It tries to execute /usr/bin/diskutil; however, the path to diskutil in macOS is /usr/sbin/diskutil.

Figure 4 – Encrypted document and README!txt as they appear in Finder

The instructions left for the victims in the README!txt files are hardcoded inside the Filecoder, which means that the Bitcoin address and email address are always the same for every victim running the same sample. The message and contact details were the same in both samples we analyzed.
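The two artifacts described above, the README!txt ransom note dropped in every directory and the encrypted archives whose modification time is reset to midnight on February 13th, 2010, make a usable triage indicator for responders. The following is an added example, not code from the original article or from ESET: it builds a constructed sample directory that mimics that aftermath and scans it for both indicators. The encrypted file name (report.docx.zip) is an assumption, since the article does not state what the archives are called; the timestamp is compared in local time, which is how touch would have set it.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Indicators taken from the article: the ransom note name and the
# hardcoded modification time applied to every encrypted archive.
RANSOM_NOTE = "README!txt"
SUSPICIOUS_MTIME = datetime(2010, 2, 13, 0, 0, 0)  # midnight, local time


def scan_tree(root):
    """Walk `root` and return (notes, stale): sorted paths of ransom notes
    and sorted paths of files whose mtime equals the hardcoded timestamp."""
    notes, stale = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(str(path))
                continue
            mtime = datetime.fromtimestamp(path.stat().st_mtime)
            if mtime.replace(microsecond=0) == SUSPICIOUS_MTIME:
                stale.append(str(path))
    return sorted(notes), sorted(stale)


def build_sample_tree():
    """Create a throwaway directory with constructed sample data that mimics
    the described aftermath (no real encryption takes place)."""
    root = tempfile.mkdtemp(prefix="filecoder_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / RANSOM_NOTE).write_text("constructed ransom note placeholder\n")
    enc = docs / "report.docx.zip"  # assumed name for an encrypted archive
    enc.write_bytes(b"PK\x03\x04 constructed zip placeholder")
    ts = SUSPICIOUS_MTIME.timestamp()
    os.utime(enc, (ts, ts))  # mimic the touch call the malware performs
    (docs / "untouched.txt").write_text("normal file, current mtime\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found_notes, found_stale = scan_tree(sample_root)
    print("ransom notes:", found_notes)
    print("files with the Feb 13 2010 midnight mtime:", found_stale)
```

On a real system you would point scan_tree at /Users and each mount under /Volumes; a single hit on either indicator is worth investigating, and the stale-mtime list doubles as the inventory of files to restore from backup.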