February 24, 2017

New Filecoder macOS Ransomware is Poorly Coded, Destructive

A newly discovered ransomware targeting macOS destroys encryption keys before sending them to its apparently inexperienced developer, ESET researchers have discovered.

Dubbed Filecoder (OSX/Filecoder.E) and written in Apple's Swift programming language, the threat is only the second ransomware family known to have hit macOS. The first fully functional such threat emerged in March last year as KeRanger, which was soon found to be a variant of the Linux ransomware known as Linux.Encoder.

Although file-encrypting ransomware targeting macOS is rare, it can be very damaging, and OSX/Filecoder.E proves the point. The malware is distributed via BitTorrent sites, masquerading as an application for pirating popular software such as Adobe Premiere Pro and Microsoft Office for Mac, ESET’s Marc-Etienne M.Léveillé explains.

The application, which has the bundle identifier NULL.prova, is not signed with a certificate issued by Apple, which makes it harder to run on newer macOS versions, where the default security settings block unsigned applications. What’s more, the malicious app’s window has a transparent background, which makes it confusing to use, and it cannot be reopened once closed.

Once the user runs the malicious program, it first copies a README!.txt file into the user’s folders, then starts encrypting the files it finds on the machine. To do so, it enumerates the user’s files with the find command-line tool, then places each discovered file in an encrypted archive protected by a randomly generated 25-character string.

The malware then deletes the original files with rm and, using the touch command, sets the encrypted files’ modification time to midnight, February 13th 2010. After encrypting files in the /Users directory, it searches for mounted external and network storage under /Volumes and repeats the process for the files found there.

Once this is complete, the ransomware is supposed to zero out all free space on the root partition with diskutil, but the operation fails because the developer used the wrong path to the tool, M.Léveillé notes: Filecoder.E tries to execute /usr/bin/diskutil, while the actual path on macOS is /usr/sbin/diskutil.

The dropped README!.txt file is the ransom note, telling victims how to pay to recover their files. The malware appears to use the same Bitcoin address and email address for every victim running the same sample. However, the researchers noticed that no payment had been made so far, and that no one had tried to contact the malware developer via the provided email address (a public inbox that can be read without registration or authentication).
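The artifacts described above (the README!.txt note, the password-protected ZIP archives and the forged February 13th 2010 timestamp) are what an analyst would look for when triaging a suspected infection. The following script is an added example, not ESET's or the malware's code: it builds a constructed directory tree imitating those artifacts and scans it; the file names and contents are assumptions for the demonstration.

```python
# Added example (not ESET's or the malware's code); layout and data are constructed.
import os
import tempfile
import zipfile
from datetime import datetime
from pathlib import Path

RANSOM_NOTE = "README!.txt"
MARKER_MTIME = datetime(2010, 2, 13, 0, 0)  # local midnight, as touch sets it

def is_encrypted_zip(path: Path) -> bool:
    """ZIP archive with at least one encrypted entry (general-purpose flag bit 0)."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())

def scan_tree(root: Path) -> dict:
    """Collect ransom notes (by name) and suspect files (password-protected ZIP
    whose mtime equals the marker); both lists hold paths relative to root."""
    findings = {"notes": [], "suspect_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                findings["notes"].append(str(p.relative_to(root)))
            elif datetime.fromtimestamp(p.stat().st_mtime) == MARKER_MTIME and is_encrypted_zip(p):
                findings["suspect_files"].append(str(p.relative_to(root)))
    return findings

def make_sample_tree(root: Path) -> None:
    """Mimic the artifacts; zipfile cannot write encrypted entries, so the flag is patched in."""
    (root / "Documents").mkdir(parents=True)
    (root / RANSOM_NOTE).write_text("ransom note placeholder\n")
    victim = root / "Documents" / "report.docx.zip"
    with zipfile.ZipFile(victim, "w") as zf:
        zf.writestr("report.docx", b"constructed sample content")
    raw = bytearray(victim.read_bytes())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # flag field offsets
        i = raw.find(sig)
        raw[i + off:i + off + 2] = b"\x01\x00"  # little-endian: bit 0 = encrypted
    victim.write_bytes(raw)
    os.utime(victim, (MARKER_MTIME.timestamp(),) * 2)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "Users" / "victim"
        make_sample_tree(root)
        return scan_tree(root)
```

On a real system, point scan_tree at /Users and each mounted volume under /Volumes; a matching timestamp alone is weak evidence, so the two indicators are reported separately.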

The main flaw in the ransomware, researchers say, is that it does not attempt to connect to a command and control server to transmit the encryption key before destroying it, meaning that the malware author cannot decrypt victims’ files even after receiving payment. Furthermore, the key is generated using a secure algorithm and is too long to be brute-forced.

“This also means that there is no way for them to provide a way to decrypt a victim’s files. Paying the ransom in this case will not bring you back your files. That’s one of the reasons we advise that victims never pay the ransom when hit by ransomware. Alas, the random ZIP password is generated with arc4random_uniform which is considered a secure random number generator. The key is also too long to brute force in a reasonable amount of time,” M.Léveillé explains.

Although not a masterpiece, the new macOS crypto-ransomware is effective enough to lock victims out of their files, and researchers say it could cause serious damage. It also shows that users downloading pirated software expose themselves to greater risks, especially when acquiring software through dubious channels. Users are advised to download software only from official websites, to keep it up to date at all times, and to install and maintain a security application on their machines.

