Victims of Filecoder ransomware for macOS can now decrypt their files

Last week, researchers discovered and analyzed a new piece of ransomware targeting a specific subset of Mac users: those who are looking for ways to crack legal copies of some very pricy software.


Filecoder, aka Findzip, was found to be relatively effective at encrypting victims’ files, but unfortunately it doesn’t send the encryption key to the crook, and the crook can’t provide a decryption tool even if the ransom is paid.

It seemed that those unfortunate souls who fell for the trick, got their files encrypted, and had no backup copies were destined to say goodbye to them forever.

But, as it turns out, it isn’t so, as Malwarebytes researchers have come up with a way to decrypt them.

The process of gathering the information the decryption needs is quite long and requires a little technical know-how, but it can be carried out by anyone who can follow instructions and isn’t afraid of making a mistake.

Victims will need another working computer, an unencrypted copy of at least one of the encrypted files, and a good text editor. They will also have to install the Xcode command-line tools and download and compile pkcrack, a software implementation of a known-plaintext attack on ZIP file encryption.

But even having an unencrypted version of an encrypted file is not strictly required in some cases.

“If you can’t find such a file, you may be able to use the malicious Findzip app against itself. If you ran the app from somewhere in your user folder – like your Downloads folder – then the app will have (amusingly) encrypted itself. In this case, you can simply download a fresh copy of the app,” Thomas Reed, Director of Mac Offerings and lead Mac malware expert at Malwarebytes, noted.

He also pointed out that recovering a large number of files in this manner will take a long time and will be tedious, as the encrypted files can’t be decrypted in bulk. Still, those who are desperate to recover their documents will welcome this chance.
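A known-plaintext attack of the kind pkcrack implements only works if the unencrypted copy is byte-for-byte identical to what was archived, so the first thing worth doing is confirming that before spending hours on a recovery attempt. The script below is an added illustration, not code from Malwarebytes or from the Help Net Security article: it reads the CRC-32 and size fields that a ZIP archive stores in the clear for every entry (legacy ZIP encryption scrambles the file data, not these headers) and checks a candidate plaintext against them. The archive it inspects is a constructed, unencrypted sample built in memory; the comparison logic is the same for an encrypted archive, whose entries carry the `encrypted` flag and an extra 12 bytes of compressed size.

```python
import io
import zipfile
import zlib

# Constructed sample content standing in for a victim's original, unencrypted file.
ORIGINAL = b"Quarterly report, version 3. Revenue up 4 percent.\n" * 8


def build_sample_archive() -> bytes:
    """Build an in-memory ZIP (constructed sample) containing ORIGINAL as report.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", ORIGINAL)
    return buf.getvalue()


def entry_metadata(zip_bytes: bytes) -> dict:
    """Return the clear-text header fields for each entry.

    CRC-32, uncompressed size, compressed size and the encryption flag live in the
    central directory and can be read without any password.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {
            info.filename: {
                "crc": info.CRC,
                "size": info.file_size,
                "csize": info.compress_size,
                "method": info.compress_type,
                "encrypted": bool(info.flag_bits & 0x1),
            }
            for info in zf.infolist()
        }


def matches_known_plaintext(meta: dict, candidate: bytes) -> bool:
    """True if candidate has exactly the length and CRC-32 the archive recorded.

    A single changed byte (a later edit, a different file version) makes the CRC
    differ, and then the candidate is useless as known plaintext.
    """
    return (
        len(candidate) == meta["size"]
        and (zlib.crc32(candidate) & 0xFFFFFFFF) == meta["crc"]
    )


def compressed_size_matches(meta: dict, candidate: bytes) -> bool:
    """Heuristic second check: re-deflate the candidate with default zlib settings
    and compare against the stored compressed size (minus the 12-byte header that
    legacy ZIP encryption prepends). A mismatch usually means the archive was
    produced with different compressor settings, which pkcrack also cares about.
    """
    if meta["method"] != zipfile.ZIP_DEFLATED:
        return False
    comp = zlib.compressobj(zlib.Z_DEFAULT_COMPRESSION, zlib.DEFLATED, -15)
    deflated = comp.compress(candidate) + comp.flush()
    expected = meta["csize"] - (12 if meta["encrypted"] else 0)
    return len(deflated) == expected


if __name__ == "__main__":
    meta = entry_metadata(build_sample_archive())["report.txt"]
    print("original matches:", matches_known_plaintext(meta, ORIGINAL))
    edited = ORIGINAL.replace(b"version 3", b"version 4")
    print("edited copy matches:", matches_known_plaintext(meta, edited))
    print("compressed size consistent:", compressed_size_matches(meta, ORIGINAL))
```

Run the CRC check against every candidate copy you have (backups, e-mail attachments, a freshly downloaded copy of the malicious app, as the article suggests) and only feed pkcrack one that passes; the compressed-size check is a weaker hint, since it assumes the same deflate settings the archive was created with.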

“We suspect that the number of people infected is low, but not zero,” Reed commented for Help Net Security.

“We are not aware of any specific victims, but they may be reluctant to come forward, given the activity they were engaged in when they would have gotten infected (i.e., software piracy). That also might make them reluctant to trust the hacker with payment, which would explain the current lack of payment transactions.”
