New Mac Ransomware Leaves Your Files Permanently Encrypted

Malwarebytes discovered Fruitfly malware for Macs

Mac users hoping to score Adobe Premiere Pro CC and Microsoft Office for free through BitTorrent sites are in for an ugly surprise thanks to a new ransomware making the rounds. The ransomware, called OSX/Filecoder.E, encrypts the contents of victims’ hard drives and demands payment in Bitcoin, but there isn’t any way to actually decrypt and recover the files.

WeLiveSecurity warns of new Mac ransomware that permanently encrypts your files

OSX/Filecoder.E poses as a tool to crack the copy protection for Premiere Pro or Office. When run, it encrypts the victim’s /Users directory in a ZIP archive and saves a Read Me file with instructions on where to send Bitcoin to decrypt the files. The malware targets all the files on connected drives, too, which means your local backups could be ruined.

As if locking someone out of their files and demanding money isn’t bad enough, the coders behind OSX/Filecoder.E didn’t include a way to send the randomly generated encryption key to their servers. That means once the malware encrypts your files there isn’t any way to recover them, even after paying the ransom. The hackers literally have no way to decrypt your files.

WeLiveSecurity’s Marc-Etienne M.Léveillé said,

There is one big problem with this ransomware: it doesn’t have any code to communicate with any C&C server. This means that there is no way the key that was used to encrypt the files can be sent to the malware operators.

This also means that there is no way for them to provide a way to decrypt a victim’s files. Paying the ransom in this case will not bring you back your files. That’s one of the reasons we advise that victims never pay the ransom when hit by ransomware.

WeLiveSecurity analyzed the malware and said the sloppy work suggests the coder behind OSX/Filecoder.E isn’t very experienced. And leaving out a way to store the random encryption key from victims’ Macs seems like a big oversight—or a vindictive move.

Protecting your Mac from this ransomware is pretty easy: don’t use apps to crack app serial numbers and activation codes. Downloading commercial apps from unauthorized sources, like file-sharing BitTorrent servers, is a great way to get stung, too. Regardless, OSX/Filecoder.E is a great reminder of why stealing software is a bad idea.
