MacOS under Ransomware attack
Category : Blog
MacOS under Ransomware attack
MacOS under Ransomware attack. Crypto-ransomware is more popular nowadays and is more common amongst cybercriminals. Mostly it affects windows systems but also affected Linux or macOS in 2016 like KillDisk affecting Linux and KeRanger attacking OS X.
We have seen a new Ransomware campaign for Mac, last week. This new ransomware, written in Swift, is distributed via Bit Torrent sites, calls itself “Patcher”.
Torrent contains one zip file- application bundle where we two different fake application “Patchers” are present – one for Adobe Premiere Pro and one for Microsoft Office for Mac.
The application is poorly coded and it’s impossible to reopen the window if it is closed.
The application has the bundle identifier NULL.prova and is signed with a key that has not been signed by Apple.
$ codesign -dv “Office 2016 Patcher.app”
Executable=Office 2016 Patcher.app/Contents/MacOS/Office 2016 Patcher
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=507 flags=0x2(adhoc) hashes=11+3 location=embedded
Sealed Resources version=2 rules=12 files=14
Internal requirements count=0 size=12
The a window will open where you need to click the start button and the encryption process will start. It will copy a file called README.txt. Its content is shown later in the article.
The ransomware will generate a random 25-character string to use as the key to encrypt the files. The same key is used for all the files, which are enumerated with the find command line tool; the zip tool is then used to store the file in an encrypted archive.
Finally, the original file is deleted with rm and the encrypted file’s modified time is set to midnight, February 13th 2010 with the touch command. The reason for changing the file’s modified time is unclear. After the /Users directory is taken care of, it does the same thing to all mounted external and network storage found under /Volumes.
Once all the files are encrypted there is code to try to null all free space on the root partition with diskutil, but the path to the tool in the malware is wrong. It tries to execute /usr/bin/diskutil, however the path to diskutil in macOS is /usr/sbin/diskutil.
The instructions left for the victims in the README!.txt files are hardcoded inside the Filecoder, which means that the Bitcoin address and email address are always the same for every victim
NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ?All of your files were protected by a strong encryption method. What do I do ? So , there are two ways you can choose: wait for a miracle or start obtaining BITCOIN NOW! , and restore YOUR DATA the easy wayIf You have really valuable DATA, you better NOT WASTE YOUR TIME, because there is NO other way to get your files, except make a PAYMENT FOLLOW THESE STEPS:1) learn how to buy bitcoin https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)2)send 0.25 BTC to 1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb3)send your btc address and your ip (you can get your ip here https://www.whatismyip.com) via mail to firstname.lastname@example.org)leave your computer on and connected to the internet for the next 24 hours after payment, your files will be unlocked. (If you can not wait 24 hours make a payment of 0.45 BTC your files will be unlocked in max 10 minutes) KEEP IN MIND THAT YOUR DECRYPTION KEY WILL NOT BE STORED ON MY SERVER FOR MORE THAN 1 WEEK SINCE YOUR FILE GET CRYPTED,THEN THERE WON’T BE ANY METHOD TO RECOVER YOUR FILES, DON’T WASTE YOUR TIME!
There is one big problem with MacOS under Ransomware attack. It Does not have any code to communicate. This new crypto-ransomware, designed specifically for macOS. Unfortunately, it’s still effective enough to prevent the victims accessing their own files and could cause serious damage.
Most Popular Training Courses at Indian Cyber Security Solutions