A new strain of ransomware for macOS has recently been discovered, which disguises itself as a crack for popular software.
Dubbed 'Patcher,' the malware is distributed via torrent and warez websites. It endorses itself as a license patcher for Adobe Premiere Pro, as well as Microsoft Office for Mac, among others.
According to cybersecurity firm ESET, the ransomware is very poorly coded. Once the files in question are executed, a window with no background will pop up. If the user decides to close it and try to launch the program for a second time, it will ultimately refuse to open.
While it is stated in the program that clicking "Start" will patch the respective software, it will do no such thing. Hitting the button will start Patcher's encryption process, which will generate a 25-character encryption key which will be used to lock the victim's files.
Patcher will append a .crypt extension to all files affected, so a file like "image.jpg" will be renamed to "image.jpg.crypt." Once the encryption process is done, it will drop a README file, which demands the user to pay 0.25 bitcoin, which is equal to roughly $283. Lastly, for some reason, the malware also changes the last modified date of all encrypted files to February 13, 2010.
Despite its demands, ESET found that Patcher does not upload the encryption key to a specific Command & Control (C&C) server, meaning the ransomware creator has no way of decrypting the infected files, even if a payment is made. It is also impossible to make a brute force attack due to the length of the encryption key.
Interestingly, it was discovered that the ransomware creator uses an email system called Mailinator, which does not require its users to authenticate or register an account. This makes it possible to see the inbox used to communicate with the author in public.
Whether we're on Windows, macOS, or even Linux, it is important to have a regular backup of our files. This is to be able to protect ourselves from ransomware attacks, as there isn't always an assurance of decrypting infected files. Also, it is best to be careful of what we download, especially if they are too good to be true.
Source: ESET via Bleeping Computer
26 Comments - Add comment