
FileCoder macOS Ransomware

Cybercriminals are constantly developing new ways to exploit unsuspecting users, and ransomware remains one of the most damaging threats. Among macOS users, the FileCoder ransomware, also known as Patcher or Findzip, is a notorious example. Once activated, it encrypts your personal files and demands payment for their release. Unfortunately, FileCoder's poor coding means that even paying won't restore your data, making strong prevention strategies essential.

What Is FileCoder Ransomware?

FileCoder is a file-encrypting ransomware targeting macOS systems. It often disguises itself as a patching tool for popular software such as Adobe Premiere Pro CC and Microsoft Office 2016. Researchers first observed it spreading through BitTorrent platforms, making users seeking pirated software its primary victims.

The malware primarily affects systems running OS X 10.11.x (El Capitan) and macOS 10.12.x, though older and newer versions can also be impacted. Its executable is not signed by Apple, which should serve as a red flag for cautious users.

How Does FileCoder Infect Devices?

The infection process starts when users download what appears to be a 'patcher' or 'cracker' for premium software from torrent sites. Once launched, the fake patcher displays a progress window with three steps, but this is merely a distraction. The encryption process begins immediately after the user clicks 'START.' By the time the interface displays step 2/3, the damage is already done.

FileCoder encrypts everything in the Users folder, leaving system and application files untouched. External drives and network volumes connected at the time of execution are also targeted. The malware generates a 25-character random encryption key locally and deletes original files using the rm command. It even attempts to wipe free space with diskutil, but fails due to an incorrect file path, an error that provides a slim chance for partial data recovery.

What Happens After Encryption?

Once encryption is complete, the user's desktop fills with ransom notes such as README.txt and DECRYPT!.txt. Victims are instructed to pay $280 in Bitcoin to unlock their files within 24 hours or $500 for faster decryption. However, this demand is deceptive because FileCoder has no capability to communicate with a command-and-control server or send a decryption key. In other words, paying the ransom will not restore access to your files.

Additionally, the ransomware changes the modification date of encrypted files to February 13, 2010 for unknown reasons. A system reboot presents a 'Sign in to iCloud' screen, as user preferences and settings are encrypted along with the data.
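The artefacts described in the last two sections (ransom notes named README.txt and DECRYPT!.txt on the Desktop, and files whose modification date was rewound to February 13, 2010) are enough to build a quick triage check. The Python script below is an added example, not code from the original write-up or from any vendor: it walks a directory tree, flags ransom notes by name plus a content marker taken from the note reproduced at the end of this page (a project README that merely shares the file name is not flagged), and lists files carrying the 2010 timestamp anomaly. The sample tree it scans is constructed inline so it runs offline; point `triage()` at a real home folder to use it for incident triage.

```python
"""Triage a directory tree for FileCoder (Patcher/Findzip) artefacts described
in the write-up: ransom notes and files with the 13 Feb 2010 mtime sentinel.
Added example; not the original page's code."""
import datetime
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up and the ransom note it reproduces.
NOTE_NAMES = {"README.txt", "DECRYPT!.txt"}
NOTE_MARKERS = (
    "1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb",   # bitcoin address in the note
    "rihofoj@mailinator.com",               # contact address in the note
    "start obtaining BITCOIN NOW",          # distinctive phrase in the note
)
# FileCoder sets the mtime of encrypted files to 13 Feb 2010; compare the
# local calendar date, which is how the anomaly shows up in Finder.
ANOMALY_DATE = datetime.date(2010, 2, 13)


def is_ransom_note(path: Path) -> bool:
    """True when a file has a note's name AND at least one content marker."""
    if path.name not in NOTE_NAMES:
        return False
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def has_anomalous_mtime(path: Path) -> bool:
    """True when the file's modification date is the 13 Feb 2010 sentinel."""
    mtime = datetime.datetime.fromtimestamp(path.stat().st_mtime)
    return mtime.date() == ANOMALY_DATE


def triage(root: Path) -> dict:
    """Walk `root`; return ransom notes and mtime-anomalous files found."""
    notes, anomalous = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_ransom_note(p):
                notes.append(p)
            if has_anomalous_mtime(p):
                anomalous.append(p)
    return {"ransom_notes": sorted(notes), "anomalous_mtime": sorted(anomalous)}


def build_sample_tree(base: Path) -> None:
    """Constructed fixture mimicking a hit home folder (sample data, not real)."""
    for sub in ("Desktop", "Documents", "Projects"):
        (base / sub).mkdir()
    # Ransom note on the Desktop, carrying the real note's marker strings.
    (base / "Desktop" / "README.txt").write_text(
        "So , there are two ways you can choose: wait for a miracle or "
        "start obtaining BITCOIN NOW! send 0.25 BTC to "
        "1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb\n")
    # A project README that only shares the file name: must not be flagged.
    (base / "Projects" / "README.txt").write_text("Build with make; run ./app\n")
    # An encrypted document whose mtime the malware rewound to 13 Feb 2010.
    doc = base / "Documents" / "thesis.docx"
    doc.write_bytes(b"\x00" * 32)
    sentinel = datetime.datetime(2010, 2, 13, 12, 0).timestamp()
    os.utime(doc, (sentinel, sentinel))
    # An untouched file with today's mtime.
    (base / "Documents" / "notes.txt").write_text("nothing to see\n")


def run_demo() -> dict:
    """Build the fixture in a temp dir and return relative paths of the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        hits = triage(base)
        return {k: [str(p.relative_to(base)) for p in v] for k, v in hits.items()}


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

The name-plus-marker rule for notes keeps false positives down on ordinary README.txt files, while the date check catches encrypted files regardless of name, so the two lists together give a first estimate of what was touched before any recovery attempt starts.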

Weaknesses and Recovery Options

Despite its destructive potential, FileCoder contains several flaws:

  • It encrypts files slowly, taking about 30 seconds for a 250 MB video file. Quick action can halt encryption.
  • Quitting the application mid-process stops further file encryption.
  • The incorrect diskutil path prevents a complete secure wipe of free space, leaving a window for partial recovery with tools such as Data Rescue.

Researchers have also developed a method to decrypt FileCoder-encrypted files. This process is tedious and requires technical knowledge, but it offers a last resort for victims.

To attempt file recovery, victims need several resources: a second working computer, an unencrypted copy of at least one of the encrypted files, a reliable text editor, the Xcode command-line tools, and pkcrack, a utility that performs a known-plaintext attack on ZIP file encryption.

However, having an original, unencrypted version of a file isn't always mandatory. If no such file is available, users might leverage the ransomware against itself. In cases where the FileCoder app was executed from within the user folder, such as the Downloads directory, the malware likely encrypted its own executable. Victims can download a fresh copy of the infected application to assist in the decryption process.

Researchers caution that this method is slow and labor-intensive, as bulk decryption is not possible. Nonetheless, for those determined to regain access to their data, this approach provides a viable last resort.

Proven Security Practices to Prevent Infection

Preventing ransomware infections like FileCoder is far easier than recovering from them. Follow these security measures to safeguard your system:

1. Safe Computing Habits

  • Avoid downloading software or patches from torrent sites or other unverified sources.
  • Always check application signatures and only install apps from trusted developers or the official Mac App Store.
  • Stay informed about the latest threats and security advisories.

2. Strong System Protection

  • Enable a reputable anti-malware solution and keep it updated.
  • Regularly back up important files using Time Machine or a cloud-based backup service. Store backups offline or in a secure location not constantly connected to your system.
  • Keep macOS and all installed software up to date with the latest security patches.
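The advice to check application signatures before installing is the one control that would have stopped this particular sample, since its executable carries no Apple-issued signature. The Python helper below is an added example (not from the original page or any vendor) that wraps Apple's own `codesign -dv --verbose=4` and `spctl --assess --type execute --verbose` commands and reduces their output to a trust verdict: signed with a certificate chain ending in Apple Root CA, and accepted by Gatekeeper. The tool outputs embedded for the demo are constructed samples in the format those tools print; the app paths and the team identifier are placeholders. `assess()` only works on macOS, where the real tools exist.

```python
"""Pre-install trust check for a downloaded macOS app, driven by Apple's
codesign and spctl utilities.  Added example; not the page's own code.
The SAMPLE_* strings are constructed to mirror the tools' output format."""
import shutil
import subprocess
import sys
from dataclasses import dataclass, field


@dataclass
class Verdict:
    signed: bool = False            # has a certificate chain (ad hoc counts as unsigned)
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)
    gatekeeper_accepted: bool = False
    gatekeeper_source: str = ""

    @property
    def trusted(self) -> bool:
        """Trust only code that is signed, chains to Apple and passes Gatekeeper."""
        return (self.signed
                and any(a == "Apple Root CA" for a in self.authorities)
                and self.gatekeeper_accepted)


def parse_codesign(output: str, verdict: Verdict) -> Verdict:
    """Parse `codesign -dv --verbose=4` output (the tool writes it to stderr)."""
    if "not signed at all" in output:
        verdict.signed = False
        return verdict
    for line in output.splitlines():
        key, _, value = line.partition("=")
        if key == "Identifier":
            verdict.identifier = value
        elif key == "TeamIdentifier":
            verdict.team_id = value
        elif key == "Authority":
            verdict.authorities.append(value)
    verdict.signed = bool(verdict.authorities)
    return verdict


def parse_spctl(output: str, verdict: Verdict) -> Verdict:
    """Parse `spctl --assess --type execute --verbose` output."""
    for line in output.splitlines():
        if line.endswith(": accepted"):
            verdict.gatekeeper_accepted = True
        elif line.endswith(": rejected"):
            verdict.gatekeeper_accepted = False
        elif line.startswith("source="):
            verdict.gatekeeper_source = line[len("source="):]
    return verdict


def assess(path: str) -> Verdict:
    """Run the real tools against `path`; only meaningful on macOS."""
    if sys.platform != "darwin" or not shutil.which("codesign"):
        raise RuntimeError("codesign/spctl are only available on macOS")
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                        capture_output=True, text=True)
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "--verbose", path],
                        capture_output=True, text=True)
    verdict = parse_codesign(cs.stderr + cs.stdout, Verdict())
    return parse_spctl(sp.stderr + sp.stdout, verdict)


# Constructed sample outputs (placeholder paths and team ID), not real captures.
SAMPLE_CODESIGN_SIGNED = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (arm64)
Authority=Developer ID Application: Example Corp (EXAMPLE123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE123
"""
SAMPLE_CODESIGN_UNSIGNED = "/Users/me/Downloads/Patcher.app: code object is not signed at all\n"
SAMPLE_SPCTL_ACCEPTED = "/Applications/Example.app: accepted\nsource=Notarized Developer ID\n"
SAMPLE_SPCTL_REJECTED = "/Users/me/Downloads/Patcher.app: rejected\nsource=no usable signature\n"


def demo() -> dict:
    """Evaluate the constructed samples: a properly signed app and a fake patcher."""
    good = parse_spctl(SAMPLE_SPCTL_ACCEPTED, parse_codesign(SAMPLE_CODESIGN_SIGNED, Verdict()))
    bad = parse_spctl(SAMPLE_SPCTL_REJECTED, parse_codesign(SAMPLE_CODESIGN_UNSIGNED, Verdict()))
    return {"signed_app": good.trusted, "fake_patcher": bad.trusted,
            "signed_team": good.team_id, "fake_source": bad.gatekeeper_source}


if __name__ == "__main__":
    print(demo())
```

An ad hoc signature produces no Authority lines, so it is treated as unsigned here; that is deliberate, because a self-signed or ad hoc patcher gives no more assurance about its origin than an unsigned one.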

By combining these practices, you significantly reduce your exposure to ransomware threats and ensure that even in worst-case scenarios, your data remains safe and recoverable.

Messages

The following messages associated with FileCoder macOS Ransomware were found:

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption method.

What do I do ?

So , there are two ways you can choose: wait for a miracle or start obtaining BITCOIN NOW! , and restore YOUR DATA the easy way
If You have really valuable DATA, you better NOT WASTE YOUR TIME, because there is NO other way to get your files, except make a PAYMENT

FOLLOW THESE STEPS:
1) learn how to buy bitcoin https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)
2)send 0.25 BTC to 1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb
3)send your btc address and your ip (you can get your ip here https://www.whatismyip.com) via mail to rihofoj@mailinator.com
4)leave your computer on and connected to the internet for the next 24 hours after payment, your files will be unlocked. (If you can not wait 24 hours make a payment of 0.45 BTC your files will be unlocked in max 10 minutes)

KEEP IN MIND THAT YOUR DECRYPTION KEY WILL NOT BE STORED ON MY SERVER FOR MORE THAN 1 WEEK SINCE YOUR FILE GET CRYPTED,THEN THERE WON’T BE ANY METHOD TO RECOVER YOUR FILES, DON’T WASTE YOUR TIME!
