Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New “Filecoder” macOS Ransomware Surfaces

New Filecoder macOS Ransomware is Poorly Coded, Destructive

New Filecoder macOS Ransomware is Poorly Coded, Destructive

A newly discovered ransomware targeting macOS destroys encryption keys before sending them to its apparently inexperienced developer, ESET researchers have discovered.

Dubbed Filecoder (OSX/Filecoder.E) and written in Apple’s Swift programming language, the threat is only the second ransomware family known to have ever hit macOS. The first fully functional such threat emerged in March last year as KeRanger, and was soon found to be a variant of the Linux ransomware known as Linux.Encoder.

Although file-encrypting ransomware targeting macOS is so rare, it can be really damaging, and OSX/Filecoder.E proves that fully. The malware is distributed via BitTorrent distribution sites masquerading as an application for pirating popular software such as Adobe Premiere Pro and Microsoft Office for Mac, ESET’s Marc-Etienne M.Léveillé explains.

The application, which has the bundle identifier NULL.prova, hasn’t been signed with a certificate issued by Apple, making its installation more difficult on newer operating system versions, where default security settings would prevent it from running. What’s more, the malicious app’s window has a transparent background that makes it confusing, and can’t be opened once closed.

Once the user runs the malicious program, it first copies a README!.txt file in user’s folders, then starts encrypting the files it finds on the machine. For that, it enumerates user’s files with the find command line tool, then uses a randomly generated 25-character string to encrypt all of the discovered files by placing each of them in an encrypted archive.

The malware also deletes the original files with rm, and modifies the encrypted files’ time to midnight, February 13th 2010, using the touch command. After encrypting files in the /Users directory, the malware starts searching for mounted external and network storage under /Volumes and repeats the process for files on them as well.

As soon as the process has been completed, the ransomware is supposed to null all free space on the root partition with diskutil, but the operation fails because the developer didn’t use the correct path to the tool in the malware’s code, M.Léveillé notes. While Filecoder.E tries to execute /usr/bin/diskutil, the actual path to the tool in macOS is /usr/sbin/diskutil.

The dropped README!.txt file functions as a ransom note, providing victims with instructions on how to pay to recover their files. Apparently, the malware uses the same Bitcoin address and email address for every victim running the same sample. However, the security researchers noticed that no payment was made until now, and say that no one tried to contact the malware developer via the provided email address (a public inbox that can be accessed without registering or authentication).

The main issue with the ransomware, researchers say, is that it doesn’t attempt to connect to a command and control server to transmit the encryption key before destroying it, meaning that the malware author can’t decrypt users’ files even after receiving payment. Furthermore, the key is generated using a secure algorithm and is too long to be brute forced.

“This also means that there is no way for them to provide a way to decrypt a victim’s files. Paying the ransom in this case will not bring you back your files. That’s one of the reasons we advise that victims never pay the ransom when hit by ransomware. Alas, the random ZIP password is generated with arc4random_uniform which is considered a secure random number generator. The key is also too long to brute force in a reasonable amount of time,” M.Léveillé explains.

Although not a masterpiece, the new macOS-targeting crypto-ransomware is effective enough to prevent the victims from accessing their files, and researchers say it could cause serious damage. The malware also proves that users downloading pirated software are exposed to greater risks, especially when using dubious channels for acquiring software. Users are advised to download software only from official websites, to keep their software up to date at all times, and to install and maintain a security application on their machines.

Related: Destructive KillDisk Malware Turns Into Ransomware

Related: New Tool Aims to Generically Detect Mac OS X Ransomware

Related: New OS X Ransomware Delivered via BitTorrent Client

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.