Good news for macOS users who were infected by the FindZip ransomware, now a decryption tool was released online for free.
The FindZip macOS ransomware was spotted last month by researchers at ESET, it is tracked as OSX/Filecoder.E.
The ransomware, written in Swift, was distributed via BitTorrent distribution sites and calls itself “Patcher”, ostensibly an application for pirating popular software.
The first release was not complete, the victims were not able to recover their files, even if they pay the ransom.
For this reason, security experts were inviting victims of the ransomware to avoid paying the ransom.
Due to coding errors, the malicious code was destroying the encryption key before sending them to the command and control server.
FindZip was born after an update to Apple’s XProtect signatures started calling it FindZip soon after. The new threat masquerades itself as cracks for Adobe Premier Pro and Microsoft Office, and also feature signed certificates.
The number of ransomware developed to target macOS user is low, FindZip is the second strain of malware designed with this purpose.
The excellent news is that victims of the FindZip macOS ransomware now have the opportunity to recover their files for free thanks to the experts at the security firms Malwarebytes and Avast.
A couple of weeks ago, experts from Malwarebytes Labs researchers published the instructions to restore data encrypted by the FindZip macOS ransomware.
The procedure uses the following elements:
The process also requires a second account on the infected.
The process has been automated later by experts from Avast who developed the FindZip decryption tool. Victims can decrypt their files on either a Mac or a Windows machine by using the tool.
“MalwareByte already published a technical analysis of FindZip, as well as a description of the decryption process. However, because the instructions described by MalwareBytes may be complicated for some, we created a more user friendly decryption application.” reads a blog post published by AVAST.
“The FindZip decryption tool is available on our free ransomware decryption tools page, along with all of our ransomware decryption tools.”
The tool was successfully tested on macOS 10.10 (Yosemite) and macOS 10.12 (Sierra).
Victims that decide to copy the encrypted files from their infected Mac to a Windows system, using the Avast decryptor should be straightforward and they don’t need to install any other software.
The researchers explained that on Mac or Linux, the users need an emulation layer for Windows and the tool works with CrossOver and Wine. The researchers at Avast confirms that other emulation programs might work as well.
Victims have to install a windowing system for Mac, such as XQuartz, which allows the execution of Wine for Mac.
“Important note: If you already had Wine installed prior to being infected with the ransomware, the entire Wine configuration is probably encrypted. In that case, you need to delete the folder \Users\<YourUserName>\.wine before running the decryptor application.” continues the post.
Enjoy the tool!
(Security Affairs – FindZip macOS ransomware, malware)