New macOS Ransomware Patcher aka FileCoder

Since last year’s emergence of KeRanger, the first functional ransomware for macOS, it seemed only a matter of time before more threats of that type appeared. Security researchers recently found the newest attempt at ransomware for the Mac out in the wild. Masquerading as a “cracker” to bypass copy protection on software e.g. Microsoft Office for Mac or Adobe Premiere, the attackers have simply uploaded the disguised payload to several torrent sites. The researchers noted that though they only encountered two variants, more may still exist or be released.

The authors of this ransomware, dubbed Patcher (or FileCoder), do not seem especially strong in their programming skills; for example, there are many serious flaws in the malware’s code, such as the inability to reopen the Patcher window once closed. However, those who have pirated software in the past are no strangers to poorly produced cracking utilities. What happens if you run the program thinking it will unlock software for you?

Upon execution, the malware creates a string of 25 random characters which it uses as an encryption key to lock down all of your files. The program also attempts to attack unused space on the disk, but the authors did not include the correct code. After encryption completes, the only usable file that remains is a single text document containing instructions on how to pay a Bitcoin ransom in exchange for decryption; an express option for a higher price is even available.

So far, this all sounds like standard ransomware practice. However, whether by design or through negligence, there is a critical problem with Patcher: it contains no code for communicating outside of the user’s machine. It cannot “phone home” to a command and control server or make contact with the malware author. In other words, even if a user pays the ransom, nothing happens — their data remains locked behind an unbreakable wall forever.

The disruption such ransomware could cause to Mac users is severe. However, so far, it seems no one has taken the bait — both the Bitcoin wallet and email account associated with the ransomware remain dormant. Nonetheless, the risk posed by ransomware so poorly made that it effectively obliterates your files is substantial. Users should not only avoid downloading and running unknown and unsigned software from the web, but also look critically at all software they run and ensure they have proper anti-malware protection in place. After KeRanger and now Patcher/FileCoder, it’s safe to say the ransomware threat is on the rise.