Even though a first version was found in 2014, which was an unfinished piece of malware that encrypted only its own files (and even that only under specific system requirements), the first working version was found in the wild by ESET in 2017. The malware was distributed via BitTorrent and, to disguise its malicious intent, pretends to be a patcher for applications such as Adobe Premiere Pro or Microsoft Office for Mac. It only infects macOS 10.11 (El Capitan) and above; older versions are not affected. Upon execution, the malware generates a random 25-character string, which is used as the encryption key. The malware uses the zip command line tool to encrypt files with the 25-character string it generated.

We can see in the picture above how the malware executes the zip command with the -P option (password protected) to generate new files with a ".crypt" extension; right after that, the original file is deleted. The malware leaves a ransom note asking for 0.25 BTC, even though it does not communicate with a C&C, meaning the randomly generated password is never sent to the attacker; hence it will not be possible for the victim to decrypt his files, even if he pays the ransom. Below we can see the result of FileCoder ransomware after it encrypts the victim's files, leaving ransom notes that ask for 0.25 BTC to decrypt them:

Gopher is a POC ransomware for macOS published on GitHub and based on the "libsodium" crypto library. It was written by a researcher, and the idea behind Gopher, as the author wrote in the file, was to show how simple it is to write this kind of threat using a couple of lines of C code and an external crypto library. The malware uses two asymmetric key pairs: a master private/public key generated by the attacker, and a session private/public key generated on the infected machine. The master public key is used to encrypt the session private key that is sent to the attacker.

Looking for files to encrypt: it encrypts all DOCX files in the Documents folder in the user's home directory (of course those parameters can easily be changed in the code to encrypt other files). Usually an attacker will wait until a victim pays the ransom before extracting the decryption key and sending it to the victim so that he can decrypt his files.
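The FileCoder behaviour described above (zip -P with a freshly generated password, a ".crypt" output, then deletion of the original) leaves a very recognisable trail in process-execution auditing. The following added example, not code from the original article, runs a detection over constructed JSON-lines audit records; it assumes the audit source records the full argv of each command, in which case the per-run password is also captured because zip receives it on the command line. Record format, paths and the parent pids are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed process-audit records (JSON lines), one per executed command.
# Parent pid 420 plays the fake patcher; parent pid 300 is a benign backup job.
PASSWORD = "q7Lw2xP0mZ8vR3kT1yH5nB9cD"  # constructed 25-character key, as FileCoder generates
SAMPLE_LOG = "\n".join([
    json.dumps({"ts": 100, "ppid": 420, "argv": ["zip", "-P", PASSWORD,
        "/Users/alice/Documents/report.docx.crypt", "/Users/alice/Documents/report.docx"]}),
    json.dumps({"ts": 101, "ppid": 420, "argv": ["rm", "/Users/alice/Documents/report.docx"]}),
    json.dumps({"ts": 102, "ppid": 420, "argv": ["zip", "-P", PASSWORD,
        "/Users/alice/Documents/notes.docx.crypt", "/Users/alice/Documents/notes.docx"]}),
    json.dumps({"ts": 150, "ppid": 300, "argv": ["zip", "-r", "/tmp/backup.zip", "/Users/alice/Projects"]}),
    json.dumps({"ts": 151, "ppid": 300, "argv": ["zip", "-P", "hunter2", "/tmp/out.zip", "/tmp/a.txt"]}),
])

def parse_zip_p(argv):
    """Return (password, archive, source) for 'zip -P <pw> <archive> <src>', else None."""
    if not argv or argv[0] != "zip" or "-P" not in argv:
        return None
    rest = argv[argv.index("-P") + 1:]
    if len(rest) < 3:
        return None
    return rest[0], rest[1], rest[2]

def detect_filecoder(log_text):
    """Flag zip -P runs that write a '.crypt' archive and note whether the source was then removed.

    Keyed by source path; the captured password is kept because it is what a
    responder needs to recover the files, since FileCoder never exfiltrates it."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        argv = ev["argv"]
        parsed = parse_zip_p(argv)
        if parsed and parsed[1].endswith(".crypt"):
            pw, archive, src = parsed
            findings[src] = {"ppid": ev["ppid"], "archive": archive, "password": pw, "deleted": False}
        elif argv and argv[0] == "rm":
            for path in argv[1:]:
                if path in findings:
                    findings[path]["deleted"] = True
    return findings

def offenders(findings, min_files=2):
    """Parent processes that drove at least min_files such encryptions (the patcher, not a one-off zip)."""
    per_parent = defaultdict(int)
    for f in findings.values():
        per_parent[f["ppid"]] += 1
    return {p for p, n in per_parent.items() if n >= min_files}
```

Because the password never leaves the machine, a captured argv is the only realistic recovery path; the same logic is cheap to run as a continuous rule on macOS process-audit telemetry.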