{
	"id": "da822acd-1011-48fe-82e9-3d56931c79ea",
	"created_at": "2026-04-06T00:16:38.742334Z",
	"updated_at": "2026-04-10T03:20:50.592272Z",
	"deleted_at": null,
	"sha1_hash": "85f5eba13f3a7c4d0cea8ef9b6e8b4f66108e406",
	"title": "New crypto-ransomware hits macOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2566820,
	"plain_text": "New crypto-ransomware hits macOS\r\nBy Marc-Etienne M.Léveillé\r\nArchived: 2026-04-05 19:03:03 UTC\r\nRansomware\r\nThis last month we have seen a new ransomware for Mac. Written in Swift, it is distributed on BitTorrent\r\ndistribution site as “Patcher” for pirating popular software.\r\n22 Feb 2017  •  , 5 min. read\r\nCrypto-ransomware has been very popular lately amongst cybercriminals. While most of it targets the Windows\r\ndesktop, we’ve also seen machines running Linux or macOS being compromised by ransomware in 2016 with, for\r\nexample, KillDisk affecting Linux and KeRanger attacking OS X.\r\nEarly last week, we have seen a new ransomware campaign for Mac. This new ransomware, written in Swift, is\r\ndistributed via BitTorrent distribution sites and calls itself “Patcher”, ostensibly an application for pirating popular\r\nsoftware.\r\nDistribution\r\nhttp://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/\r\nPage 1 of 7\n\nFigure 1 - BitTorrent site distributing Torrent files containing OSX/Filecoder.E\r\nThe Torrent contains a single ZIP file – an application bundle. We saw two different fake application “Patchers”:\r\none for Adobe Premiere Pro and one for Microsoft Office for Mac. Mind you, our search was not exhaustive; there\r\nmight be more out there.\r\nhttp://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/\r\nPage 2 of 7\n\nFigure 2 - Icons of the \"Patchers\" as seen in Finder\r\nThe application is generally poorly coded. The window has a transparent background, which can be quite\r\ndistracting or confusing (see Figure3), and it’s impossible to reopen the window if it is closed.\r\nThe application has the bundle identifier NULL.prova and is signed with a key that has not been signed by Apple.\r\n$ codesign -dv \"Office 2016 Patcher.app\"\r\nExecutable=Office 2016 Patcher.app/Contents/MacOS/Office 2016 Patcher\r\nIdentifier=NULL.prova\r\nFormat=app bundle with Mach-O thin (x86_64)\r\nCodeDirectory v=20100 size=507 flags=0x2(adhoc) hashes=11+3 location=embedded\r\nSignature=adhoc\r\nInfo.plist entries=22\r\nTeamIdentifier=not set\r\nSealed Resources version=2 rules=12 files=14\r\nInternal requirements count=0 size=12\r\nhttp://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/\r\nPage 3 of 7\n\nFigure 3 - The main window of the ransomware\r\nFile encryption process\r\nClicking the start button – shown in Figure 3 – launches the encryption process. It copies a file called\r\nREADME!.txt all around the user’s directories such as “Documents” and “Photos”. Its content is shown later in\r\nthe article.\r\nThen the ransomware generates a random 25-character string to use as the key to encrypt the files. The same key\r\nis used for all the files, which are enumerated with the find command line tool; the zip tool is then used to store\r\nthe file in an encrypted archive.\r\nFinally, the original file is deleted with rm and the encrypted file's modified time is set to midnight, February 13th\r\n2010 with the touch command. The reason for changing the file's modified time is unclear. After the /Users\r\ndirectory is taken care of, it does the same thing to all mounted external and network storage found under\r\n/Volumes.\r\nOnce all the files are encrypted there is code to try to null all free space on the root partition with diskutil, but the\r\npath to the tool in the malware is wrong. It tries to execute /usr/bin/diskutil, however the path to diskutil in macOS\r\nhttp://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/\r\nPage 4 of 7\n\nis /usr/sbin/diskutil.\r\nFigure 4 - Encrypted document and README!.txt as they appear in Finder\r\nThe instructions left for the victims in the README!.txt files are hardcoded inside the Filecoder, which means\r\nthat the Bitcoin address and email address are always the same for every victim running the same sample. The\r\nmessage and contact details were the same in both samples we analyzed.\r\nNOT YOUR LANGUAGE? USE https://translate.google.com\r\nWhat happened to your files ?\r\nAll of your files were protected by a strong encryption method.\r\nWhat do I do ?\r\nSo , there are two ways you can choose: wait for a miracle or start obtaining BITCOIN NOW! , and restore YOUR DA\r\nIf You have really valuable DATA, you better NOT WASTE YOUR TIME, because there is NO other way to get your file\r\nFOLLOW THESE STEPS:\r\n1) learn how to buy bitcoin https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)\r\n2)send 0.25 BTC to 1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb\r\n3)send your btc address and your ip (you can get your ip here https://www.whatismyip.com) via mail to rihofoj@ma\r\n4)leave your computer on and connected to the internet for the next 24 hours after payment, your files will be u\r\nhttp://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/\r\nPage 5 of 7\n\nKEEP IN MIND THAT YOUR DECRYPTION KEY WILL NOT BE STORED ON MY SERVER FOR MORE THAN 1 WEEK SINCE YOUR FILE GET C\r\nSo far, there is no transaction related to the Bitcoin wallet. Which mean the authors have not made a dime from\r\nthis ransomware. Hopefully this post will raise awareness and keep the wallet’s balance at zero.\r\nNo decryption possible, even from the author\r\nThere is one big problem with this ransomware: it doesn’t have any code to communicate with any C\u0026C server.\r\nThis means that there is no way the key that was used to encrypt the files can be sent to the malware operators.\r\nThis also means that there is no way for them to provide a way to decrypt a victim’s files. Paying the ransom in\r\nthis case will not bring you back your files. That’s one of the reasons we advise that victims never pay the ransom\r\nwhen hit by ransomware.\r\nAlas, the random ZIP password is generated with arc4random_uniform which is considered a secure random\r\nnumber generator. The key is also too long to brute force in a reasonable amount of time.\r\nPublic inbox\r\nInterestingly, the email address is an address provided by Mailinator. Mailinator provides a free inbox to anyone\r\nwithout requiring them to register or authenticate. This means it is possible to see the inbox used to communicate\r\nwith the malware author. We’ve been monitoring this inbox for the last week and didn’t see any messages.\r\nHowever, it’s possible the messages get deleted really fast and we simply missed them.\r\nConclusion\r\nThis new crypto-ransomware, designed specifically for macOS, is surely not a masterpiece. Unfortunately, it’s still\r\neffective enough to prevent the victims accessing their own files and could cause serious damage.\r\nThere is an increased risk when downloading pirated software that someone is using a dubious channel for\r\nacquiring software in order to make you execute malware. ESET recommends that you have a security product\r\ninstalled but the most important precaution in case you encounter crypto-ransomware is to have a current, offline,\r\nbackup of all your important data.\r\nESET products detect this threat as OSX/Filecoder.E.\r\nSamples\r\nSHA-1 Filename Type\r\nESET detection\r\nname\r\n1b7380d283ceebcabb683464ba0bb6dd73d6e886\r\nOffice 2016\r\nPatcher.zip\r\nZIP of\r\nApp\r\nbundle\r\nOSX/Filecoder.E\r\nhttp://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/\r\nPage 6 of 7\n\nSHA-1 Filename Type\r\nESET detection\r\nname\r\na91a529f89b1ab8792c345f823e101b55d656a08\r\nAdobe Premiere Pro\r\nCC 2017 Patcher.zip\r\nZIP of\r\nApp\r\nbundle\r\nOSX/Filecoder.E\r\ne55fe159e6e3a8459e9363401fcc864335fee321 Office 2016 Patcher Mach-O OSX/Filecoder.E\r\n3820b23c1057f8c3522c47737f25183a3c15e4db\r\nAdobe Premiere Pro\r\nCC 2017 Patcher\r\nMach-O OSX/Filecoder.E\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nSource: http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/\r\nhttp://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/"
	],
	"report_names": [
		"new-crypto-ransomware-hits-macos"
	],
	"threat_actors": [],
	"ts_created_at": 1775434598,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85f5eba13f3a7c4d0cea8ef9b6e8b4f66108e406.pdf",
		"text": "https://archive.orkl.eu/85f5eba13f3a7c4d0cea8ef9b6e8b4f66108e406.txt",
		"img": "https://archive.orkl.eu/85f5eba13f3a7c4d0cea8ef9b6e8b4f66108e406.jpg"
	}
}