New Mac OS X Ransomware Spreads Through Pirate Sites

A new Mac OS X ransomware virus has been spotted by security researchers which is currently spreading among pirate download sites and BitTorrent trackers.

New Mac OS X Ransomware Revealed

Bad news for Mac OS X users: it appears that another piece of malware has been spotted. It is another ransomware threat, and it has already undergone an initial security analysis. The criminal developers behind it spread the virus as a counterfeit update or crack for the Adobe Premiere Pro and Microsoft Office applications. The bundled installers are not signed by the relevant vendors, so by default the files will not open as they usually do. The proper way to handle such downloads is to “quarantine” them, so that they can only be opened after the user has explicitly allowed it through a prompt. Most torrent clients, however, do not set the file flag needed for this quarantine to apply.

Upon execution the malware displays a strange, almost transparent window which reads “Press START to crack/patch Office 2016”. When the victim clicks on it the encryption process starts. All files in the home folders are processed, and the ransomware displays a message indicating that the relevant program (Adobe Premiere Pro or Microsoft Office) is being patched. After the process several ransom notes are created: README, HOW_TO_DECRYPT and DECRYPT. All of them contain the following message:

NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption method.
What do I do ?
So , there are two ways you can choose: wait for a miracle or start obtaining BITCOIN NOW! , and restore YOUR DATA the easy way
If You have really valuable DATA, you better NOT WASTE YOUR TIME, because there is NO other way to get your files, except make a PAYMENT
FOLLOW THESE STEPS:
1) learn how to buy bitcoin https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)
2)send 0.25 BTC to 1EZrvz1kL7SqfemkH3P1VMtomYZbfhznkb
3)send your btc address and your ip (you can get your ip here https://www.whatismyip.com) via mail to [email protected]
4)leave your computer on and connected to the internet for the next 24 hours after payment, your files will be unlocked. (If you can not wait 24 hours make a payment of 0.45 BTC your files will be unlocked in max 10 minutes)
KEEP IN MIND THAT YOUR DECRYPTION KEY WILL NOT BE STORED ON MY SERVER FOR MORE THAN 1 WEEK SINCE YOUR FILE GET CRYPTED,THEN THERE WON’T BE ANY METHOD TO RECOVER YOUR FILES, DON’T WASTE YOUR TIME!

As usual the criminals extort a ransom payment to restore access to the compromised files. The requested sum is 0.25 Bitcoin, which at the current exchange rate is about 300 US Dollars. The affected files are given the .crypt extension and are created using the zip command. However, the ransomware does not actually upload the private decryption key to a remote C&C server, which makes it impossible to restore the files even if the sum is paid. At this moment it is not certain whether the virus is able to reach Time Machine backups connected to the host computer or any network shares.
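The artifacts the article describes (files renamed with a .crypt extension and produced with the zip command, plus ransom notes named README, HOW_TO_DECRYPT and DECRYPT) are enough to build a simple defender-side triage scan. The following Python script is an added example, not code from the article or from the analysis it reports on. It assumes that a .crypt file written by the zip command starts with the standard zip local-file-header signature, that the ransom notes sit alongside the encrypted files, and that an ordinary project README can be told apart by checking for a sentence quoted from the note; the sample home directory it scans is constructed inline for the demonstration.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Ransom note file names quoted in the article.
RANSOM_NOTE_NAMES = {"README", "HOW_TO_DECRYPT", "DECRYPT"}
# Assumption: a .crypt file produced with the zip command starts with the
# standard zip local-file-header signature.
ZIP_MAGIC = b"PK\x03\x04"
# Sentence quoted from the ransom note in the article; used to tell a
# ransom note from an ordinary README.
NOTE_PHRASE = b"All of your files were protected by a strong encryption method"


def is_zip_payload(path: Path) -> bool:
    """Return True if the file begins with the zip signature."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ZIP_MAGIC
    except OSError:
        return False


def scan_for_artifacts(root: Path) -> dict:
    """Walk a home directory and collect indicators of this ransomware:
    .crypt files (split by whether they are zip archives) and ransom notes."""
    findings = {"crypt_zip": [], "crypt_other": [], "ransom_notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(".crypt"):
                key = "crypt_zip" if is_zip_payload(path) else "crypt_other"
                findings[key].append(path)
            elif name in RANSOM_NOTE_NAMES:
                try:
                    if NOTE_PHRASE in path.read_bytes():
                        findings["ransom_notes"].append(path)
                except OSError:
                    pass
    return findings


def verdict(findings: dict) -> str:
    """Combine the indicators into a coarse triage result."""
    crypt_count = len(findings["crypt_zip"]) + len(findings["crypt_other"])
    if findings["ransom_notes"] and crypt_count:
        return "likely-infected"
    if findings["ransom_notes"] or crypt_count:
        return "suspicious"
    return "clean"


def build_sample_tree() -> Path:
    """Constructed sample home directory mimicking the artifacts described."""
    root = Path(tempfile.mkdtemp(prefix="ransom-scan-"))
    docs = root / "Documents"
    docs.mkdir()
    # Encrypted file as the article describes it: zip output renamed to .crypt.
    with zipfile.ZipFile(docs / "report.docx.crypt", "w") as archive:
        archive.writestr("report.docx", b"constructed document body")
    # A .crypt file that is not a zip archive (still worth flagging).
    (docs / "notes.txt.crypt").write_bytes(b"\x00\x01not a zip")
    # Ransom note carrying the quoted sentence.
    (docs / "README").write_bytes(b"What happened to your files ?\n" + NOTE_PHRASE + b".\n")
    # Ordinary project README that must not be counted as a ransom note.
    proj = root / "Projects" / "tool"
    proj.mkdir(parents=True)
    (proj / "README").write_text("Build with make.\n")
    (proj / "main.c").write_text("int main(void) { return 0; }\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = scan_for_artifacts(sample)
    for key, paths in result.items():
        print(f"{key}: {len(paths)}")
    print("verdict:", verdict(result))
```

Run against a real home directory by passing its path to scan_for_artifacts. The content check on the note matters: a plain file-name match would flag every source tree that ships a README, which is why the constructed sample includes one.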

The new Mac OS X ransomware is a clear sign that victims should never follow the hackers’ instructions and should always use a quality anti-malware solution.

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
