Users affected by Filecode ransomware can now decrypt their files for free by employing a procedure developed by security researchers.
On 22 February, the security community first learned about Filecode. It’s a form of ransomware that specifically targets Mac users. Filecode introduces itself to a potential victim by masquerading as pirate software including patchers for Adobe Premier Pro and Microsoft Office for Mac. When users run those programs, the ransomware encrypts their files and ultimately displays a ransom note demanding 0.25 Bitcoin (approximately 300 USD) in exchange for the decryption key.
There’s just one problem: Filecode lacks code that allows it to communicate with its command and control (C&C) server. This means the ransomware can’t retrieve the key it used to encrypt a user’s files and send it over to the victim if they pay the ransom. As with many ransomware infections, paying the ransom in this case therefore nets a user a lighter wallet and nothing more.
But there’s hope for Filecode victims yet!
Thomas Reed, director of Mac offerings at Malwarebytes, has developed a procedure with the help of Jérôme Segura and @TheWack0lian that lets users decrypt their files for free. To use the method, victims need five things:
- A working computer.
- A good text editor like Xcode or TextWrangler.
- The command line tools for Xcode.
- The source code for pkcrack, a zip password recovery tool.
- An encrypted file and its non-encrypted counterpart. (Users can hopefully obtain the latter from an external device or an email attachment. If not, they can in some cases use the Filecode’s Info.plist file if the ransomware ran in Downloads and as a result encrypted itself.)
The procedure, which is described in full here, requires that a user compile pkcrack. This process first necessitates using the text editor and Xcode’s command line tools to modify a number of pkcrack’s files so that it will compile on macOS. Once the tool successfully compiles, it will yield a series of binaries that the victim can use to extract both the encrypted and non-encrypted files before running pkcrack on the pair.
Here’s an example of what this process looks like.
Reed explains what happens next in a blog post:
“At this point, pkcrack is trying to find the passcode for the encrypted file, but that will not succeed due to the length of the passcode used by the malware. You can force it to cancel and quit by pressing control-C.
“Fortunately, you don’t need the passcode… the three keys it found can be used to decrypt all the other decrypted files. Make a note of those three keys, labeled key0, key1, and key2.”
Users can employ the zipdecrypt binary to decrypt a file using the three keys as well as the encrypted file and its non-encrypted counterpart. They can then employ this same command with other encrypted files. It’ll take a bit of time, but as Reed notes, it does give users time to think about implementing a robust data backup strategy and ransomware prevention strategies in the future.