The ransomware was discovered by security vendor Eset on BitTorrent peer-to-peer distribution sites. It is written using Apple's Swift language and hides in files pretending to be cracked (unlocked) versions of popular software, such as Adobe Premiere Pro and Microsoft Office for Mac.
The torrent contains a single ZIP file – an application bundle. When launched, the application shows a window with a transparent background that makes it difficult to spot, and the window cannot be reopened once it is closed.
Once executed, the malware encrypts files both in the /Users directory and anywhere under /Volumes, which means it encrypts files on all mounted external and network storage.
Patcher then copies a file called README!.txt into the user's directories, such as “Documents” and “Photos”. These files contain instructions asking the victim for a payment of 0.25 Bitcoin.
However, the ransomware is so poorly coded that it has no way to communicate with any C&C server. As a result, the key that was used to encrypt the files can never be sent to the malware operators, so they have no way to decrypt them.
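The spread of the ransom note across the home directory and mounted volumes is the most visible trace the article describes. The following is an added example, not code from the article or from Eset: it walks the two roots the article names (the user home directories and /Volumes) and reports every directory that holds a README!.txt, plus how many of those notes mention the 0.25 Bitcoin figure, so an analyst can gauge how far the drop reached. The sample directory tree it scans is constructed inside a temporary folder for the demonstration; the note text is made up.

```python
"""Hunt for ransom-note drops of the kind described in the article.

Added example, not code from the article or from Eset. It scans the
roots the article names for the file name it reports (README!.txt) and
lists every directory that contains one. The sample tree created by
build_sample_tree() is constructed for this demonstration.
"""
import os
import tempfile
from pathlib import Path

NOTE_NAME = "README!.txt"          # note file name reported in the article
RANSOM_MARKER = "0.25"             # payment figure quoted in the article
# Roots the article says Patcher touches. Scanning these is a defender's
# assumption about where to look, not something taken from the malware.
DEFAULT_ROOTS = ("/Users", "/Volumes")


def find_ransom_notes(roots, note_name=NOTE_NAME):
    """Return a sorted list of directories under roots that contain note_name.

    Unreadable directories are skipped instead of aborting the scan, since
    mounted volumes often contain paths the analyst's account cannot read.
    """
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
            if note_name in filenames:
                hits.append(dirpath)
    return sorted(hits)


def note_mentions_ransom(path, marker=RANSOM_MARKER):
    """True if the note at path contains the payment figure from the article."""
    try:
        return marker in Path(path).read_text(errors="replace")
    except OSError:
        return False


def build_sample_tree(base):
    """Constructed sample: two user folders hit, one clean, one external volume hit."""
    base = Path(base)
    home = base / "Users" / "alice"
    volume = base / "Volumes" / "Backup"
    for d in (home / "Documents", home / "Photos", home / "Music", volume):
        d.mkdir(parents=True)
    note = "Your files are encrypted. Send 0.25 Bitcoin to the address below.\n"
    (home / "Documents" / NOTE_NAME).write_text(note)
    (home / "Photos" / NOTE_NAME).write_text(note)
    (volume / NOTE_NAME).write_text(note)
    (home / "Music" / "song.mp3").write_bytes(b"\x00" * 16)   # untouched file
    return [str(base / "Users"), str(base / "Volumes")]


def scan_sample():
    """Scan the constructed tree; returns (directories hit, notes mentioning the ransom)."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_sample_tree(tmp)
        hits = find_ransom_notes(roots)
        with_ransom = sum(note_mentions_ransom(Path(h) / NOTE_NAME) for h in hits)
        # Report paths relative to the sample root so output is stable.
        relative = [os.path.relpath(h, tmp) for h in hits]
    return relative, with_ransom


if __name__ == "__main__":
    dirs, count = scan_sample()
    print(f"{len(dirs)} directories contain {NOTE_NAME}; {count} mention the ransom:")
    for d in dirs:
        print("  ", d)
```

On a real machine the same scan runs as `find_ransom_notes(DEFAULT_ROOTS)`; the count of directories hit, compared against the directories that actually held user data, tells the analyst whether the external and network volumes the article mentions were reached as well.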
“Paying the ransom in this case will not bring you back your files. That's one of the reasons we advise that victims never pay the ransom when hit by ransomware,” said Marc-Etienne M. Léveillé, malware researcher at Eset, in a blog post.
“This new crypto-ransomware, designed specifically for macOS, is surely not a masterpiece. Unfortunately, it's still effective enough to prevent the victims accessing their own files and could cause serious damage.”
The firm recommended that users avoid pirated software and keep a current, offline backup of all their important data.
Adrian Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that it is plausible that this is either a work-in-progress or simply a proof-of-concept for implementing ransomware-like capabilities.
“Whether it's a scrapped ransomware project or an ongoing one, Mac ransomware is real and proves that with the right coding anyone can become a victim,” he said.
“If this is part of an early project build, it could be that C&C communication capabilities will be added along the way. While it's not the first time we've seen ransomware that doesn't need a C&C connection, it's reasonable to speculate that either the coder didn't get to implement all features or he's testing other capabilities,” he added.
Arnaud Abbati, senior researcher at SentinelOne, told SC that there was no transaction to the Bitcoin account, “so it seems it wasn't necessary to deploy a complete ransomware infrastructure anyway”.
“If this ransomware is not some sort of a red team research, then this is another proof we should not pay ransoms. Instead, we should protect what has the most value in our machines (data) and backup (incremental, both local and remote).”
“People should not blindly trust the internet. While this particular case does not end well for the user (in a real world scenario), most unadvised illegal downloaders also end up with lots of adware. If the user had run the unknown patch in a virtual machine, he would notice that this doesn't work,” he added.