osx.patcher


aka: FileCoder, Findzip

This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software like Adobe Premiere Pro or Microsoft Office for Mac.

The downloaded torrent contained an application bundle in the form of a single zip file. After launching the fake application, the main window of the fake cracking tool was displayed.

The file encryption process was launched after the misguided victim clicked 'Start'. Once executed, the ransomware generated a random 25-character string and set it as the key for RC4 encryption of all of the user's files. It then demanded ransom in Bitcoin, as instructed in the 'README!' .txt file copied all over the user's directories.

Despite the instructions being quite thorough, Patcher lacked the functionality to communicate with any C&C server, and therefore made it impossible for its operators to decrypt affected files. The randomly generated encryption key was also too long to be guessed via a brute-force attack, leaving the encrypted data unrecoverable in a reasonable amount of time.

2017-02-22, ESET Research, Marc-Etienne M.Léveillé: New crypto‑ransomware hits macOS

There is no Yara-Signature yet.