First spotted in 2017 by antivirus firm ESET, FileCoder — also known as Filezip, FindZip, and Patcher — is a macOS ransomware program that targets Mac users through BitTorrent websites.
Wherever there is pirated software or other illicit digital files, you will also find ransomware, malware, and spyware. You should always be careful when downloading something that looks harmless, such as free apps and software.
In this case, FileCoder is disguised as a cracking tool for popular premium software, such as Adobe Premiere Pro CC and Microsoft Office for Mac.
What is the FileCoder virus?
Within the seemingly legitimate cracking code is a piece of ransomware that encrypts your files and then extorts Mac users for money. Written in Apple's Swift language, it is said to be the work of a novice virus writer (VXer), one who was unable to create a fake Apple Developer ID or obtain a real one.
Because this ransomware wasn't signed with a Developer ID, fake or otherwise, most Macs flagged it as suspicious when the download was launched. Thankfully, this means macOS responded as it should to a threat it didn't recognize, making the download difficult to run, which is why this ransomware went to such lengths to disguise itself as legitimate.
Typically, the infection looks like this:
If the download is successful, the ransomware generates a single encryption key for everything on your Mac. This means that every file and folder, everything you need, is encrypted and unavailable. As with WannaCry and Petya, both of which appeared later in 2017 than FileCoder, once files are encrypted a ransom demand is sent to the user. This is possible because the program has collected the victim's Apple ID and other email address details and sent them back to the cybercriminals responsible for the attack.
Once those behind the attack have that information, they get in touch asking for money. In most cases, the creators ask for payment in Bitcoin; at the time, the person behind FileCoder was asking for 0.25 Bitcoin. If the victim pays, the attackers are supposed to send back the key to unlock the files. However, whether as a result of the creators' poor coding skills or as a purely malicious act, no FileCoder decryption key is sent even after payment.
For Mac users with a recent backup — one that hasn't been compromised by the ransomware — it should be possible to start using the machine again with a new account and the backup itself. If that isn't the case, then because the malware's authors never supply a decryption key, you might need to go through the process of recovering your files manually. Even after doing this, there is still the challenge of removing the ransomware from your Mac to avoid future problems or this software acting as a dark web backdoor into your Mac.
How to remove FileCoder manually?
Before we talk about removing FileCoder, let's look at how to get your files back. Since paying the ransom is pointless, the only way to get these back — assuming no backup exists — is the manual approach.
To do this, you need a working second computer or another user profile on the Mac whose files have been encrypted by the ransomware. It is recommended that only experienced Mac users or those with some coding skills attempt this. Otherwise, it might be worth talking to someone with the relevant skills and experience.
Malwarebytes recommends gathering the following tools to start the decryption:
- Xcode or TextWrangler
- Xcode command-line tools
- pkcrack source code
- One unencrypted file and the corresponding encrypted file (1000 bytes or more, but not a huge file).
Now, carefully follow the instructions in this Malwarebytes article to recover your files.
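To make the prerequisites above concrete, here is an added example (not code from the article, Malwarebytes, or pkcrack) that models the traditional PKZIP stream cipher that pkcrack attacks, assuming, as the pkcrack requirement implies, that the encrypted files are password-protected ZIP archives using that cipher. It shows why a matched unencrypted/encrypted pair of at least 1000 bytes is needed: each ciphertext byte is the plaintext byte XOR a keystream byte, so the pair exposes the keystream from which pkcrack recovers the cipher's internal keys. In a real archive the compressed data stream is what gets encrypted, which is why pkcrack also needs the known file zipped with the same settings as the encrypted one.

```python
import os
import zlib

def _crc32_byte(crc: int, b: int) -> int:
    # One-byte CRC-32 step, as used inside the cipher's key update.
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

class ZipCrypto:  # traditional PKZIP stream cipher (model, not FileCoder's code)
    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.keys
        k[0] = _crc32_byte(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_byte(k[2], k[1] >> 24)

    def _stream_byte(self) -> int:
        t = (self.keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, plaintext: bytes) -> bytes:
        # A 12-byte random header precedes the data, as in a real ZIP entry.
        out = bytearray()
        for p in os.urandom(12) + plaintext:
            out.append(p ^ self._stream_byte())
            self._update(p)  # the state advances on the plaintext byte
        return bytes(out)

    def decrypt(self, ciphertext: bytes) -> bytes:
        out = bytearray()
        for c in ciphertext:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out[12:])

def check_known_pair(plain: bytes, cipher: bytes, minimum: int = 1000) -> bool:
    # The article's requirement: a known file of 1000+ bytes and its encrypted
    # counterpart, which is the same length plus the 12-byte header.
    return len(plain) >= minimum and len(cipher) == len(plain) + 12

def keystream_from_pair(plain: bytes, cipher: bytes) -> bytes:
    # Ciphertext is plaintext XOR keystream, so a matched pair exposes the
    # keystream; pkcrack starts from these bytes to recover the three internal
    # keys (the hard part, not reproduced here) for the whole archive.
    return bytes(p ^ c for p, c in zip(plain, cipher[12:]))
```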
Assuming you've successfully done that, removing FileCoder isn't much of a challenge. Unlike some types of malware and ransomware, the only thing stopping you from finding it is that your files are encrypted. Once that problem is dealt with, it will be sitting on your hard drive and can be deleted. Make sure to restart your Mac afterward, and always perform regular backups so you don't lose files to a ransomware attack.
How to remove FileCoder automatically?
Removing the virus manually can be a headache. Luckily, there's an app that can do it for you with the click of a button: CleanMyMac X by MacPaw. To remove FileCoder and any other malware that may be lurking around your system, follow these steps:
- Download CleanMyMac X (free download).
- Open the app.
- Choose Malware Removal.
- Click Scan.
- Click Remove.
How to avoid ransomware
One way to avoid all of the stress associated with ransomware attacks is to have a system in place that scans for and removes new threats. Not all antivirus software can spot everything. One tool with a strong track record in removing malware is CleanMyMac X, which we mentioned above. According to the developer, its virus database is updated daily and covers viruses and ransomware specific to macOS. The only thing you need to do is develop the habit of scanning the system regularly by completing the steps outlined above.
If you are too busy to run these scans, although they usually take only a few minutes, there is another option. CleanMyMac X comes with a real-time malware monitor. It scans your Mac in the background, checks all new software you install, and notifies you about any suspicious processes or potential threats. To switch on the monitor, do the following:
- Enable CleanMyMac X Menu first (CleanMyMac X > Settings > Menu > Enable Menu).
- Then, click on the iMac icon in the menu bar to open CleanMyMac X Menu and navigate to Settings (the gear icon).
- Choose the Protection tab and have all three boxes selected.
The FileCoder trojan was an unpleasant form of malware, especially since the creators didn't have the decency to send a decryption key even after ransoms were paid. Preventing attacks isn't always possible, but provided you take care online, you should be able to avoid downloading something that encrypts your files. And should that happen, there are ways to remove it and decrypt your files without paying a cybercriminal.