FileCoder virus on a Mac: How to remove it completely

First spotted in 2017 by antivirus firm, ESET, FileCoder - also known as Filezip, FindZip and Patcher - is a macOS ransomware program that targets Mac users through BitTorrent websites.

Wherever there is pirate software and digital files, you will find ransomware, malware and spyware. These are various cyber threats, and you should always be careful when downloading something that is seemingly harmless, such as free apps and software.

In this case, FileCoder is disguised as a cracking tool for popular premium software such as Adobe Premiere Pro CC and Microsoft Office for Mac.

Filecoder locky trojan

What is the FileCoder virus?

Within the seemingly legitimate cracking code is a piece of ransomware that encrypts your files and then extorts Mac users for money. Written in the Apple language Swift, it is said to be the work of a novice Vxer, and one who wasn't able to create a fake Apple Developer ID, or ascertain a real one.

Because this ransomware doesn't come with an Apple ID - fake or otherwise - most Macs responded with suspicion when an attempted download started. Thankfully, this means that the macOS responded as it should when faced with a threat it didn't recognise, ensuring that the download proved difficult, which is why this ransomware went to such lengths to disguise itself as legitimate.

Typically, the infection looks like this:

Filecoder malware infection
Image Source: WeLiveSecurity

If a download is successful, the ransomware generates a single encryption key for everything on your Mac. This means that every file and folder, everything you need, is encrypted and unavailable. As we saw with WannaCry and Petya, both later in 2017 than FileCoder, once files are encrypted a ‘ransom demand’ is sent to a user, usually because the program has been able to collect Apple ID and other email address details, and then send that back to the cybercriminals responsible.

Once those behind an attack have that information, they get in contact asking for money. In most cases, the creators ask for payment in Bitcoin. At the time, the person behind it was asking for 0.25 Bitcoin. If someone pays, then they should send back the encryption key to unlock the files. However, either a result of the creators poor coding skills or a purely malicious act, even after payment, no FileCoder decrypt is sent.

For Mac users with a recent backup - one that hasn't been compromised by the ransomware - it should be possible with a backup and a new username on the Mac you have to start again. If that isn’t the case, then the malware instigators not having an encryption key means that you might need to manually go through the process of recovering your files. Even after doing this, there is still the challenge of removing the ransomware from your Mac to avoid any future problems or this software acting as a dark web backdoor into your Mac.

filecoder decrypt malware on mac

How to remove FileCoder manually?

Before we talk about removing FileCoder, let’s look at how to get your files back. Since paying the ransom is pointless, the only way to get these back - assuming no backup exists - is the manual approach.

To do this, you need a working second computer or another user profile on the Mac that has been encrypted with the ransomware. It is recommended that only experienced Mac users, or those with some coding skills attempt this. Otherwise it might be worth talking to someone with the relevant skills and experiences.

MalwareBytes recommends gathering the following tools to start the decryption:

  1. Xcode or TextWrangler
  2. Xcode command-line tools
  3. pkcrack source code
  4. One unencrypted file and the corresponding encrypted file (1000 bytes or more, but not a huge file).

Now carefully follow the instructions in this MalwareBytes article to recover your files.

Assuming you’ve successfully done that, removing FileCoder isn’t as much of a challenge. Unlike some types of malware and ransomware, it assumes you won’t be able to find it because your files are encrypted. Once that problem is removed, it will be sitting in your hard drive and it can be deleted. Make sure to restart your Mac afterwards and always perform regular backups to avoid losing files to a ransomware attack.

Ransomware filecoder

How to avoid ransomware

One way to avoid all of the stress associated with ransomware attacks is to have a system in place that scans for and removes new threats. Not all antivirus software can spot everything. The one software that has a strong track record in removing malware is CleanMyMac X by MacPaw Inc. According to the developer, their virus database is updated daily and tackles viruses and ransomware that is specific to the macOS.

With CleanMyMac X, you can scan and remove ransomware quickly and safely:

  1. Download CleanMyMac X (a link to a free version of the app)
  2. Launch the app.
  3. Choose Malware Removal.
  4. Click Scan.
  5. Click Remove.

The FileCoder trojan was an unpleasant form of malware, especially since the creators didn't have the decency to have a decrypt key even after ransoms were paid. Preventing attacks isn’t alway possible, but providing you take care online you should be able to avoid downloading something that encrypts your files. And should that happen, there are ways to remove it and decrypt your files without paying a cybercriminal.


These might also interest you:

CleanMyMac X
CleanMyMac X

Your Mac. As good as new.