Filecoder.E

Filecoder.E, also known as FindZip, targets macOS and is written in the Swift programming language. It is distributed via BitTorrent as a file named “Patcher,” masquerading as a software-pirating application; the torrent contains an application bundle for the victim to install. Once opened, the application displays a “Start” button. After the button is clicked, Filecoder.E generates a random 25-character string to use as the key for encrypting the targeted files and then begins the encryption process. It drops a ransom note named README!.txt into each folder containing encrypted files, deletes the original files, and changes the timestamp on the encrypted files to February 10, 2010. In addition to targeting files in the /Users directory, Filecoder.E searches for files to encrypt on all mounted external and network storage discovered under /Volumes. The instructions, Bitcoin address, and the hacker’s contact details are hardcoded in the ransomware, which means they are the same for all victims. It does not communicate with a C2 server, so the encryption key is never sent to the hacker behind the campaign. Because the hacker therefore has no key to return, researchers advise against paying the ransom: paying cannot restore the files.
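As an added illustration (not from ESET, Malwarebytes, Avast or the original page), the Python script below walks a directory tree and flags the two on-disk artifacts described above: folders containing a README!.txt note and files whose timestamp has been reset to February 10, 2010. It assumes the rewritten timestamp is the file's modification time, and it builds a constructed sample tree in a temporary directory instead of scanning a real /Users or /Volumes path.

```python
import datetime
import os
import tempfile

RANSOM_NOTE = "README!.txt"              # note name dropped by Filecoder.E
STAMP_DATE = datetime.date(2010, 2, 10)  # date written onto encrypted files


def scan_for_findzip_artifacts(root):
    """Return (dirs holding the ransom note, files whose mtime falls on
    STAMP_DATE). Assumption: the reset timestamp is the modification time."""
    note_dirs, stamped_files = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                note_dirs.append(dirpath)
                continue
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; keep walking
            if datetime.date.fromtimestamp(st.st_mtime) == STAMP_DATE:
                stamped_files.append(path)
    return sorted(note_dirs), sorted(stamped_files)


def _write(path, mtime=None):
    with open(path, "w") as fh:
        fh.write("sample")
    if mtime is not None:
        os.utime(path, (mtime, mtime))  # set access and modification time


def demo():
    """Build a constructed tree that mimics an infected user folder, scan
    it, and return the hits as forward-slash relative paths."""
    stamp = datetime.datetime(2010, 2, 10, 12, 0).timestamp()  # local noon
    with tempfile.TemporaryDirectory() as base:
        docs = os.path.join(base, "Documents")
        os.mkdir(docs)
        _write(os.path.join(docs, "thesis.docx"), stamp)  # "encrypted" file
        _write(os.path.join(docs, RANSOM_NOTE))           # dropped note
        _write(os.path.join(base, "notes.txt"))           # untouched file
        note_dirs, stamped = scan_for_findzip_artifacts(base)
        rel = lambda p: os.path.relpath(p, base).replace(os.sep, "/")
        return [rel(d) for d in note_dirs], [rel(f) for f in stamped]


if __name__ == "__main__":
    print(demo())
```

Either indicator alone is weak (any file can carry that date), so treat a folder that matches both as the signal worth triaging.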

  • ESET provides more information about Filecoder.E here.
  • Security researchers have developed a process that can help victims of Filecoder.E decrypt their files. The process is described in detail on the Malwarebytes website here.
  • Avast provides a free decryption tool for Filecoder.E/FindZip here.