New macOS ransomware written in Apple’s Swift spotted in the wild

“A new file-encrypting ransomware program for macOS is being distributed through BitTorrent websites, and users who fall victim to it won’t be able to recover their files, even if they pay,” Lucian Constantin reports for IDG News Service.

“Crypto ransomware programs for macOS are rare. This is the second such threat found in the wild so far, and it’s a poorly designed one,” Constantin reports. “The program was named OSX/Filecoder.E by the malware researchers from antivirus vendor ESET who found it.”

“OSX/Filecoder.E masquerades as a cracking tool for commercial software like Adobe Premiere Pro CC and Microsoft Office for Mac and is being distributed as a BitTorrent download,” Constantin reports. “It is written in Apple’s Swift programming language by what appears to be an inexperienced developer, judging from the many mistakes made in its implementation.”

Read more in the full article here.

MacDailyNews Take: Yeesh. Don’t download software from torrent sites.


      1. No actually. The OSX.Ransom.FileCoder.E malware hackers are being surveilled by that anti-malware industry. So far, not one person has given the hackers ANY bitcoins. IOW: Their malware is so far a dud.

        It doesn’t help of course that their malware doesn’t actually provide any Earthly way to UNencrypt the data it steals, meaning that there’s no point in handing over bitcoin anyway.

  1. I think writing code like that in a modern language, will come back to haunt you.

    Swift signs the code, I would think, and therefor something that could be traced.

    Just my guess – because I don’t really know.

      1. If you want to participate in the process of executing code you are supposed to submit to this validation process. I don’t think this is a privacy issue. It’s a code of conduct and seal of approval. You can still be anonymous, but forgo the validation.

          1. So a virus or trojan – is an example free speech in the same way as a ransom note or a note the the bank teller who mysteriously begins to hand you cash. I see this needs to be hammered out a bit. Some things need to be protected while others is a crime and punishable. Swift is just the language, by which it’s written. Code signing is just a way to easily show to us illiterate people, we can trust the document presented to us.

  2. The usual suspects are already citing this as “proof” that MacOS is no more secure than Windows.

    This particular attack requires somebody to go onto BitTorrent and download software from an anonymous source with the specific intent to steal the intellectual property of commercial software companies by cracking their programs. The victim then needs to ignore any warnings from the OS that the program may be unsafe.

    It is extremely unlikely to hit anyone who relies on dependable sources for software. It cannot even _possibly_ affect the average user who only downloads from the Mac App Store and sets his security accordingly.

    Notably, most of the “experts” like ESET advising Mac users to install third-party anti-virus software are part of the anti-virus industry.

  3. Malware naming actually has an entirely specific protocol… that nobody uses.

    Meanwhile, anyone anywhere can name any malware whatever they like… and they do.


    OSX/Filecoder.E is actually, formally known as:

    The ‘E’ at the end means there are, according to someone, 5 variants of this malware and this is the fifth one.

    Problem: I collect references for all Mac malware, and there aren’t any references I can find for OSX.Ransom.FileCoder.C or D. Someone forgot to share.

    Problem: FileCoder isn’t the only name for this Trojan ransomware. Here are two other names:
    KeLogger (apparently .E)
    FindZip.A (Blame Apple, at least we think Apple is using FindZip.A to refer to FileCoder.E. No one yet knows for sure).

    Anyway, Apple just updated their anti-malware system, XProtect, to detect and stop OSX.Trojan.XAgent.A (which has three other spellings), OSX.Trojan.iKitten.A (which is also called and OSX.?.Proton.A. No one so far has published anything about Proton.A, leaving is to wonder what it is.

    So kill me, please.

    Oh and Apple has thus far forgotten to update their system for checking the version of Adobe Flash installed on Macs. They’re one version behind. That’s dangerous. Naughty Apple! – – IOW: Update Adobe Flash yourself NOW please.

    Am I dead yet?

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.