Tips & Advice

Mac FindZip ransomware decryption tool unzips your encrypted files

Jakub Kroustek, 13 March 2017

Avast introduces a new decryption tool that will help Mac users infected with the FindZip ransomware decrypt their files.

Late February 2017, a new type of ransomware for Mac was discovered. This ransomware, called FindZip, infects users by pretending to be a cracked version of commercial applications, such as Adobe Premiere Pro. Once it infects a Mac, it utilizes a ZIP encryption to encrypt documents - the exact same scheme used by the Windows ransomware, Bart, which we decrypted last summer.

MalwareBytes already published a technical analysis of FindZip, as well as a description of the decryption process. However, because the instructions described by MalwareBytes may be complicated for some, we created a more user friendly decryption application.

The FindZip decryption tool is available on our free ransomware decryption tools page, along with all of our ransomware decryption tools.
Mac FileZip ransomware

Running the ransomware decryptor on Windows

If you decide to copy your encrypted files from your Mac to a Windows system, using our decryptor should be straightforward, and you won’t need to install any other software.
Avast Decryption Tool for FindZip

Running the ransomware decryptor on Mac

As the ransomware decryptors released by Avast are Windows applications, Mac users (and Linux users) need to install an emulation layer for the Windows application. The decryptor was tested with CrossOver and Wine, other emulation programs might work as well though.

This guide describes how to run the decryptor tool using Wine for Mac. The decryptor tool was tested on MacOS 10.10 (Yosemite) and 10.12 (Sierra).

Installing XQuartz

You first need to install a windowing system for your Mac. Go to https://www.xquartz.org (or Google  “XQuartz for Mac”) and download the DMG installation file.

install XQuartz

If the downloaded file doesn’t open automatically, open it from your Downloads folder.

how to install XQuatz for Mac

Double-click on the “Quartz.pkg” icon and the installer should open.

Install Quartz.pkg

Keep clicking “Continue” or “Install”. You may be prompted to agree to the license and enter your password to install a new application. The installation process can take a few minutes. During the installation, you may be prompted to log out and log back in to complete the process:

installing XQuartz Mac

Note: if you skipped installing XQuartz and went straight to installing Wine, it will probably complain that you need to install XQuartz first :)

Installing Wine

Go to https://wiki.winehq.org/MacOS (or Google for “Wine for Mac”, not just “wine” ;-) ) and follow the link to download the PKG packages. Download the “Installer for Wine Staging”:

Installing WineHQ

After downloading, you can find it in your Downloads folder:

WineHQ staging DMG

Run the installer by double-clicking on the icon:

Install Wine Mac

Click “Continue” and select “Install for all users on this computer”. Then keep clicking “Continue” and “Install”. You may be prompted to enter your password, as you are installing a new application. When the installation is complete, click “Close”.

You may now download the Avast decryptor and run it seamlessly.

Important note: If you already had Wine installed prior to being infected with the  ransomware, the entire Wine configuration is probably encrypted. In that case, you need to delete the folder \Users\<YourUserName>\.wine before running the decryptor application.

Running the decryption application

To run the decryptor, download it from our Avast free decryptor tools page and double-click on the application icon:

Avast FindZip decryptor

It will take some time for the first-run configuration.

  • If you are prompted to install “Mono”, click “Cancel”
  • If you are prompted to install Gecko, press “Install” and let the installer download and install it.

When the initial configuration is complete, the decryptor will run and show the “Welcome” screen:

installing FindZip decryptor tool

On the next window (after clicking “Next”), you can select one or more locations, where the decrypted files are. By default, this contains the name of the current user’s home folder:

Avast decryption tool for FindZip

The default setting is usually fine. Press “Next”. Then, you need to enter a pair of original/encrypted files. You can either drag and drop from the Mac folders, or can browse for the file by clicking the “…” button.

Cracking FindZip password

Once both files are entered, click “Next”.

Crack for FileZip password

On this screen, the password cracking process is done. Click “Start“ and wait until the decryptor finds the password. It usually takes about a minute to crack the password for files encrypted by FindZip.

FindZip decrypt

When the password cracking process is done, press “Next“.

On the final screen, you can opt-out from creating backup copies during the decryption process. It is not recommended to do so, however.

backup Mac files

After clicking “Decrypt”, the application will decrypt all the files in the folder that were entered in the “Select location(s) to decrypt” screen.

ransomware files back

When the decryption is done, just press “Close” - and that’s it! Your files will be decrypted!

Special thanks

We would like to thank Peter Conrad, the author of PkCrack, who granted us permission to use his library in our decryptors. Furthermore, a special thanks also goes to my colleague, Ladislav Zezula, for preparing this decryptor.

IOCs

c68814901d0af5de410c152e62a06a51c16ec7fe118f1e5251bbcdbb27364709

d19b903adbd0f8c119d0d8f25b194bdd24b737357a517f23ca5cdc6c75b35038

 

Check 1 comments or write your comment

Discussion (1)