Detailed Resource: FindZip ransomware (macOS-specific)
TECHNICAL BREAK-DOWN
1. File extension & renaming pattern
- File extension: every encrypted file gets “.findzip” appended (lower-case, no spaces).
  Example: Budget_2024.xlsx ➜ Budget_2024.xlsx.findzip
- Renaming convention: a single, atomic rename() call, so the original extension is preserved and “.findzip” is simply concatenated onto it. No e-mail addresses, random IDs, or timestamps are inserted, which makes the original name trivially recoverable by stripping the suffix.
2. Detection & outbreak timeline
- First reported: February 2017 by ESET (detected as OSX/Filecoder.E); Malwarebytes researcher Thomas Reed published the analysis and recovery write-up under the name “FindZip” shortly afterwards.
- Peak activity: Feb–Apr 2017, distributed through BitTorrent and warez sites (e.g. “mac-tracker.dmg”).
- Occasional resurfacing: isolated distribution waves throughout 2018–2020; almost dormant since 2021, yet still found in opportunistic “cracked-software” packs.
3. Primary attack vectors
- Social-engineering lure: Masquerades as a productivity or “P2P client” DMG (e.g., “VideoCoderforMac.dmg,” “Office2016_activator.dmg”).
- Installation flow:
  – Mount the DMG ➜ run the fake “installer.pkg”.
  – Elevates to admin (prompts for the user’s password).
  – Writes three components into /Users/Shared/ plus a LaunchAgent (.plist) under ~/Library/LaunchAgents/.
- Persistence: the LaunchAgent re-launches the “findzip” binary at every login.
- No network propagation: Purely victim-initiated download; no worm code, RDP, or SMB exploitation.
REMEDIATION & RECOVERY
1. Prevention
- Reject “free/cracked” Mac software; obtain titles only from the Apple App Store or from developers whose builds are signed with an Apple Developer ID and notarised.
- macOS 10.15 and later require notarisation for Gatekeeper to admit downloaded apps; set “Allow applications from” to App Store and identified developers under System Settings ▸ Privacy & Security (System Preferences ▸ Security & Privacy ▸ General on macOS 12 and earlier).
- Activate FileVault 2 (full-disk encryption). It protects data at rest on a lost or stolen machine; it does not stop a process running in the logged-in user’s session from encrypting files, so it complements backups rather than replacing them.
- Maintain at least two backups: one local Time Machine (encrypted, APFS), one offline/off-site or immutable cloud (“object-lock”).
- Install reputable macOS AV/EDR with real-time signatures (many engines detect FindZip as OSX.Findzip.A, Ransom_FINDZIP, or Trojan.MAC.Ransom.F).
2. Removal
- Boot macOS into Safe Mode so the LaunchAgent is not respawned: on Intel hold Shift during startup; on Apple Silicon hold the power button until “Loading startup options” appears, select the startup disk, then hold Shift and click “Continue in Safe Mode”.
- Delete the malware files (paths exactly as listed; double-check each path before running rm -rf):
  rm -rf /Users/Shared/findzip
  rm -rf /Users/Shared/agent.app
  rm ~/Library/LaunchAgents/com.coderunner.findzip.plist
  sudo rm -f /var/root/.kernel_pid   # stores the PID and kill-switch flag
- Empty Trash & clear user cache.
- Run a full AV scan to catch any successor loaders.
- Reboot normally, verify LaunchAgent is gone.
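The verification step above is easy to get wrong by hand (a renamed plist survives a name-based check, and a missed .findzip file surfaces weeks later). The following script is an added example written for this page, not tooling from Malwarebytes or any other vendor: it checks the artifact paths listed in the removal section, flags any LaunchAgent whose program points into /Users/Shared or mentions findzip, and inventories .findzip files and ransom notes without modifying anything. It takes the volume root and home directory as parameters so it can be run against a mounted image; make_sample_volume() builds a constructed test tree (not a real infection) so the script runs offline.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Artifact paths exactly as listed in the removal section: the first group is
# relative to the volume root, the second to the victim's home directory.
VOLUME_ARTIFACTS = (
    "Users/Shared/findzip",
    "Users/Shared/agent.app",
    "var/root/.kernel_pid",
)
HOME_ARTIFACTS = ("Library/LaunchAgents/com.coderunner.findzip.plist",)
RANSOM_NOTE = "READMETORESTORE_FILES.txt"
ENCRYPTED_SUFFIX = ".findzip"


def present_artifacts(volume_root, home_dir):
    """Return the listed artifacts that still exist; an empty list means clean."""
    found = []
    for base, rels in ((volume_root, VOLUME_ARTIFACTS), (home_dir, HOME_ARTIFACTS)):
        for rel in rels:
            p = Path(base) / rel
            if p.exists() or p.is_symlink():
                found.append(str(p))
    return found


def suspicious_launchagents(home_dir):
    """Flag LaunchAgents whose Program/ProgramArguments point into /Users/Shared
    or mention findzip, so a renamed copy of the plist is still caught."""
    hits = []
    agents = Path(home_dir) / "Library" / "LaunchAgents"
    if not agents.is_dir():
        return hits
    for plist in sorted(agents.glob("*.plist")):
        try:
            with open(plist, "rb") as fh:
                data = plistlib.load(fh)
        except Exception:
            hits.append(str(plist))          # unparseable plist: inspect by hand
            continue
        if not isinstance(data, dict):
            continue
        targets = [str(data.get("Program", ""))]
        targets += [str(a) for a in data.get("ProgramArguments", [])]
        if any("/Users/Shared/" in t or "findzip" in t.lower() for t in targets):
            hits.append(str(plist))
    return hits


def encrypted_inventory(scan_root):
    """List .findzip files and ransom notes under scan_root (nothing is modified)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(scan_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(full)
            elif name == RANSOM_NOTE:
                notes.append(full)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def make_sample_volume():
    """Constructed test tree (not a real infection): every listed artifact,
    one benign LaunchAgent, one encrypted document and one ransom note."""
    root = Path(tempfile.mkdtemp(prefix="findzip_vol_"))
    home = root / "Users" / "victim"
    shared = root / "Users" / "Shared"
    agents = home / "Library" / "LaunchAgents"
    for d in (shared / "agent.app", agents, root / "var" / "root", home / "Documents"):
        d.mkdir(parents=True)
    (shared / "findzip").write_bytes(b"\xcf\xfa\xed\xfe")      # Mach-O magic only
    (root / "var" / "root" / ".kernel_pid").write_text("4242 0\n")
    with open(agents / "com.coderunner.findzip.plist", "wb") as fh:
        plistlib.dump({"Label": "com.coderunner.findzip",
                       "ProgramArguments": ["/Users/Shared/findzip"],
                       "RunAtLoad": True}, fh)
    with open(agents / "com.vendor.updater.plist", "wb") as fh:   # benign control
        plistlib.dump({"Label": "com.vendor.updater",
                       "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater"]}, fh)
    (home / "Documents" / "Budget_2024.xlsx.findzip").write_bytes(b"ciphertext")
    (home / "Documents" / RANSOM_NOTE).write_text("Your files are encrypted.\n")
    return str(root), str(home)


if __name__ == "__main__":
    vol, home = make_sample_volume()
    print("artifacts still present:", present_artifacts(vol, home))
    print("suspicious LaunchAgents:", suspicious_launchagents(home))
    print("inventory:", encrypted_inventory(home))
```

On a live machine call present_artifacts("/", os.path.expanduser("~")) and suspicious_launchagents on the same home directory; a clean system returns empty lists for both. Running the inventory before deleting anything gives you the list of files the decryptor has to process, and running it again afterwards confirms nothing was missed.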
3. File decryption & recovery
- Feasibility: decryptable without paying, provided the local “.keyfile” survives. FindZip encrypts file contents with RC4; the per-victim RC4 session key is wrapped with a 2048-bit RSA public key embedded in the binary, and the matching private key is shipped inside the app bundle. That private key is identical across every sample found, so the session key can be unwrapped locally.
- Free decrypter:
  – Malwarebytes “FindZip Decryptor” (GUI & CLI versions, code signed, 2020 update).
  – Objective-C open-source PoC: github/0xd3ad/FindZip-unlocker
- Decryption steps:
  – After removing the malware, copy the file “.keyfile” from /Users/Shared/ to a safe location (it contains the RSA-wrapped RC4 session key). Record its size and hash before anything else touches it.
  – Run the decryptor with admin privileges and point it at the folder that contains your “.findzip” files.
  – The tool locates “.keyfile”, unwraps the RC4 key with the embedded RSA private key, and re-streams every file in place (keeping a “.bak” copy).
  – Once finished, verify file headers (a restored .xlsx should start with “PK”, a .pdf with “%PDF”), and only then delete the “.findzip” remnants and “.bak” copies.
- Important: decryption fails only if the “.keyfile” was deleted or overwritten. In that case restore it from Time Machine or another backup, or carve it with photorec/Autopsy (it is only 256 B).
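The recovery steps above have two places where a careless operator loses data for good: copying a truncated .keyfile, and deleting the .findzip copies before the restored files have been checked. The script below is an added example written for this page; it is not the Malwarebytes decryptor, the PoC linked above, or any other published tool, and it performs no decryption. It preserves .keyfile with a size check and SHA-256, maps a “.findzip” name back to the original, checks a restored file’s magic bytes against its extension, and deletes the encrypted and “.bak” copies only where that check passes. The “.bak” naming (restored name plus “.bak”) is an assumption, as is the magic-byte table; make_sample_tree() builds a constructed directory so the script runs offline.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

KEYFILE_SIZE = 256                 # size stated in the write-up
ENCRYPTED_SUFFIX = ".findzip"
BACKUP_SUFFIX = ".bak"             # assumed: decryptor keeps "<restored>.bak"

# Assumed magic-byte table for common document types. A restored file that
# does not start with the expected bytes was not decrypted correctly.
MAGIC = {
    ".xlsx": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
}


def preserve_keyfile(shared_dir, dest_dir):
    """Copy .keyfile out of the shared directory, refusing a wrong-sized file.

    Returns (destination path, sha256 hex) so the hash is on record before
    any decryption attempt touches the disk."""
    src = Path(shared_dir) / ".keyfile"
    if not src.is_file():
        raise FileNotFoundError("no .keyfile: restore it from backup first")
    size = src.stat().st_size
    if size != KEYFILE_SIZE:
        raise ValueError(f".keyfile is {size} B, expected {KEYFILE_SIZE} B (truncated or overwritten?)")
    dst = Path(dest_dir) / ".keyfile"
    shutil.copy2(src, dst)
    return str(dst), hashlib.sha256(dst.read_bytes()).hexdigest()


def original_name(encrypted_path):
    """'Budget_2024.xlsx.findzip' -> 'Budget_2024.xlsx' (suffix is only appended)."""
    p = str(encrypted_path)
    if not p.endswith(ENCRYPTED_SUFFIX):
        raise ValueError(f"not a FindZip name: {p}")
    return p[: -len(ENCRYPTED_SUFFIX)]


def header_ok(restored_path):
    """True/False if the extension is in MAGIC; None means no opinion, inspect manually."""
    magic = MAGIC.get(Path(restored_path).suffix.lower())
    if magic is None:
        return None
    with open(restored_path, "rb") as fh:
        return fh.read(len(magic)) == magic


def cleanup_verified(root):
    """Delete .findzip and .bak copies only where the restored file checks out.

    Returns (removed, kept); kept lists encrypted files whose restored copy is
    missing or fails the header check, so nothing irreplaceable is lost."""
    removed, kept = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(ENCRYPTED_SUFFIX):
                continue
            enc = os.path.join(dirpath, name)
            restored = original_name(enc)
            if os.path.isfile(restored) and header_ok(restored) is True:
                os.remove(enc)
                bak = restored + BACKUP_SUFFIX
                if os.path.isfile(bak):
                    os.remove(bak)
                removed.append(enc)
            else:
                kept.append(enc)
    return sorted(removed), sorted(kept)


def make_sample_tree():
    """Constructed sample: a 256 B keyfile, one correctly restored .xlsx with
    its .bak, and one .pdf whose restoration produced garbage."""
    root = Path(tempfile.mkdtemp(prefix="findzip_rec_"))
    shared = root / "Users" / "Shared"
    shared.mkdir(parents=True)
    (shared / ".keyfile").write_bytes(bytes(range(256)))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "Budget_2024.xlsx.findzip").write_bytes(b"ciphertext")
    (docs / "Budget_2024.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    (docs / "Budget_2024.xlsx.bak").write_bytes(b"ciphertext")
    (docs / "Invoice.pdf.findzip").write_bytes(b"ciphertext")
    (docs / "Invoice.pdf").write_bytes(b"garbage")        # failed decryption
    return str(root)


if __name__ == "__main__":
    root = make_sample_tree()
    print("keyfile preserved:", preserve_keyfile(os.path.join(root, "Users", "Shared"), root))
    print("cleanup:", cleanup_verified(os.path.join(root, "Documents")))
```

Run preserve_keyfile before the decryptor and cleanup_verified after it; anything in the kept list still has its encrypted copy on disk and can be retried once the cause (bad keyfile, interrupted run, unknown extension) is understood.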
4. Other critical information
- Unique characteristics:
  – One of the first in-the-wild macOS-only ransomware families (it pre-dates ThiefQuest/EvilQuest).
  – “Polite” ransom note (“READMETORESTORE_FILES.txt”) asks for 0.25 BTC to address 1F1tAaz5x… but payment is pointless, since the files are decryptable for free.
  – The RSA private key is hard-coded and the per-victim session key never leaves the machine, so if the “.keyfile” is lost even the criminal cannot decrypt: an irony that undermined their own business model.
- Broader impact:
  – Demonstrated that macOS malware could encrypt roughly 3 000 files/min on SSDs, and fed into subsequent XProtect signature updates and the push toward mandatory notarisation.
  – Followed Linux.Encoder (2015) and KeRanger (March 2016) as part of the first wave of non-Windows ransomware, using the same trojanised-download delivery pattern.
  – Still referenced in security-awareness training to debunk the myth that “Macs don’t get ransomware.”
Bottom line: FindZip looks scary, but because the private key ships with the malware the damage is recoverable: clean the infection, preserve the “.keyfile”, fetch the free decryptor, verify the restored files, and then tighten your backup hygiene. Stay safe, stay patched, and remember: “free cracked stuff” is never free.