Merisa is a ransomware project for macOS by Shellbear.
Notice: This project was made for educational purposes only, so don't use it on computers you don't own! I don't hold any responsibility for the bad use of this tool; remember that attacking targets without prior consent is illegal and punished by law.
Here is an explanation of the Merisa process:
1) Generate a random 2048-bit public/private key pair to encrypt files.
2) Send the private key and useful information about the computer to the owner by mail, or post it to a website (Tor supported).
3) Find all files on the system, including external drives and iCloud files, and encrypt them using the 128-bit AES algorithm, which is unbreakable.
4) Then create an application on the Desktop with instructions and the decryption tool.
Merisa can bypass these tools:
BlockBlock: continually monitors common persistence locations and displays an alert whenever a persistent component is added to the OS.
RansomWhere?: by continually monitoring the file system for the creation of encrypted files by suspicious processes, RansomWhere? aims to protect your personal files, generically stopping ransomware in its tracks.
How should this script be executed?
When you launch the Merisa script, it creates a macOS application that has no GUI and simply executes the script. This app is not signed, which means that Gatekeeper will prevent the app from being executed by default, so you need the user to disable this protection.
To do this, ask the person to right-click on the app and select "Open",
or to disable Gatekeeper for the app under System Preferences > Security & Privacy > General
and select "Open Anyway".
All my files have been encrypted; can I recover them without the key?
This script has been made to ensure that you can't recover your files without the key. Still, there are some last-resort options to recover your files: you can use file-recovery tools such as Disk Drill.
During the process, Merisa encrypts files and deletes the previous versions of these files, which means
there is a minimal chance of recovering them with these tools.
However, this method is unlikely to succeed because during the process Merisa erases all free space
with a single-pass zero-fill to prevent files from being recovered.