A piece of ransomware targeting the Mac has been making the rounds on torrent sites. The ransomware disguises itself as an app installer for Little Snitch. The software itself isn’t especiall.

Even Macs Need Antivirus Protection. PCs get viruses; Macs don’t. You saw it on TV, so you know.

Cybersecurity researchers this week discovered a new type of ransomware targeting macOS users that spreads via pirated apps. According to several independent reports from K7 Lab malware researcher Dinesh Devadoss, Patrick Wardle, and Malwarebytes, the ransomware variant, dubbed 'EvilQuest', is packaged along with legitimate apps and, upon installation, disguises itself as Apple's. To ensure that victims see the ransom note, the ransomware displays a text-to-speech prompt that reads the ransom note aloud via the macOS built-in voice capabilities. In addition to its ransomware capability, ThiefQuest may contain a so-called keylogger, given the presence of calls to the system routine CGEventTapCreate.
Despite not being a big problem for Mac users yet, Patrick Wardle, lead researcher at Synack, has created a nifty little app that can identify ransomware-like behavior by detecting the quick creation of encrypted files, stop the suspicious process, and then alert the user.
Called RansomWhere, this tool is very similar to what Sean Williams created almost a month ago with his CryptoStalker project, a generic ransomware detection system for Linux.
RansomWhere can stop apps that generate a lot of encrypted content
Just like CryptoStalker, RansomWhere works by watching the user's local filesystem for the creation of a large number of encrypted files. Mr. Wardle's app goes a step further by temporarily suspending the process that generates the massive amount of encrypted content and prompting the user to verify and approve its actions.
RansomWhere may cause some false positives, but it's always better to be safe than sorry.
By default, RansomWhere scans unsigned Mac apps and binaries signed with an Apple developer ID. The only binaries RansomWhere ignores are those signed by official Apple certificates.
The downside is that if ransomware injects into and hijacks the process of an Apple-signed binary, the tool won't be able to pick it up. Another downside is that RansomWhere takes a little while to detect ransomware infections, by which time some files might already be encrypted.
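To make the behaviour described above concrete, here is a small added example (written for this post, not RansomWhere?'s own code) of the same heuristic: count encrypted-looking file creations per process inside a short window, skip anything signed by Apple, and flag the process for the user to review. The signer labels, thresholds, paths and file events are constructed assumptions; a real monitor would get them from a filesystem event source and code-signing checks.

```python
"""Toy ransomware-behaviour heuristic (added example, not RansomWhere?'s code).

Mirrors the behaviour the article attributes to RansomWhere: count files that
look encrypted (high byte entropy) created per process inside a short window,
ignore binaries signed by Apple itself, and flag the process for the user.
The events below are constructed sample data.
"""
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data approaches 8.0
MIN_FILE_SIZE = 64        # tiny files give unreliable entropy estimates
FILES_PER_WINDOW = 5      # encrypted-looking creations that trigger an alert
WINDOW_SECONDS = 10.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: large enough and near-maximal entropy."""
    return len(data) >= MIN_FILE_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


@dataclass
class FileEvent:
    ts: float       # seconds since monitor start
    pid: int
    signer: str     # constructed label: "apple", "developer-id" or "unsigned"
    path: str
    content: bytes  # bytes written to the newly created file


class RansomHeuristic:
    """Per-process sliding-window counter of encrypted-looking file creations."""

    def __init__(self):
        self.recent = defaultdict(deque)  # pid -> timestamps of suspicious writes
        self.flagged = set()

    def observe(self, ev: FileEvent) -> bool:
        """Return True the first time `ev.pid` crosses the alert threshold."""
        if ev.signer == "apple":
            # The stated blind spot: code running inside an Apple-signed
            # process is never inspected, so a hijacked one slips through.
            return False
        if not looks_encrypted(ev.content):
            return False
        window = self.recent[ev.pid]
        window.append(ev.ts)
        while window and ev.ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= FILES_PER_WINDOW and ev.pid not in self.flagged:
            self.flagged.add(ev.pid)  # the real tool would suspend and prompt here
            return True
        return False


def pseudo_ciphertext(seed: str, nbytes: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest()
              for i in range(nbytes // 32 + 1))
    return b"".join(blocks)[:nbytes]


def run_sample() -> list[int]:
    """Replay constructed events; return the pids the heuristic would flag."""
    events = []
    # pid 101: unsigned process rewriting six documents as ciphertext in 3 s
    for i in range(6):
        events.append(FileEvent(0.5 * i, 101, "unsigned",
                                f"/Users/me/Documents/doc{i}.enc",
                                pseudo_ciphertext(f"doc{i}")))
    # pid 202: Developer-ID app saving plain-text notes (low entropy, no alert)
    for i in range(6):
        events.append(FileEvent(0.5 * i + 0.1, 202, "developer-id",
                                f"/Users/me/notes{i}.txt",
                                b"meeting notes line\n" * 40))
    # pid 303: hijacked Apple-signed process behaving like pid 101 (missed)
    for i in range(6):
        events.append(FileEvent(0.5 * i + 0.2, 303, "apple",
                                f"/Users/me/Pictures/img{i}.enc",
                                pseudo_ciphertext(f"img{i}")))
    events.sort(key=lambda e: e.ts)
    h = RansomHeuristic()
    return [ev.pid for ev in events if h.observe(ev)]


if __name__ == "__main__":
    print("flagged pids:", run_sample())  # -> [101]
```

Only pid 101 is flagged: the plain-text writer never trips the entropy test, and the Apple-signed process is skipped outright, which is exactly the blind spot described above. Both the entropy threshold and the files-per-window count are the knobs that trade false positives against how many files are lost before the alert fires.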
Ransomware for Macs not yet a (big) problem
At the start of March, KeRanger, the first fully functional Mac-targeting ransomware appeared on the scene after it infected users via tainted versions of the Transmission BitTorrent client for Mac.
Before this, a Brazilian coder also created a proof-of-concept ransomware variant called Mabouia, which was never released and eventually handed over to Apple's security staff.
Ransomware is not yet a danger to the Mac ecosystem, and more Linux users have suffered from ransomware than Mac users. This statistic leans towards Linux users because of the many ransomware variants that target Linux servers, such as Linux.Encoder, CTB-Locker, and KimcilWare.
For users who like their privacy, just be aware that RansomWhere will ask for your Mac password in order to continually monitor your workstation's processes.
RansomWhere alerting users of a potential ransomware encryption process
Ransomware has gotten a lot of attention in the news recently, with businesses and hospitals paying thousands of dollars in Bitcoins to recover their systems. While OS X has generally been immune from virus and malware attacks, it was just recently that the KeRanger ransomware was found in the Transmission BitTorrent application installer. Now there’s protection for your Mac with RansomWhere?.
What is Ransomware?
For those not familiar with it, ransomware is a type of program that infects your system and secretly encrypts all of the files on your hard drive. When you boot up your computer, you are presented with a message requiring you to pay an amount (the ransom), usually in Bitcoins, to get your data unlocked. Refuse to pay within a stated time limit and your hard drive will be erased.
Ransomware Protection For Mac
While many Mac users have Time Machine on an attached external hard drive, a ransomware process can encrypt not only your internal hard drive but also your Time Machine files, leaving you no way to recover your system.
The good news (if you can call it that) is that upon payment, the hackers do provide the key needed to unlock your system. They do that to keep the revenue stream flowing, since people would stop paying the ransom if they didn’t get their data back.
By some estimates, hundreds or even thousands of new ransomware files are being released every day, which makes it difficult for conventional anti-virus programs to update their virus signature files quickly enough to catch the ransomware before it’s too late to save your data.
RansomWhere? To Protect Your Mac
Patrick Wardle, a former NSA staffer who now leads research at bug hunting outfit Synack, has developed the RansomWhere? tool, which aims at detecting and blocking generic ransomware on Mac OS X by regularly monitoring the user’s local filesystem for the creation of encrypted files by any process.
This free tool attempts to generically prevent ransomware from taking hold of your data, by detecting untrusted processes that are encrypting your personal files. Once such a process is detected, RansomWhere? will stop the process and present an alert to the user.
If the suspected ransomware is indeed malicious, the user can terminate the process. On the other hand, if it’s simply a false positive, the user can allow the process to continue executing.
Installation of RansomWhere? is straightforward. You can download the application zip file here. Once you expand the file, double click on the application icon to begin the installation process and you will get a window with the option to Install the application or Cancel it.
In order to continually monitor the file system for encrypted files, RansomWhere? requires system privileges and will request a password (via a standard authorization prompt) during installation.
That’s all there is to it. You won’t see anything different about your system. There are no icons in the menu bar and nothing in the Applications folder (although we put the program icon in our Applications folder for future reference). You pretty much have to take it on faith that RansomWhere? is sitting quietly in the background doing its thing. That said, every time the application starts, it reads the file ransomwhere.json, which contains the latest version number of RansomWhere?, and checks to see if a later version is available. Other than these version checks, no information is collected or transmitted; RansomWhere? has no other networking code and makes no other network connections.
Should you ever decide you no longer want RansomWhere? on your system, you can simply rerun the original application file (which is why we put it in our Applications folder), and this time you will be presented with an Uninstall option.
RansomWhere? is not perfect, nor does it claim to be, as the following are known issues:
That said, we are not aware of any other application that is designed to protect against ransomware on a generic basis, without the need to continuously update signature files. Also keep in mind that this is a 1.0 release, so further improvements may be coming.
The Bottom Line
When it comes to anti-virus software on a Mac, people have two very different opinions. There is the group that believes OS X is super safe and doesn’t need anti-virus software. They will often share stories about anti-virus software that caused more problems than it solved. Then there are those who say you can’t be too careful, always have anti-virus software running on their Macs, and update the virus signature files religiously.
Regardless of which position you support, we believe Ransomware presents a completely different level of concern that needs attention, beyond the more common anti-virus software.
We installed the RansomWhere? application a few days ago and haven’t seen any negative impact on our system, and we intend to continue to let it run to provide the extra level of protection it is intended to provide.
What is your opinion on anti-virus software? Do you use it and if so, which one do you use? What are your thoughts on ransomware? Do you plan to install the RansomWhere? application? Why not join the conversation and leave a comment below with your thoughts.
If you liked this article, please consider sharing it with your friends and leaving a comment below.
Also, don’t forget to “Like” us on Facebook and “Follow Us” on Twitter.