Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > News > Mac News > Security researcher releases new OS X ransomware detection tool

Security researcher releases new OS X ransomware detection tool
Thread Tools
NewsPoster
MacNN Staff
Join Date: Jul 2012
Status: Offline
Reply With Quote
Apr 26, 2016, 08:45 AM
 
A new OS X security tool has been developed and released by Mac security researcher Patrick Wardle. The new "RansomWhere?" tool monitors a user's Mac file system for untrusted processes that attempt to encrypt any files. Once an unusual process is detected, the tool stops the process after the encryption of a small handful of files, and alerts the user. The user can then choose whether to allow the process, or terminate it.


Although there are many non-ransomware encryption processes that can run on a Mac, Wardle's "RansomWhere?" tool detects the rapid creation of encrypted files by untrusted processes. By using mathematical calculations, Wardle was able to have his tool generically determine the difference between files that are being compressed, and files that are being encrypted.

Just in March, the first piece of Mac ransonware was detected, but only after having been downloaded by 6,500 users of the Transmissioon BitTorrent client. The KeRanger ransomware package was said to have been installed after hackers gained access to the main server hosting the download. According to the developers, the compromised installer was substituted for the legitimate installer without their knowledge.

The malware package was coded to contact its command and control servers over the Tor network, sending the Mac model number and UUID. With this information, an encryption key could then allow the control server to start encrypting user files, which could then only be accessed after paying a ransom. Apple has since patched the potential KeRanger exploit on all Macs.

Wardle notes that this early effort can be thwarted by astute malware developers, and while MacNN testing has shown that the utility is effective, there are reports that there are already work-arounds. However, he will continue to update the package as threats develop counter-measures. "Both this research and tool are version 1.0, meaning likely room for improvement," Wardle said in the release notes.

( Last edited by NewsPoster; Apr 26, 2016 at 12:09 PM. )
     
prl99
Senior User
Join Date: Mar 2009
Location: pacific northwest
Status: Offline
Reply With Quote
Apr 26, 2016, 10:34 AM
 
Has anyone verified that this software isn't itself ransomware or a trojan of some kind? I know he can't give it away through the App Store because it violates Apple's rules since this software installs a LaunchDaemon and works at a level that's not allowed through the App Store but I also would like his software verified by an independent software researcher to make sure it isn't simply contributing to the problem. Do I not trust anyone? Well, sometimes I don't especially when we're talking about these types of things.
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Status: Offline
Reply With Quote
Apr 26, 2016, 10:49 AM
 
Wardle, the developer, runs this place:

https://www.synack.com/solution/people/
     
prl99
Senior User
Join Date: Mar 2009
Location: pacific northwest
Status: Offline
Reply With Quote
Apr 26, 2016, 01:18 PM
 
Mike, the link behind your link is missing the ":" after https.
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Status: Offline
Reply With Quote
Apr 26, 2016, 02:47 PM
 
I can see it both in the forums, and on the homepage.

So, that's an interesting bug. I'll talk to the web team about it.
     
cache22nz
Fresh-Faced Recruit
Join Date: Dec 2012
Status: Offline
Reply With Quote
Apr 26, 2016, 05:01 PM
 
Patrick also blogs in some detail about this, and other security related matters, at https://objective-see.com/blog.html
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 09:45 PM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,