
Security researcher releases new OS X ransomware detection tool
NewsPoster
MacNN Staff
Join Date: Jul 2012
Apr 26, 2016, 08:45 AM
A new OS X security tool has been developed and released by Mac security researcher Patrick Wardle. The new "RansomWhere?" tool monitors a user's Mac file system for untrusted processes that attempt to encrypt any files. Once an unusual process is detected, the tool stops the process after the encryption of a small handful of files, and alerts the user. The user can then choose whether to allow the process, or terminate it.

Although there are many non-ransomware encryption processes that can run on a Mac, Wardle's "RansomWhere?" tool detects the rapid creation of encrypted files by untrusted processes. By using mathematical calculations, Wardle was able to have his tool generically determine the difference between files that are being compressed, and files that are being encrypted.

Just in March, the first piece of Mac ransomware was detected, but only after having been downloaded by 6,500 users of the Transmission BitTorrent client. The KeRanger ransomware package was said to have been installed after hackers gained access to the main server hosting the download. According to the developers, the compromised installer was substituted for the legitimate installer without their knowledge.

The malware package was coded to contact its command and control servers over the Tor network, sending the Mac model number and UUID. With this information, an encryption key could then allow the control server to start encrypting user files, which could then only be accessed after paying a ransom. Apple has since patched the potential KeRanger exploit on all Macs.

Wardle notes that this early effort can be thwarted by astute malware developers, and while MacNN testing has shown that the utility is effective, there are reports that there are already work-arounds. However, he will continue to update the package as threats develop counter-measures. "Both this research and tool are version 1.0, meaning likely room for improvement," Wardle said in the release notes.

( Last edited by NewsPoster; Apr 26, 2016 at 12:09 PM. )
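The detection idea in the post above, as an added worked example (this is illustration code written for this page, not RansomWhere?'s own source, and Wardle's actual thresholds and tests are not described in the article): both compressed and encrypted files have near-maximal byte entropy, so entropy alone cannot separate an archiver from ransomware. A chi-square test of the byte histogram against a uniform distribution can, because cipher output is statistically uniform while deflate output still carries Huffman and LZ77 structure. The example classifies file contents that way and then feeds a constructed stream of file-creation events into a small per-process monitor that ignores trusted processes and flags an untrusted one after its third encrypted-looking file, the point at which the real tool suspends the process and asks the user. The thresholds (7.5 bits/byte, chi-square 400, three files), the SHA-256 counter keystream standing in for a real cipher, the constructed pseudo-text and the pid/event format are all assumptions made for the example.

```python
"""Byte-statistics heuristic (entropy + chi-square) for telling encrypted files
from compressed ones, and a per-process monitor that flags an untrusted process
after a handful of such files. Added illustration, not RansomWhere?'s code."""
import hashlib
import math
import random
import zlib
from collections import Counter, defaultdict

MIN_SAMPLE = 4096        # below this a 256-bucket histogram is too sparse to judge
HIGH_ENTROPY = 7.5       # bits/byte; documents and source code sit far lower
CHI_RANDOM_MAX = 400.0   # about 6 sigma above the 255 expected for uniform bytes
FILES_BEFORE_ALERT = 3   # the "small handful" of files before suspending a process


def shannon_entropy(data: bytes) -> float:
    """Order-0 entropy in bits per byte (maximum 8.0); 0.0 for empty input."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Pearson chi-square of the byte histogram against uniform (non-empty input).
    Cipher output averages 255 (the degrees of freedom); deflate output keeps
    Huffman/LZ77 structure in its bytes and scores far higher at this sample size."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes) -> str:
    """'plain', 'compressed', 'encrypted' or 'too-small'; only the uniformity
    test separates the last two, since both have high entropy."""
    if len(data) < MIN_SAMPLE:
        return "too-small"
    if shannon_entropy(data) < HIGH_ENTROPY:
        return "plain"
    return "encrypted" if chi_square(data) <= CHI_RANDOM_MAX else "compressed"


class RansomMonitor:
    """Counts encrypted-looking files created per untrusted process. Trusted
    processes (e.g. Apple-signed or user-allowed) are skipped. On the
    FILES_BEFORE_ALERT-th hit the caller should SIGSTOP the process and ask
    the user whether to allow or terminate it."""

    def __init__(self, trusted_pids):
        self.trusted = set(trusted_pids)
        self.hits = defaultdict(int)

    def on_file_created(self, pid: int, content: bytes) -> str:
        if pid in self.trusted or classify(content) != "encrypted":
            return "ignore"
        self.hits[pid] += 1
        if self.hits[pid] < FILES_BEFORE_ALERT:
            return "ignore"
        return "suspend-and-alert" if self.hits[pid] == FILES_BEFORE_ALERT else "suspended"

    def user_allows(self, pid: int) -> None:
        # The user answered "allow": treat the process as trusted from now on.
        self.trusted.add(pid)


def sample_text(n_chars: int, seed: int = 1234) -> bytes:
    """Constructed pseudo-text with English-like letter frequencies (not a real
    document) so the compressor sees realistic literal statistics."""
    rng = random.Random(seed)
    letters = " etaoinshrdlcumwfgypbvkjxqz"
    weights = [18, 10, 7, 6.5, 6, 5.5, 5.4, 5, 4.9, 4.8, 3.4, 3.2, 2.2, 2.2,
               2, 1.9, 1.8, 1.6, 1.6, 1.5, 1.2, 0.8, 0.6, 0.1, 0.1, 0.1, 0.06]
    return "".join(rng.choices(letters, weights=weights, k=n_chars)).encode()


def toy_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in for a real cipher: XOR with a SHA-256 counter-mode keystream and a
    fresh nonce per file; statistically like AES-CTR output, which is all the
    heuristic sees. Toy code, never use it for real encryption."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(plaintext), 32)):
        block = hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(plaintext[off:off + 32], block))
    return bytes(out)


def build_samples() -> dict:
    # The same constructed text stored plain, zlib-compressed and encrypted.
    text = sample_text(300_000)
    return {"plain": text, "compressed": zlib.compress(text, 9),
            "encrypted": toy_encrypt(text, b"demo-key", b"file-0")}


def simulate() -> list:
    """Constructed event stream: pid 501 (trusted archiver) writes zlib output,
    pid 888 (unknown) writes plain text, pid 777 (unknown) encrypts files."""
    text = sample_text(300_000)
    chunk = lambda i: text[i * 65536:(i + 1) * 65536]
    events = [(501, zlib.compress(chunk(0))),
              (888, chunk(1)),
              (777, toy_encrypt(chunk(0), b"ransom-key", b"n0")),
              (777, toy_encrypt(chunk(1), b"ransom-key", b"n1")),
              (777, toy_encrypt(chunk(2), b"ransom-key", b"n2")),   # third hit
              (777, toy_encrypt(chunk(3), b"ransom-key", b"n3"))]   # already stopped
    monitor = RansomMonitor(trusted_pids={501})
    return [(pid, monitor.on_file_created(pid, blob)) for pid, blob in events]


if __name__ == "__main__":
    print({k: classify(v) for k, v in build_samples().items()}, simulate())
```

Running the file prints the classification of the plain, compressed and encrypted samples followed by the per-event decisions; pid 777 is only reported on its third encrypted file, which is the trade-off the post describes: a few files are lost before the process is stopped, in exchange for not prompting on every legitimate archiver or cipher. The same heuristic also shows the obvious evasion paths a malware author has (encrypting slowly, writing the output through a trusted process, or padding ciphertext so it no longer looks uniform), which is why the post calls this a first version.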
prl99
Senior User
Join Date: Mar 2009
Location: pacific northwest
Apr 26, 2016, 10:34 AM
Has anyone verified that this software isn't itself ransomware or a trojan of some kind? I know he can't give it away through the App Store because it violates Apple's rules, since this software installs a LaunchDaemon and works at a level that's not allowed through the App Store, but I also would like his software verified by an independent software researcher to make sure it isn't simply contributing to the problem. Do I not trust anyone? Well, sometimes I don't, especially when we're talking about these types of things.
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Apr 26, 2016, 10:49 AM
Wardle, the developer, runs this place:

https://www.synack.com/solution/people/
prl99
Senior User
Join Date: Mar 2009
Location: pacific northwest
Apr 26, 2016, 01:18 PM
Mike, the link behind your link is missing the ":" after https.
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Apr 26, 2016, 02:47 PM
I can see it both in the forums, and on the homepage.

So, that's an interesting bug. I'll talk to the web team about it.
cache22nz
Fresh-Faced Recruit
Join Date: Dec 2012
Apr 26, 2016, 05:01 PM
Patrick also blogs in some detail about this, and other security related matters, at https://objective-see.com/blog.html