A common misconception amongst Apple users is that unlike Windows users, they are not vulnerable to malware attacks. But while it’s true that they are not targeted as often, this is more a function of the Mac OS market share than its security: over 90% of personal computers run Windows, while only about 6% run Mac OS. This makes the Mac market much less attractive to the people creating malware.
But that doesn’t mean there aren’t people going after these users, and you should never assume that your system is immune to attack. Thanks to the new ransomware-as-a-service, MacRansom, some Apple users are learning this the hard way.
The Origin of MacRansom
We learned of this threat from a blog post by security researchers Rommel Joven and Wayne Chin Yick Low, who were able to obtain a copy of the malware – possibly the first case of RaaS targeting Mac – and study it for themselves.
The people behind MacRansom claim to be former security researchers at Yahoo and Facebook, claiming that their software engineering experience means that this RaaS will be high quality.
The creators claim that the reason they created this tool in the first place was that there was a lack of other attacks against the Mac platform. They also claim that the victims are more lucrative targets: “Mac users are willing to pay at least $1,000 for their computer files. As much as $26,500 was once collected from a small business owner.”
How it Works
The first thing MacRansom does is check to make sure that it is on a Mac environment and that it’s not being debugged (which would reveal the program’s intentions). If these conditions are not met, then the program terminates without doing anything.
Once these conditions are met, MacRansom creates a launch point, which allows the program to run at every start up and ensures that it will begin the encryption process at a specified “trigger time”.
As soon as this ticking time bomb reaches the trigger time, MacRansom will begin to lock down the host machine’s files, up to a maximum of 128. This is far fewer than most ransomware variants, though Joven and Low did not speculate as to why. They did say that MacRansom is “far inferior from most current ransomware targeting Windows,” so perhaps this was one of its shortcomings.
Once the host files are encrypted, MacRansom then presents a demand for 0.25 Bitcoin, which is currently valued at about $700.
One interesting and unpleasant detail about this ransomware variant is the fact that its TargetFileKey – which is used to encrypt and decrypt files – is randomly generated, and then lost when the malware terminates. There is no copy made, no record that is stored.
It is still technically possible at this point to decrypt the files with more difficult methods, but this strange feature makes Joven and Low skeptical that the malware author could decrypt the files after receiving payment. If your computer is infected, it will be very difficult to recover your files.
Staying Safe From MacRansom
When presented MacRansom, the victim will see a prompt stating that the program is from an unidentified developer. Clicking “Open” will give permission for the ransomware to run, so as long as you do not open files from unknown developers, you should be safe.
It is also worth mentioning that Joven and Low indicated that “this MacRansom variant is potentially being brewed by copycats as we saw quite a lot of similar code and ideas taken from previous OSX ransomware.” As a result, there will probably be others that come out in the following months, so we will re-emphasize the researchers’ advice:
“There are no perfect mitigations against ransomware. However, the impact can be minimized by doing regular backups of important files and being cautious when opening files from unidentified sources or developers.”
To learn more about the most common forms of ransomware today, the industries most targeted by ransomware and the critical solutions necessary to ensure your business's safety in the face of this growing threat, download the Datto Ransomware Report today.