CyberCrimeSecurityVirus

Researchers Discover Ransomware Targeting Mac OS

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

Even Apple users need to make sure they are backing up their files

Despite many people still thinking that Mac OS is safe from malware and viruses, Apple’s operating system is increasingly becoming a target for hackers and cyber criminals.

To illustrate this point, security researchers at Fortinet this week discovered a Ransomware-as-a-service (RaaS) that is specifically targeting Mac OS, using a web portal hosted in a TOR network to compromise devices.

After contacting the author via email and masquerading as hackers, the researchers were able to get access to a sample of the ransomware for analysis.

mac ransomware

 Mac-targeting

Upon opening the ransomware, the first thing it does is check that it is running on a Mac environment and that it is not being debugged. If these conditions are met, it creates a launch point which imitates a legitimate file to remain hidden on the device.

Once a specific ‘trigger time’ is met, which is previously agreed with the author, it starts encrypting targeted files up to a maximum of 128.

“As with other crypto-ransomware, the encryption algorithm is the core component that we spent most of our analysis time on,” the researchers write.

“Our goal was to find any RSA-crypto routine, however this piece of crypto-ransomware is not as sophisticated as other OSX crypto-ransomware that have been previously disclosed. It uses a symmetric encryption with a hardcoded key to hijack the victim’s files.”

There are two sets of symmetric keys used by the ransomware, a ‘ReadmeKey’ to decrypt a readme file that contains the ransom notes and instructions and a ‘TargetFileKey’ to encrypt and decrypt the victim’s files.

However, Fortinet notes that the encrypted files can no longer be decrypted once the malware has terminated. This is because the TargetFileKey doesn’t ever reside in the device’s memory and there is no function to communicate back to any C&C server, so there is no readily available copy of the decryption key.

“It is not every day that we see new ransomware specifically targeting Mac OS platform,” Fortinet concludes. “Even if it is far inferior from most current ransomware targeting Windows, it doesn’t fail to encrypt victim’s files or prevent access to important files, thereby causing real damage.

MacRansom is yet another example of the prevalence of the ransomware threat, regardless of the OS platform being run.”

Quiz:The world of cyber security in 2017