Ransomware has become the scourge of the web in recent months. Hospitals thrust back into the non-digital age, their files locked up until they paid hefty ransoms in Bitcoin. Schools suffering the same fate. A variant called Locky spreading like wildfire, nearly a million infections in a week. Another, Jigsaw, surfaced this week using imagery from the Saw film franchise to scare the pants off victims. Those are on top of more than 50 other families of ransomware, the most troublesome in recent memory being CryptoWall, robbing organizations and individuals of their funds. Government is even up in arms, the FBI issuing alerts and Congressmen calling for action.
But if you own an Apple Mac, there’s much less chance of your machine being infected with ransomware than if you’re a Microsoft user. Only one fully-functional sample has ever been seen — KeRanger, which infected under 7,000 Apple machines. Not only are there only a handful of examples, two of which were developed as research projects rather than genuine cybercriminal tools, but one professional hacker has developed a tool he believes will successfully prevent any current forms of ransomware infecting Mac OS X. And he believes that as long as criminals aren’t able to hack his tool, future forms of ransomware should be killed before they even have a chance to make a mockery of Apple security.
Patrick Wardle, a former NSA staffer who now heads research at bug hunting outfit Synack, created the software, ‘RansomWhere?’, after researching those few examples of Apple Mac ransomware and determining that anti-virus wasn’t up to snuff when it came to this insidious form of malware. He decided the best approach for detection was to write code that would detect untrusted processes that rapidly created encrypted files – the very modus operandi of ransomware. “The ransomware will likely encrypt a few files (ideally only two or three), before being detected and blocked,” Wardle wrote in a blog, shown to FORBES ahead of publication.
Wardle admits his tool isn’t perfect and could be circumvented by hackers who can detect RansomWhere? running on a Mac, removing its capabilities or finding a way to avoid detection. Files outside of a user’s home directory are not protected by the tool. Ransomware could, therefore, shift files outside that directory and lock them up. And, as RansomWhere? trusts all Apple-signed files as well as apps already installed on a Mac, it wouldn’t be able to help if the malware can abuse them.
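To make the heuristic and its limits concrete, here is an added illustration that is not RansomWhere?’s code and not from Wardle or Synack: a toy behavioural detector that flags an untrusted process rapidly creating high-entropy (likely encrypted) files under the home directory, and that, like the tool described above, ignores trusted signers and anything outside the home directory. The event format, the process names, the entropy threshold and the “three files in five seconds” rule are assumptions chosen for the example; the sample events and the pseudo-ciphertext are constructed test data.

```python
"""Toy behavioural ransomware detector (added example, not RansomWhere?'s code).
Rule modelled on the article: block an untrusted process that rapidly creates
encrypted-looking files in the user's home directory. The two documented
blind spots (trusted signers, paths outside home) are reproduced on purpose
so their effect can be seen."""
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float       # seconds since monitoring started (assumed event format)
    pid: int
    process: str
    signer: str     # "apple", "unsigned", ... (assumed code-signing label)
    path: str
    data: bytes     # leading bytes of the newly written file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, min_len: int = 1024, threshold: float = 7.5) -> bool:
    """Short files cannot reach high entropy, so demand a minimum length first."""
    return len(data) >= min_len and shannon_entropy(data) >= threshold


class RansomWatch:
    def __init__(self, home: str, trusted_signers=("apple",),
                 max_files: int = 3, window: float = 5.0):
        self.home = home.rstrip("/") + "/"
        self.trusted = set(trusted_signers)
        self.max_files = max_files          # encrypted files tolerated per window
        self.window = window                # seconds
        self._hits = defaultdict(deque)     # pid -> timestamps of encrypted writes

    def observe(self, ev: FileEvent) -> str:
        """Return 'allow', 'suspicious' or 'block' for one file-creation event."""
        if ev.signer in self.trusted:       # blind spot 1: trusted code is never blocked
            return "allow"
        if not ev.path.startswith(self.home):   # blind spot 2: only home is watched
            return "allow"
        if not looks_encrypted(ev.data):
            return "allow"
        hits = self._hits[ev.pid]
        hits.append(ev.ts)
        while hits and ev.ts - hits[0] > self.window:
            hits.popleft()                  # forget writes older than the window
        return "block" if len(hits) >= self.max_files else "suspicious"


def fake_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file
    (SHA-256 counter stream; constructed test data, not real ciphertext)."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


PLAINTEXT = b"Quarterly report: revenue up, costs flat. " * 40   # constructed, ~1.6 KB


def demo_events():
    """Constructed event stream: one Apple-signed write, then an unsigned
    process overwriting documents with ciphertext, ending outside home."""
    home = "/Users/alice"
    return [
        FileEvent(0.0, 501, "Pages", "apple", f"{home}/Documents/notes.pages", fake_ciphertext(1)),
        FileEvent(0.5, 777, "installer", "unsigned", f"{home}/Documents/a.txt", PLAINTEXT),
        FileEvent(1.0, 777, "installer", "unsigned", f"{home}/Documents/b.txt.enc", fake_ciphertext(2)),
        FileEvent(1.2, 777, "installer", "unsigned", f"{home}/Documents/c.txt.enc", fake_ciphertext(3)),
        FileEvent(1.4, 777, "installer", "unsigned", f"{home}/Pictures/d.jpg.enc", fake_ciphertext(4)),
        FileEvent(2.0, 777, "installer", "unsigned", "/tmp/e.enc", fake_ciphertext(5)),
    ]


def run_demo():
    watch = RansomWatch(home="/Users/alice")
    return [watch.observe(ev) for ev in demo_events()]


if __name__ == "__main__":
    for ev, verdict in zip(demo_events(), run_demo()):
        print(f"{verdict:10s} pid={ev.pid} {ev.process:10s} {ev.path}")
```

Running it shows the third encrypted write in the home directory being blocked after two “suspicious” ones, which is the “two or three files” cost Wardle describes, while the Apple-signed write and the write to /tmp pass straight through. A production monitor would hook the file-system event stream and check code signatures properly rather than trusting a label in the event; the point here is only the shape of the rule and where its coverage ends.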
“I’m hoping all the ransomware authors are high and overlook this [release],” said Wardle.
Despite those limitations, if you’re an Apple Mac user concerned about the rise of ransomware, it might be worth downloading rather than relying on anti-virus to save your hide. Version 1.0 of RansomWhere? is available from Wardle’s Objective-See site right now.
Microsoft Windows users have some help at hand too. In January, Malwarebytes announced a tool that also looks at the behaviour of suspected ransomware, stopping it from encrypting files. The software is in beta and is available for download.
UPDATE: Shortly after publication, Pedro Vilaca, a professional Apple Mac hacker who created the Gopher ransomware proof-of-concept, said he’d tweaked his malware to bypass RansomWhere? in a matter of minutes. Only 10 lines of code were needed, shifting the target files outside of the home directory and locking them up (a method outlined above).
Vilaca sent the below video showing how he moved and encrypted files, bypassing Wardle’s tool: