Generic Ransomware Detection Comes to OS X

Researcher Patrick Wardle today released a utility called RansomWhere? that, he says, performs generic ransomware detection on OS X: rather than recognizing known samples, it watches for untrusted processes that rapidly write encrypted files.

With each new unrelenting ransomware sample, security researchers understand that no matter how quickly antivirus signatures are updated or how rapidly decryptors are built and shared, current defenses will continue to fall short.

The problem is that most adequate defenses are sample-specific; Kaspersky Lab has built ransomware decryptors for CoinVault and Bitcryptor, and Cisco has a similar tool to unlock some TeslaCrypt infections, just to name two.

Generic defense mechanisms are few and far between. Easy Sync Solutions’ CryptoMonitor, which was acquired in January by Malwarebytes, for example, detects and blocks numerous samples on the Windows side before they’re able to execute and begin encrypting files.

On the OS X side there are admittedly few ransomware attacks, and even fewer generic detection mechanisms.

Wardle, director of research at Synack and a well-known OS X hacker, today released his own generic OS X ransomware detector, RansomWhere? The utility monitors the home directories on an OS X machine for untrusted processes that are encrypting files. When it sees one, RansomWhere? suspends the process and presents the user with an alert, then waits for the user to decide whether to allow the process to continue or to terminate it.

“I saw that existing approaches aren’t working,” Wardle said. “Antivirus has its shortcomings. KeRanger was signed with a legitimate Apple developer ID certificate that passed it off as a legitimate application. Gatekeeper is not going to block that. You’ve got to think outside the box and take an approach that is not specimen specific.”

KeRanger surfaced last month and was quickly labeled the first functional OS X ransomware sample by researchers at Palo Alto Networks. KeRanger rode along inside a Trojanized version of the Transmission BitTorrent client in an attempt to infect Mac users. Because it was signed with a valid Apple developer certificate, it looked legitimate and slipped past native OS X protections such as Gatekeeper. But the ransomware shot itself in the foot by including a three-day period during which it lay dormant before encrypting anything. That gave researchers a window to inform Apple and the Transmission project, so that the certificate could be revoked and the malware removed from the client downloads before most victims' files were touched.

“Ransomware is a great way for criminals to make a ton of money,” Wardle said. “If you hack a computer and get credit card numbers, most have no idea what to do with that [stolen] data. You have to approach someone to get money out of those credit cards.

“Now, you can write ransomware, and maybe crack a version of an app, put it up on Pirate Bay, and get a ton of infections and send me ransoms in Bitcoin. That’s what’s driving this; it’s easy money and kinda crazy.”

Wardle explains that his utility flags behavior as ransomware by first running a number of checks, the first of which is deciding whether to trust a running process. Processes signed by Apple, and processes the user has explicitly approved, are trusted and left alone. The utility then monitors the file activity of untrusted processes and examines each file they create or modify to determine whether its contents are encrypted. If an untrusted process creates encrypted files in quick succession, the utility suspends the process, generates an alert and asks the user how to proceed.

Wardle acknowledges that version 1.0 of the RansomWhere? utility has its limitations, and that the tool can be bypassed. Detection, he said, is reactive: the user is likely to lose a few files before an alert is generated and the offending process is suspended. The utility also trusts any binary signed by Apple, so it will not detect ransomware that runs by injecting code into such a signed process. Wardle has published full technical details of how the utility detects ransomware and handles running processes.
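The following is an added illustration of the detection logic described above and of the limitations just noted; it is not RansomWhere?'s own code. It assumes that "encrypted" is judged statistically (Shannon entropy plus a chi-square test against a uniform byte distribution, two of the statistics reported by the `ent` tool), that the trust decision is reduced to a signer name on each event (a real tool would check the code signature of the writing process), and that the thresholds, window sizes and the `RansomwareMonitor`/`observe` names are assumptions chosen for the example. The sample plaintext and the deterministic stand-in for ciphertext are constructed inline.

```python
# Added example, not RansomWhere?'s code. Thresholds, the trusted-signer list
# and the event shape are assumptions made for illustration.
import hashlib
import math
import os
import signal
import time
from collections import defaultdict, deque

MIN_SAMPLE = 1024              # bytes; shorter writes give unreliable statistics
ENTROPY_THRESHOLD = 7.5        # bits/byte; ciphertext ~8.0, English text ~4-5
CHI_SQUARE_THRESHOLD = 400.0   # vs. uniform bytes (255 dof, mean ~255 if random)
RATE_WINDOW = 5.0              # seconds
RATE_LIMIT = 3                 # encrypted files within the window before acting
TRUSTED_SIGNERS = {"Apple"}    # assumed stand-in for a real code-signature check


def randomness_stats(data):
    """Return (Shannon entropy in bits/byte, chi-square vs. uniform) for data."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    entropy = -sum((c / n) * math.log2(c / n) for c in counts if c)
    expected = n / 256
    chi2 = sum((c - expected) ** 2 / expected for c in counts)
    return entropy, chi2


def looks_encrypted(data):
    """True if data is statistically indistinguishable from random bytes.
    Entropy alone is a weak test; the chi-square statistic additionally
    rejects data whose byte frequencies are measurably skewed."""
    if len(data) < MIN_SAMPLE:
        return False
    entropy, chi2 = randomness_stats(data)
    return entropy > ENTROPY_THRESHOLD and chi2 < CHI_SQUARE_THRESHOLD


class RansomwareMonitor:
    """Per-process tracking of encrypted-file writes; the clock is injectable
    so the rate logic can be exercised without sleeping."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.events = defaultdict(deque)   # pid -> timestamps of encrypted writes
        self.approved = set()              # pids the user chose to allow

    def observe(self, pid, signer, data):
        """Classify one file write by pid: 'trusted', 'ignored', 'watch' or 'suspend'."""
        if signer in TRUSTED_SIGNERS or pid in self.approved:
            return "trusted"               # signed by Apple, or user-approved: never inspected
        if not looks_encrypted(data):
            return "ignored"
        now = self.clock()
        window = self.events[pid]
        window.append(now)
        while now - window[0] > RATE_WINDOW:   # drop events older than the window
            window.popleft()
        return "suspend" if len(window) >= RATE_LIMIT else "watch"

    def suspend(self, pid):
        """Freeze (not kill) the process so the user can still choose to allow it."""
        os.kill(pid, signal.SIGSTOP)

    def allow(self, pid):
        """User chose 'allow': remember the pid and let it run again."""
        self.approved.add(pid)
        os.kill(pid, signal.SIGCONT)


def pseudo_random_bytes(n, seed=b"ransomwhere-demo"):
    """Deterministic stand-in for ciphertext (constructed sample data)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def demo():
    """Replay a constructed sequence of file writes and return the verdicts."""
    ticks = iter([0.0, 0.5, 1.0])                 # fake clock, consumed per encrypted write
    monitor = RansomwareMonitor(clock=lambda: next(ticks))
    plaintext = b"The quick brown fox jumps over the lazy dog. " * 40
    ciphertext = pseudo_random_bytes(4096)
    return [
        monitor.observe(101, "Apple", ciphertext),     # Apple-signed: trusted, not inspected
        monitor.observe(202, "Unknown", plaintext),    # untrusted but writing plain text
        monitor.observe(202, "Unknown", ciphertext),   # first encrypted file: watch
        monitor.observe(202, "Unknown", ciphertext),   # second: still watching
        monitor.observe(202, "Unknown", ciphertext),   # third within 5 s: suspend
    ]
```

Two of the article's caveats are visible in `demo()`: the first two encrypted files are only "watched", so a reactive detector of this kind loses a few files before it acts, and anything signed by a trusted signer is never inspected at all, which is exactly the gap that code injected into an Apple-signed process would exploit. A practical deployment would also need to whitelist legitimate high-entropy writers (archivers, compressed images, disk-image tools), since compressed data passes the same statistical tests as ciphertext.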

In the meantime, Wardle said he isn’t done. Future iterations of RansomWhere? would ideally monitor all files on an OS X machine, not just user directories. He’d also like to push detection into the kernel and afford more protection at that level.

“This is the first tool where timing is paramount,” Wardle said.
