
It's time for MacRansom: New ransomware goes after MacOS

19 Jun 2017

Fortinet has warned of a Ransomware-as-a-Service (RaaS) offering that is making its home on a web portal hosted on the Tor network, but this one specifically targets MacOS.

Fortinet says that because 92% of computers run Windows and 6% run MacOS, Mac users are often fooled into thinking their systems are secure.

However, that thinking has been disproved, and Fortinet believes MacRansom could be one of the first RaaS offerings that target MacOS.

The ransomware demands 0.25 bitcoin, or around US$700, to decrypt files. The problem is, there may not be a way to decrypt them.

According to the creators, MacRansom has been designed for those who want to 'covertly retaliate' against another Mac user or those who want to attack 'unsuspecting family members, friends, colleagues and classmates'.

However, interested attackers must have physical access to the potential victim's Mac, unless they have social engineering skills that can trick users into downloading the ransomware. For an extra fee, the creators can deliver the ransomware over AirDrop and email.

Fortinet says it did not believe MacRansom was legitimate at first, so it dug deeper into the mystery and contacted the creators.

The creators claimed they were Facebook and Yahoo engineers - "professional developers with experience in software development and vast interest in surveillance".

They also claimed the ransomware is invisible to Mac users until scheduled execution time; can encrypt files using 128 bit encryption in less than a minute; and has no digital trace associating it with buyers.

According to MacRansom's FAQ section, Mac users are willing to pay as much as $1000 to get their computer files back. It even boasts that $26,500 was paid by one small business owner.

Fortinet examined the claims and found that the ransomware checks whether it is running in a Mac environment and whether it is being debugged.

Research also found that the encrypted files can't be decrypted once the malware has terminated. It does not try to communicate with a C&C server to obtain the key needed for file decryption.
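Because the files cannot be recovered once the encryption run finishes, the only defensive window is the encryption burst itself, which the creators claim completes in under a minute. The following Python script is an added example (not Fortinet's code and not taken from the MacRansom analysis) of the kind of heuristic an endpoint monitor applies: it measures the byte entropy of recently modified files and flags a directory only when several high-entropy rewrites land inside a short window, since a single encrypted archive or disk image is normal while many at once is not. The sample directory tree, the 7.5 bits-per-byte threshold, the 60-second window and the count of three are all constructed assumptions for the demonstration.

```python
import hashlib
import math
import tempfile
import time
from collections import Counter
from pathlib import Path
from typing import List, Optional

HIGH_ENTROPY = 7.5          # bits/byte; ciphertext and compressed data approach 8.0 (assumed threshold)
MIN_SAMPLE = 1024           # tiny files give noisy entropy, so ignore them
BURST_WINDOW_SECONDS = 60   # matches the "under a minute" claim in the article (assumed window)
BURST_THRESHOLD = 3         # this many high-entropy rewrites inside the window is suspicious (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_high_entropy(data: bytes) -> bool:
    """True when the sample is large enough to judge and looks like ciphertext."""
    return len(data) >= MIN_SAMPLE and shannon_entropy(data) >= HIGH_ENTROPY


def find_encryption_burst(root: Path, now: Optional[float] = None,
                          sample_bytes: int = 65536) -> List[Path]:
    """Return the high-entropy files modified within BURST_WINDOW_SECONDS,
    but only when at least BURST_THRESHOLD of them exist; otherwise an empty list."""
    now = time.time() if now is None else now
    recent: List[Path] = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if now - path.stat().st_mtime > BURST_WINDOW_SECONDS:
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)   # the file header is enough to judge entropy
        if is_high_entropy(head):
            recent.append(path)
    return recent if len(recent) >= BURST_THRESHOLD else []


def _pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted output: a deterministic SHA-256 counter
    stream gives high-entropy bytes without involving any real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


def build_demo_tree(root: Path) -> None:
    """Constructed sample data: one plaintext note and three files that look encrypted."""
    root.mkdir(parents=True, exist_ok=True)
    note = b"Quarterly figures, meeting notes and the usual office chatter.\n" * 64
    (root / "notes.txt").write_bytes(note)
    for i in range(3):
        (root / f"report{i}.docx").write_bytes(_pseudo_ciphertext(seed=i))


def demo() -> List[str]:
    """Build the sample tree in a temporary directory and return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Documents"
        build_demo_tree(root)
        return sorted(p.name for p in find_encryption_burst(root))


if __name__ == "__main__":
    for name in demo():
        print("suspicious high-entropy rewrite:", name)
```

In practice a monitor like this runs continuously on user data directories and raises an alert (or kills the writing process) as soon as the burst threshold is crossed, which is the behaviour to look for in the endpoint products the article recommends below; on its own, entropy is only a heuristic, and legitimate bulk compression or encryption jobs will trip it, so the count and window need tuning per environment.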

The company encourages users to be wary of opening files from unidentified sources and to make backups of their data, particularly as there may be no way to decrypt their files if they are affected by MacRansom.

"When it comes to security, the only constant is change, whether it is the way networks are evolving or how these changes are creating new opportunities for criminals," comments Aamir Lakhani, Fortinet Senior Security Strategist.

“It is imperative that companies approach security from a holistic perspective. This includes making sure that every device is protected across all threat vectors, including Mac devices that were thought to be secure.”

In response to this new wave of brazen ransomware attacks, Fortinet recommends that Mac users take the following preventive measures:

1. Apply patches and updates. Apple regularly provides security updates. Users must make sure they take the time to apply them.

2. Backup your device. Apple’s Time Machine service will automatically create full system backups, which means that should a system get ransomed, one could simply wipe the device and perform a full system restore from backup. Regularly scan backups for vulnerabilities and store these backups offline. Offline storage is vital because Time Machine backup systems are often persistently connected to the device being backed up, and risk being compromised during an attack.

3. Encrypt data stored on device. While this may not be effective against many ransomware variants, it is still a good practice as it can protect an organisation should any device become infected with malware that is designed to steal files and data.

4. Install an endpoint security client. Look for endpoint solutions that will not only protect your device, but tie that security back into your network security strategy, allowing you to leverage and share threat intelligence to better protect your device and its assets.

5. Deploy security that covers other threat vectors. As email is still the number one source for malware and infection, ensure that a robust email security solution is deployed. The same is true for web security tools, wired and wireless access controls, cloud-based security, and network segmentation strategies that help detect, isolate, and respond to threats found anywhere across a distributed environment.
