SECURITY RESEARCHERS have found the first evidence of ransomware-as-a-service (RaaS) affecting Apple machines, dubbed 'MacRansom.'
Fortinet's security research team, FortiGuard Labs, uncovered the tool, which uses a web portal hosted in a TOR network (an anonymous network that bounces the signal around a relay of volunteer computers, to conceal the source); an increasingly-popular form of attack. The variant is not readily available through the portal, and instead, buyers must contact the author(s) directly to build the ransomware.
MacRansom uses a basic delivery vector, in that the owner of the machine must agree to run a programme from an unidentified developer before the infection takes place, or have it physically installed from an external drive. If they do so, the ransomware will check two things: if it is being run in a non-Mac environment, and if it is being debugged. If either condition is not met, it will terminate.
The next step is to create a launch point (the file name purposefully mimics a legitimate file). The ransomware will run on every start up and encrypts on a specified trigger time. When that time comes, the ransomware begins to encrypt files on the computer - in what FortiGuard notes is a slightly unusual but still effective method. A maximum of 128 files will be locked.
FortiGuard was looking for any RSA-crypto routines; however, like the delivery vector, the ransomware itself is not very sophisticated and instead uses a symmetric encryption with a hardcoded key. Two sets of keys are used: ReadmeKey (0x3127DE5F0F9BA796), which decrypts the ransom notes and instructions, and TargetFileKey (0x39A622DDB50B49E9), which performs the encrypt/decrypt on the user's files.
TargetFileKey is altered with a random number generator: the encrypted files cannot be decrypted once the malware has terminated, in other words. It also has no function to communicate with the command and control server, so there is no readily-available copy of the key to use. While recovery of the TargetFileKey is still technically possible using a brute force attack, FortiGuard is ‘sceptical' of the author's claim to be able to decrypt the hijacked files.
Post-encryption of the targeted files, MacRansom encrypts com.apple.finder.plist and the original executable. It changes the time date stamp and then deletes them. This means that even if recovery tools are used to obtain the ransomware artefacts, the files will be of no use to them.
Users are instructed to contact a specific email address and send some of their encrypted files, which will be decrypted as proof. The author asks for 0.25 Bitcoin (about £540) to unlock all of the files.
Ransomware is still not common on Mac computers, and most found there today is significantly less advanced than that targeting Windows. However, MacRansom can still capably encrypt files.
FortiGuard believes that MacRansom is being developed by copycats, as it contains code and ideas that appear to have been taken from previous ransomware targeting OS X. µ
A whole new way to be tied to your ISP
Search giant puts Epyc chips at the heart of its datacentre servers
Notch-equipped handset quickly overtakes its cheaper siblings
Good news for developers; a collective shrug for everyone else