It's time for MacRansom: New ransomware goes after MacOS

19 Jun 2017

Fortinet has warned of a Ransomware-as-a-Service (RaaS) operation that has made its home on a web portal hosted on the Tor network, but this one specifically targets MacOS.

Fortinet says that because 92% of computers run Windows and 6% run MacOS, Mac users are often fooled into thinking their systems are secure.

However, that thinking has been disproved, and Fortinet believes MacRansom could be one of the first RaaS offerings to target MacOS.

The ransomware demands 0.25 bitcoin, or around US$700, to decrypt files. The problem is that there may not be any way to decrypt them.

According to the creators, MacRansom has been designed for those who want to 'covertly retaliate' against another Mac user or those who want to attack 'unsuspecting family members, friends, colleagues and classmates'.

However, interested attackers must have physical access to the potential victim's Mac, unless they have social engineering skills that can trick users into downloading the ransomware. For an extra fee, the creators can deliver the ransomware over AirDrop and email.

Fortinet says it did not believe MacRansom was legitimate at first, so it dug deeper into the mystery and contacted the creators.

The creators claimed they were Facebook and Yahoo engineers - "professional developers with experience in software development and vast interest in surveillance".

They also claimed the ransomware is invisible to Mac users until scheduled execution time; can encrypt files using 128 bit encryption in less than a minute; and has no digital trace associating it with buyers.

According to MacRansom's FAQ section, Mac users are willing to pay as much as $1000 to get their computer files back. It even boasts that $26,500 was paid by one small business owner.

Fortinet examined the claims and found that the ransomware performs anti-analysis checks: it verifies that it is running in a genuine Mac environment and checks whether it is being debugged.

Research also found that the encrypted files cannot be decrypted once the malware has terminated. It never attempts to communicate with a command-and-control (C&C) server, so the key needed for file decryption is not retrievable.

The company encourages users to be wary of opening files from unidentified sources and to make backups of their data, particularly as there may be no way to decrypt their files if they are affected by MacRansom.

“When it comes to security, the only constant is change, whether it is the way networks are evolving or how these changes are creating new opportunities for criminals,” comments Aamir Lakhani, Fortinet Senior Security Strategist.

“It is imperative that companies approach security from a holistic perspective. This includes making sure that every device is protected across all threat vectors, including Mac devices that were thought to be secure.”

In response to this new wave of brazen ransomware attacks, Fortinet recommends that Mac users take the following preventive measures:

1. Apply patches and updates. Apple regularly provides security updates. Users must make sure they take the time to apply them.

2. Back up your device. Apple’s Time Machine service will automatically create full system backups, which means that should a system get ransomed, one could simply wipe the device and perform a full system restore from backup. Regularly scan backups for vulnerabilities and store these backups offline. Offline storage is vital because Time Machine backup systems are often persistently connected to the device being backed up, and risk being compromised during an attack.

3. Encrypt data stored on the device. While this may not be effective against many ransomware variants, it is still good practice, as it can protect an organisation should any device become infected with malware designed to steal files and data.

4. Install an endpoint security client. Look for endpoint solutions that will not only protect your device, but tie that security back into your network security strategy, allowing you to leverage and share threat intelligence to better protect your device and its assets.

5. Deploy security that covers other threat vectors. As email is still the number one source of malware and infection, ensure that a robust email security solution is deployed. The same is true for web security tools, wired and wireless access controls, cloud-based security, and network segmentation strategies that help detect, isolate, and respond to threats found anywhere across a distributed environment.
