The first ransomware-as-a-service to hit MacOS?

MacRansom demands more than £500 to decrypt ransomed files

It is easy to believe that Macs are secure against ransomware - most, after all, targets Windows PCs; Fortinet's security research team, FortiGuard Labs, says that as much as 90 per cent of ransomware is aimed at Microsoft's OS, and only 6 per cent at MacOS.

However, the firm has found a variant that is supposedly the first evidence of ransomware-as-a-service (RaaS) affecting Apple machines. It is known as MacRansom.

The tool uses a web portal hosted in a TOR network (an anonymous network that bounces the signal around a relay of volunteer computers to conceal the source), an increasingly popular form of attack. The variant is not readily available through the portal; buyers must contact the author(s) directly to have the ransomware built.

How does it operate?

MacRansom uses a basic delivery vector: the owner of the machine must agree to run a programme from an unidentified developer before the infection takes place, or have it physically installed from an external drive. If they do so, the ransomware checks two things: whether it is being run in a non-Mac environment, and whether it is being debugged. If either is the case, it will terminate.

The next step is to create a launch point (the file name purposefully mimics a legitimate file). The ransomware will run on every start-up and encrypts at a specified trigger time. When that time comes, the ransomware begins to encrypt files on the computer, in what FortiGuard notes is a slightly unusual but still effective method. A maximum of 128 files will be locked.

FortiGuard looked for any RSA crypto routines; however, like the delivery vector, the ransomware itself is not very sophisticated, and instead uses symmetric encryption with a hardcoded key. Two keys are used: ReadmeKey (0x3127DE5F0F9BA796), which decrypts the ransom notes and instructions, and TargetFileKey (0x39A622DDB50B49E9), which encrypts and decrypts the user's files.

TargetFileKey is altered with a random number generator, which means the encrypted files cannot be decrypted once the malware has terminated. The malware also has no function to communicate with a command-and-control server, so there is no readily available copy of the key to use. While recovery of the TargetFileKey is still technically possible using a brute-force attack, FortiGuard is 'sceptical' of the author's claim to be able to decrypt the hijacked files.
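To make the recoverability argument concrete, here is an added example (not MacRansom's code and not Fortinet's analysis) that models the two-key scheme described above: the note key is static, while the file key is the static constant altered by a random value that lives only in process memory. The cipher (a repeating-key XOR stand-in) and the 16-bit width of the random alteration are constructed assumptions, since the article does not describe either.

```python
import os
import struct
from typing import Optional, Tuple

# The two 64-bit constants are the ones reported in the article.
READMEKEY = 0x3127DE5F0F9BA796      # static key for the ransom note
TARGETFILEKEY = 0x39A622DDB50B49E9  # static base key for the user's files
PERTURB_BITS = 16                   # assumed width of the random alteration (constructed)


def xor_with_key(data: bytes, key: int) -> bytes:
    """Stand-in symmetric cipher (assumption): XOR with the 8-byte key repeated."""
    kb = struct.pack(">Q", key)
    return bytes(b ^ kb[i % 8] for i, b in enumerate(data))


def encrypt_note(note: bytes) -> bytes:
    """The note key is hardcoded, so anyone holding the binary can decrypt notes."""
    return xor_with_key(note, READMEKEY)


def encrypt_file(content: bytes) -> Tuple[bytes, int]:
    """Per-run file key = static key XOR a random value that is never stored.

    The random value exists only in this process; once the process exits, nothing
    on disk or on any server holds it, which is why a decryptor cannot be promised.
    It is returned here solely so the demo can show that it is what recovery needs.
    """
    nonce = int.from_bytes(os.urandom(PERTURB_BITS // 8), "big")
    return xor_with_key(content, TARGETFILEKEY ^ nonce), nonce


def recover_file_key(ciphertext: bytes, known_plaintext: bytes) -> Optional[int]:
    """Known-plaintext brute force over the assumed perturbation space.

    Feasibility depends entirely on how wide the random alteration is: 2**16
    candidates is trivial, a full 64-bit alteration would not be searchable.
    """
    head = ciphertext[: len(known_plaintext)]
    for candidate in range(1 << PERTURB_BITS):
        key = TARGETFILEKEY ^ candidate
        if xor_with_key(head, key) == known_plaintext:
            return key
    return None
```

With a file whose first bytes are predictable (a format magic such as a PDF header, constructed below in the checks), the search recovers the per-run key only because the assumed perturbation is small.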

After encrypting the targeted files, MacRansom encrypts com.apple.finder.plist and the original executable. It changes the timestamp and then deletes them. This means that even if recovery tools are used to obtain the ransomware artefacts, the files will be of no use.

Users are instructed to contact a specific email address and send some of their encrypted files, which will be decrypted as proof. The author asks for 0.25 Bitcoin (about £540) to unlock all of the files.

Basic but dangerous

Ransomware is still not common on Mac computers, and most found there today is significantly less advanced than that targeting Windows. However, MacRansom can still capably encrypt files.

FortiGuard believes that MacRansom is being developed by copycats, as it contains code and ideas that appear to have been taken from previous ransomware targeting OSX.
