PINDROP BLOG

New macOS Ransomware Service Emerges

The ransomware scourge is beginning to creep, ever so slightly, into the Apple ecosystem, as researchers have discovered a new service hosted on the Tor network that will develop custom ransomware samples for buyers on demand.

The ransomware as a service model is not new, but this is believed to be the first one that targets macOS specifically. In order to gain access to the ransomware, a buyer would need to locate the portal on the Tor network and then get in touch with the creator via email. Weirdly, in their email response to inquiries, the MacRansom creators claim to be legitimate security researchers who saw a market need and decided to address it.

“We are engineers at Yahoo and Facebook. During our years as security researchers we found that there lacks sophisticated malewares [sic] for Mac users,” the email says, according to a post by Rommel Joven and Wayne Chin Yick Low of Fortinet, who analyzed the MacRansom malware

“We believed people were in need of such programs on MacOS, so we made these tools available for free. Unlike most hackers on the darknet, we are professional developers with extensive experience in software development and vast interest in surveillance. You can depend on our software as billions of users world-wide rely on our clearnet products.”

By corresponding with the ransomware creators over email, the researchers learned that they could specify the date and time when they’d like the ransomware to execute, as well as the ransom amount. After agreeing on the date and ransom amount, the researchers received the ransomware sample and began analyzing it. What they found was a relatively amateurish piece of malware, but one that could do some damage nonetheless.

MacRansom performs several anti-analysis checks, which is common for ransomware, and then copies itself to a specific location on the hard drive and waits for the execution time. Once that time comes, the ransomware begins its encryption routine. The malware only can encrypt 128 files and it uses a hardcoded key to encrypt the victim’s files.

“A remarkable thing we observed when reverse-engineering the encryption/decryption algorithm is that the TargetFileKey is permuted with a random generated number.  In other words, the encrypted files can no longer be decrypted once the malware has terminated – the TargetFileKey will be freed from program’s memory and hence it becomes more challenging to create a decryptor or recovery tool to restore the encrypted files,” Joven and Low said.

“Moreover, it doesn’t have any function to communicate with any C&C server for the TargetFileKey meaning there is no readily available copy of the key to decrypt the files. However, it is still technically possible to recover the TargetFileKey. One of the known techniques is to use a brute-force attack. It should not take very long for a modern CPU to brute-force an 8-byte long key when the same key is used to encrypt known files with predictable file’s contents. Nevertheless, we are still skeptical of the author’s claim to be able to decrypt the hijacked files, even assuming that the victims sent the author an unknown random file, as shown in Figure 12 ‘Ransom Note,’ which is not entirely true.”

Joven and Low said that while the MacRansom malware isn’t nearly as sophisticated as other pieces of macOS ransomware, it still poses a threat to users, especially given the ransomware-as-a-service model. That distribution mode potentially makes the ransomware available to a wide audience without any expertise or technical knowledge.

CC By license image by Quentin Meulepas

Webinar: Call Center Fraud Vectors & Fraudsters Analyzed