PINDROP BLOG

New Tool Detects Ransomware on OS X

Ransomware has become a serious threat for both businesses and consumers, and security researchers have had a difficult time addressing it, both in detection and cleanup. But now one researcher has developed a tool that he believes can work as a generic detection mechanism for ransomware on OS X systems.

Known as RansomWhere?, the tool provides a number of features and functions that are meant to detect when a piece of ransomware is active on a system and terminate the encryption process it’s using. While not as much of a problem on OS X as on Windows, ransomware is beginning to pop up on Apple machines. There are a number of OS X ransomware variants known to be active, most notably KeRanger, which was discovered in compromised BitTorrent clients last month.

“The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files,” an analysis of KeRanger by Palo Alto Networks says.

Patrick Wardle, a prolific OS X security researcher, decided to look at the ransomware problem on the platform and see if there was a method for generically detecting ransomware at work on a system before all is lost. He looked at a number of approaches and settled on the idea of monitoring the I/O operations on files and looking for untrusted processes that are quickly encrypting files. RansomWhere? has five basic functions, beginning with persistence on the machine, taking a baseline snapshot of the system, classifying the running processes, monitoring file I/O activity, and processing those I/O events indefinitely.

“I tested it against all publicly available OS X ransomware…It was able to generically detect all of them.”

Wardle said the tool works against all of the known ransomware variants for OS X.

“I tested it against all publicly available OS X ransomware (granted that’s only a few specimens, so the breadth of testing is somewhat limited). It was able to generically detect (and thus suspend) all of them,” Wardle said via email.

The RansomWhere? tool is installed as a launch daemon and remains running at all times. After the tool takes a baseline picture of the system, it classifies the running processes as either trusted or untrusted. All Apple processes are trusted, while most others are not. The tool then starts monitoring file I/O events and processing them. There are several pieces to the event processing step:

    1. is path of interest?
    2. is process trusted?
    3. is file encrypted?
    4. is (untrusted) process rapidly creating encrypted files? (note: if the answer is ‘NO’ to any of these, loop to #5)
    5. suspend process as it’s likely ransomware
    6. alert the user and handle the response (resume/terminate)
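The event-processing loop above, as an added example that is not RansomWhere?’s own code: a small Python model of steps 1 to 5 run over constructed file-creation events. The entropy threshold, the “rapid” window, the /Users/ path filter, the process IDs and the sample content are all assumptions; the tool’s real values are not given in the article.

```python
import math
from collections import defaultdict, deque
# Constructed thresholds; RansomWhere?'s real values are not given on the page.
ENTROPY_THRESHOLD = 7.5              # bits per byte; ciphertext approaches 8.0
RAPID_COUNT, RAPID_WINDOW = 3, 5.0   # N encrypted files within T seconds = "rapid"

def shannon_entropy(data: bytes) -> float:
    # Bits per byte. Ciphertext scores near 8.0, but so do compressed archives,
    # which is one source of the false positives the article mentions.
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class Monitor:
    def __init__(self, trusted_pids):
        self.trusted = set(trusted_pids)      # step 2: baseline trust classification
        self.recent = defaultdict(deque)      # pid -> timestamps of encrypted writes
        self.encrypted = defaultdict(list)    # pid -> encrypted paths it created

    def on_file_created(self, pid, path, content, ts):
        # Steps 1-5 for one event; returns (pid, encrypted_paths) on suspend, else None.
        if not path.startswith("/Users/") or pid in self.trusted:  # steps 1-2 (assumed prefix)
            return None
        if shannon_entropy(content) < ENTROPY_THRESHOLD:  # step 3: not encrypted
            return None
        self.encrypted[pid].append(path)
        window = self.recent[pid]
        window.append(ts)
        while ts - window[0] > RAPID_WINDOW:  # step 4: keep only recent timestamps
            window.popleft()
        if len(window) >= RAPID_COUNT:        # step 5: suspend (simulated by alerting)
            return (pid, list(self.encrypted[pid]))
        return None

# Constructed events: pid 100 is a trusted (Apple) process, 200 and 300 are not.
HIGH = bytes(range(256)) * 16   # uniform byte values: entropy exactly 8.0
TEXT = b"Quarterly report: revenue up 4 percent. " * 100

def run_demo():
    m = Monitor(trusted_pids={100})
    events = [(100, "/Users/alice/Library/cache.db", HIGH, 0.0),     # trusted: ignored
              (200, "/Users/alice/Documents/notes.txt", TEXT, 0.5),  # plaintext: ignored
              (300, "/Users/alice/Documents/a.docx.enc", HIGH, 1.0),
              (300, "/Users/alice/Documents/b.xlsx.enc", HIGH, 1.2),
              (300, "/Users/alice/Pictures/c.jpg.enc", HIGH, 1.4)]   # third in 5 s: suspend
    return [a for a in (m.on_file_created(*e) for e in events) if a]
```

The alert tuple carries the two pieces of information the article says the real dialog shows: the suspended process and the encrypted files it created.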

If RansomWhere? discovers a process that looks like ransomware, it will suspend it and notify the user with an alert dialog.

“Alerts shown by RansomWhere? contain two important pieces of information; the process that RansomWhere? has suspended (until the user allows or terminates it), and the list of encrypted files that the process has created. If the user trusts the process, or the files created by the process are legitimate, they should click ‘allow’ to allow the program to continue executing in an unabated manner. On the other hand, if the user does not recognize the process or the files it is creating, they should click ‘terminate’ to kill it,” Wardle said in a description of the new tool.

Wardle said in his description that there are some limitations to RansomWhere?, namely the fact that a piece of ransomware may be able to encrypt some files before the tool detects it and kicks in. He said there are some methods that could potentially address this, such as using file canaries or moving some code into the kernel. Ransomware authors have been improving their malware quickly, and Wardle said defenses have not been able to keep up.

“Sadly, current anti-virus solutions have proven ineffective at protecting users – so IMHO, another more generic methodology for detecting and thwarting ransomware is needed,” he said.

Wardle added that he has some other ideas about improvements for the next version of RansomWhere? too.

“I’d also like to continue trying to reduce false positives (the encryption classification algorithm can likely be improved, and maybe add some whitelisting for known good applications that create encrypted files). Also, as more OS X ransomware emerges, I’ll continue to study those to ensure the tool can generically detect those,” he said.

The back-and-forth game between malware authors and security researchers includes attempts by attackers to detect and disable security tools. For years, malware authors have included capabilities in their creations that can detect whether they’re being executed inside a virtual machine or sandbox, two telltale signs that the malware is being analyzed. Wardle said if a specific piece of ransomware targeted his tool, it could likely bypass it, but that doesn’t mean RansomWhere? isn’t effective.

“That is, the protections afforded by any security tool, if specifically targeted, can be bypassed. That is to say, if ransomware was designed to specifically bypass RansomWhere? it would likely succeed,” he said.

“My tool was designed to be generic though, so hopefully for any new ransomware (that isn’t directly attacking it) RansomWhere? can automatically defend against it!”

This story was edited on April 21 to add comments from Wardle.