Close this search box.

Written by: Mike Yang

The author of a generic detection tool for Mac OS X ransomware has updated the application, adding a number of new capabilities, including support for full file-system monitoring and support for older versions of the OS.
RansomWhere? is a tool written by security researcher Patrick Wardle for the purpose of detecting and stopping ransomware behavior on OS X machines. The application doesn’t use signatures or look for one or two specific ransomware variants, but instead monitors the file system and looks for untrusted processes that are encrypting files at a rapid rate. Wardle said RansomWhere? is effective against the limited number of known OS X ransomware samples“I tested it against all publicly available OS X ransomware (granted thats only a few specimens, so the breadth of testing is somewhat limited). It was able to generically detect (and thus suspend) all of them,” Wardle said via email.
Version 1.1 of RansomWhere? includes the ability to monitor the entire file system, an upgrade over the initial release, which monitored only the /users/* directory. The tool looks for untrusted processes that are rapidly encrypting files and checks for a few attributes, including whether the path is of interest, and then suspends the process and alerts the user. The user then can terminate the process. At the time of installation, the app takes a baseline snapshot of the computer to enumerate installed apps.
Patrick Wardle Podcast

The new version of RansomWhere? also includes support for versions of OS X back to 10.8 and has an improved installation process and better UI. Version 1.1 also now trusts all applications signed and verifies from the Mac App Store and whitelists a set of antimalware products.
Ransomware for OS X systems is still a much smaller issue than on Windows PCs, but the threat is real. The first real, functioning piece of OS X ransomware is called KeRanger and it was discovered in the wild in March. KeRanger was found in a compromised BitTorrent client and is capable of communicating with its command-and-control servers over Tor. As with anything else, where there is money to be made, more versions of Mac ransomware will emerge.
Wardle plans to continue development on RansomWhere?, working on reducing false positives and ensuring that the tool can detect any new variants of ransomware that pop up.