Ransomware is no respecter of reputation
Ransomware is no respecter of reputation

Mac computers are being targeted by a new strain of malware created to infect the OS.

In a blog post, security researchers Rommel Joven and Wayne Chin Yick Low of Fortinet said that they detected ransomware created for MacOS that is being offered as ransomware as a service (RaaS) on the Dark Web.

The RaaS uses a web portal hosted in a TOR network. Researchers said this could be the first time anyone has seen RaaS that targets the Apple operating system.

This MacRansom variant is not readily available through the portal. It is necessary to contact the author directly to build the ransomware, said researchers. “At first, we thought of it as a scam since there was no sample but to verify this we dropped the author an email and unexpectedly received a response.”

They got a response back from people claiming to be engineers at Facebook and Yahoo. In the email, the “engineers” said: “We believed people were in need of such programs on MacOS, so we made these tools available for free. Unlike most hackers on the darknet, we are professional developers with extensive experience in software development and vast interest in surveillance. You can depend on our software as billions of users world-wide rely on our clearnet products.”

The researchers eventual received a zip file of the malware and analysed it. The malware checks to see if it being run in a Mac environment and that it's not being debugged. If these conditions are not met, the ransomware terminates.

Otherwise, the malware encrypts Mac files with hardcoded symmetric keys called ReadMeKey and TargetFileKey. It stops after 128 files. The ransomware asks victims for 0.25 Bitcoin (£560) for the files to be decrypted.

Researchers said that when reverse-engineering the encryption/decryption algorithm, the TargetFileKey is permuted with a random generated number. “In other words, the encrypted files can no longer be decrypted once the malware has terminated – the TargetFileKey will be freed from program's memory and hence it becomes more challenging to create a decryptor or recovery tool to restore the encrypted files,” the researchers said.

“Moreover, it doesn't have any function to communicate with any C&C server for the TargetFileKey meaning there is no readily available copy of the key to decrypt the files.”

Researchers added that it was possible to recover the TargetFileKey using a brute force attack.

“It should not take very long for a modern CPU to brute-force an 8-byte long key when the same key is used to encrypt known files with predictable file's contents,” they said.

The researchers remained sceptical of the author's claim to be able to decrypt the hijacked files, even assuming that the victims sent the author an unknown random file.

Steve Mulhearn, ‎director of business development at Fortinet, told SC Media UK that cyber-criminals are motivated to target specific operating systems such as Mac and Windows by how high their chances of success are. In the past, when more people were using Windows than MacOS, it made more sense for cyber-criminals to focus their energies there, giving rise to the false perception that Apple products were more secure.

“However, as the number of people using MacOS increases, so too does the incentive for cyber-criminals to target them, so we can expect to see more malware tailored specifically to it,” he said. 

“Security companies must work more closely with Apple in order to find ways to combat this. Whilst Mac security programming etiquette remains much stricter than some of its competitors, it's important to remember that no operating system is perfect and any vulnerability, no matter how small, can be exploited for financial gain.” 

Pete Turner, consumer security expert at Avast, told SC that the discovery of new ransomware and spyware variants which target MacOS is hardly surprising, given the increase in open-source ransomware programs and licensed malware development found on hacking forums.

“Consumers need to be aware that the notion that there are more vulnerabilities in Windows than MacOS, which render it less secure, is a fallacy. Rather it's the smaller install base which makes MacOS a less attractive target for malware developers. Mac owners need to take the same precautions as PC owners when protecting their devices by using a reputable third-party antivirus software,” he said.

Peter Ewane, a security researcher at AlienVault, told SC that people generally assume when they are using Macs they are relatively safe from malware.

“This has been a generally true statement, but this belief is becoming less and less true by the day, as evidenced by the increasing diversity in Mac malware along with this name family. While this piece of Mac malware may not be the most stealthy program, it is feature rich and it goes to show that as OS X continues to grow in market share, we can expect malware authors to invest greater amounts of time in producing malware for this platform,” he said.