RansomWhere watches Mac processes for suspicious encryption operations and stops them before they cause any damage
Although ransomware is not yet a big problem for Mac users, Patrick Wardle, lead researcher at Synack, has created a nifty little app that can identify ransomware-like behavior by detecting the rapid creation of encrypted files, stop the suspicious process, and then alert the user.
Called RansomWhere, this tool is very similar to what Sean Williams created almost a month ago with his CryptoStalker project, a generic ransomware detection system for Linux.
RansomWhere can stop apps that generate a lot of encrypted content
Just like CryptoStalker, RansomWhere works by watching the user's local filesystem for the creation of a large number of encrypted files. Mr. Wardle's app goes a step further by temporarily suspending the process that generates the massive amount of encrypted content, and prompting the user to verify and approve its actions.
RansomWhere may cause some false positives, but it's always better to be safe than sorry.
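To make the detection idea above concrete, here is an added example (not RansomWhere's own code) of the generic heuristic: score each newly created file by byte entropy, keep a per-process sliding window of high-entropy creations, and flag the process once it exceeds a burst threshold, while skipping processes on a trusted list (standing in for the Apple-signed exemption). The thresholds, process IDs and sample file contents are constructed assumptions.

```python
import math
import random
from collections import defaultdict, deque

# Thresholds are constructed for this example, not RansomWhere's real parameters.
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext approaches 8.0, English text sits near 4-5
BURST_COUNT = 5          # high-entropy files from one process within the window
WINDOW_SECONDS = 10.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class EncryptionBurstDetector:
    """Per-process sliding window over creations of high-entropy files."""

    def __init__(self, trusted_pids=()):
        # Stand-in for RansomWhere's exemption of Apple-signed binaries.
        self.trusted = set(trusted_pids)
        self.recent = defaultdict(deque)  # pid -> timestamps of suspicious writes

    def observe(self, ts: float, pid: int, content: bytes) -> bool:
        """Record a file creation; True means `pid` should be suspended and the user asked."""
        if pid in self.trusted or shannon_entropy(content) < ENTROPY_THRESHOLD:
            return False
        q = self.recent[pid]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:  # drop events that fell outside the window
            q.popleft()
        return len(q) >= BURST_COUNT

def simulate() -> dict:
    """Constructed events: pid 1 trusted, pid 200 writing random bytes, pid 300 writing text."""
    rng = random.Random(1)
    det = EncryptionBurstDetector(trusted_pids={1})
    first_flag = {1: None, 200: None, 300: None}
    for i in range(6):
        rand_blob = bytes(rng.getrandbits(8) for _ in range(4096))
        text_blob = b"The quick brown fox jumps over the lazy dog.\n" * 90
        for pid, blob in ((1, rand_blob), (200, rand_blob), (300, text_blob)):
            if first_flag[pid] is None and det.observe(float(i), pid, blob):
                first_flag[pid] = float(i)
    return first_flag  # -> {1: None, 200: 4.0, 300: None}
```

Note the two weaknesses the article calls out are visible here: the trusted process writes the same random-looking data and is never flagged, and the untrusted one is only flagged on its fifth file, so four files were already written by then.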
By default, RansomWhere scans unsigned Mac apps and binaries signed with an Apple developer ID. The only binaries RansomWhere ignores are those signed by official Apple certificates.
The downside is that if ransomware injects into and hijacks the process of an Apple-signed binary, the tool won't be able to pick it up. Another downside is that RansomWhere takes a moment to detect ransomware infections, by which time some files might already be encrypted.
Ransomware for Macs not yet a (big) problem
At the start of March, KeRanger, the first fully functional Mac-targeting ransomware, appeared on the scene after it infected users via tainted versions of the Transmission BitTorrent client for Mac.
Before this, a Brazilian coder also created a proof-of-concept ransomware variant called Mabouia, which was never released and eventually handed over to Apple's security staff.
Ransomware is not yet a danger to the Mac ecosystem, and more Linux users have suffered from ransomware than Mac users. This statistic skews towards Linux users because of the many ransomware variants that target Linux servers, such as Linux.Encoder, CTB-Locker, and KimcilWare.
For users who value their privacy, just be aware that RansomWhere will ask for your Mac password in order to continually monitor your workstation's processes.