In his spare time, security expert Patrick Wardle (who’s also director of R&D at Synack) creates OS X security tools. The latest addition to his collection is RansomWhere?, a tool for foiling OS X crypto-ransomware.
Luckily for Mac users, OS X crypto-ransomware is not at all widespread and the impact of these threats has so far been very limited, but Wardle is not content to wait for crypto-ransomware to become a big problem for Mac users before doing something about it.
“I don’t claim to be an expert on ransomware, but after studying various specimens, a general (and obvious?) commonality seems to be that ransomware rapidly encrypts user files,” he noted. “So to me, this rapid encryption of user files seemed like a promising heuristic that could lead to the generic detection and prevention of ransomware.”
RansomWhere?, therefore, monitors file I/O events (via the FSEvents API in OS X), determines if a file is encrypted or not (via a mathematical construct), and determines if the process that creates the encrypted files is untrusted (in order to avoid constant false positives).
If the process is untrusted, it is suspended and the user is shown an alert asking whether the process should be allowed to continue or be terminated.
The tool trusts any process whose binary is signed by Apple, as well as applications that were already installed when it is first run.
“Everything else is assumed to be untrusted, and thus will generate an alert if detected rapidly generating encrypted files,” says Wardle, but he points out that these trust assumptions may be abused by ransomware with prior knowledge of them.
“For example, if the ransomware injects itself into a trusted Apple process at runtime to perform its encryption, this would likely allow it to remain undetected,” he explained.
Other limitations of the tool are that it currently checks only files created in users’ home directories, on the assumption that ransomware will most likely encrypt the user’s files in that location, and that a small number of files will probably already be encrypted before the tool detects and suspends the process.
Nevertheless, when tested with known malware samples, it works as it should.
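To make the heuristic concrete, here is an added Python sketch (not Wardle's code and not how RansomWhere? is actually implemented) that models the three checks described above: a per-file test for encrypted-looking content, a trust list for the writing process, and a count of such writes per process within a short window, restricted to the home directory. A Shannon entropy threshold stands in for the unspecified "mathematical construct", and the paths, pids, thresholds and event stream are constructed assumptions.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict, deque
HOME = "/Users/alice"     # assumed home directory of the monitored user
ENTROPY_THRESHOLD = 7.0   # bits/byte; assumption: ciphertext is near 8, text around 4-5
WINDOW_SECONDS = 5.0      # assumption: "rapid" means BURST_THRESHOLD encrypted files
BURST_THRESHOLD = 3       # written by one untrusted process within this window

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample; 8.0 means every byte value is equally common."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    # Tiny files give unreliable entropy estimates, so they are never flagged.
    return len(data) >= 64 and shannon_entropy(data) > ENTROPY_THRESHOLD

class RapidEncryptionDetector:
    def __init__(self, trusted_pids, home=HOME):
        self.trusted = set(trusted_pids)   # Apple-signed / pre-installed processes (assumed)
        self.home = home
        self.recent = defaultdict(deque)   # pid -> timestamps of encrypted-file writes

    def handle_event(self, ts, pid, path, data):
        """Return 'suspend' when pid should be paused pending the user's decision."""
        if (pid in self.trusted or not path.startswith(self.home + os.sep)
                or not looks_encrypted(data)):
            return None                    # trusted, outside home, or not ciphertext
        q = self.recent[pid]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:
            q.popleft()                    # drop writes that fell out of the window
        return "suspend" if len(q) >= BURST_THRESHOLD else None

def run_sample():
    """Constructed event stream (not real FSEvents output): (time, pid, path, bytes)."""
    cipher = b"".join(hashlib.sha256(b"k" + bytes([i])).digest() for i in range(32))
    text = b"Quarterly report: revenue up 4 percent.\n" * 30
    det = RapidEncryptionDetector(trusted_pids={100})   # pid 100 plays an Apple-signed app
    events = [(0.0, 100, "/Users/alice/Documents/a.doc", cipher),   # trusted: ignored
              (0.1, 200, "/Users/alice/Documents/b.doc", text),     # plaintext: ignored
              (0.2, 200, "/Users/alice/Documents/c.doc", cipher),   # 1st encrypted write
              (0.3, 200, "/tmp/d.tmp", cipher),                     # outside home: ignored
              (0.4, 200, "/Users/alice/Documents/e.doc", cipher),   # 2nd
              (0.5, 200, "/Users/alice/Pictures/f.jpg", cipher)]    # 3rd in 5 s: suspend
    return [det.handle_event(*e) for e in events]
```

The sketch also shows the two limitations the article names: writes outside the home directory are invisible to it, and the first encrypted files are already written by the time the burst count trips.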
Since this is a new piece of software, Wardle says that it might be unstable or contain bugs, so he warned users to use it at their own risk. Also, he pointed out that they should not be alarmed that the software asks them for their computer password.
“In order to continually monitor the file-system for encrypted files, RansomWhere? requires system privileges. As such, the tool requests a password (via a standard authorization prompt) during installation/uninstallation,” he explained.