Security researcher Patrick Wardle has been looking at ways to generically detect ransomware attacks on Mac OS X systems and he has developed a tool that appears to be capable of accomplishing the task.
Wardle, director of research at Synack, is well-known in the industry for bypassing Apple’s Gatekeeper security feature. The expert has developed several OS X security tools in the past and on Wednesday he announced the release of a new one.
The tool, named “RansomWhere?”, is designed to detect and block any type of file-encrypting ransomware on OS X by continually monitoring the file system for the creation of encrypted files by suspicious processes.
There have been several reports over the past years about ransomware targeting Mac OS X users. Early threats were designed to simply lock users’ browsers and could be easily removed, but newer ransomware, such as KeRanger, poses a more serious threat.
KeRanger, which is considered the first fully functional ransomware targeting OS X, attempts to encrypt 300 different file types on infected systems. The malware bypassed Gatekeeper because it was delivered via a compromised installer that was signed with a valid app development certificate issued by Apple.
After analyzing various pieces of ransomware, Wardle came up with the idea that such threats can be generically identified by monitoring file I/O events and detecting the rapid creation of encrypted files by untrusted processes. For this, he needed to find ways to monitor file I/O events, determine if a file is encrypted, and identify untrusted processes.
There are several tools and methods that can be used to monitor file I/O events on OS X, including dtrace, fs_usage, OpenBSM, and fsevents. The expert chose to use fsevents directly, which he also leveraged in another one of his tools, BlockBlock.
In order to determine if a file is encrypted, Wardle used available documentation on differentiating encryption from compression based on mathematical calculations.
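The detection rule described above, as an added example (not RansomWhere?'s own source): the page only says encryption is told apart from compression by "mathematical calculations", so this sketch assumes a Shannon entropy check plus a chi-square uniformity test; the thresholds, process ids and file events are constructed for the example.

```python
import math
import os
from collections import Counter, defaultdict, deque

# Thresholds are assumptions for this example, not RansomWhere?'s own values.
ENTROPY_MIN = 7.5        # bits/byte; ciphertext and random data approach 8.0
CHI_SQUARE_MAX = 400.0   # 256-bin chi-square; ~255 is expected for uniform bytes
RATE_THRESHOLD = 3       # encrypted files from one process inside the window
WINDOW_SECONDS = 5.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def chi_square(data: bytes) -> float:
    """Chi-square distance of the byte histogram from a uniform distribution."""
    if not data:
        return float("inf")
    expected, counts = len(data) / 256, Counter(data)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))

def looks_encrypted(data: bytes) -> bool:
    # Compressed output is also high-entropy; the chi-square test separates it,
    # since compressors leave headers and symbol skew that ciphertext lacks.
    return shannon_entropy(data) >= ENTROPY_MIN and chi_square(data) <= CHI_SQUARE_MAX

class RansomwareDetector:
    """Flags an untrusted process that rapidly creates encrypted files."""
    def __init__(self, trusted_pids):
        self.trusted = set(trusted_pids)
        self.events = defaultdict(deque)   # pid -> timestamps of encrypted writes

    def on_file_created(self, pid: int, ts: float, data: bytes) -> bool:
        # One file-creation event, as an fsevents monitor would deliver it.
        if pid in self.trusted or not looks_encrypted(data):
            return False
        q = self.events[pid]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q) >= RATE_THRESHOLD

def demo_events() -> list:
    """Constructed sample: untrusted pid 200 writes four random-byte files in 1.5 s."""
    det = RansomwareDetector(trusted_pids={100})
    return [det.on_file_created(200, 0.5 * i, os.urandom(4096)) for i in range(4)]
```

The third random-byte file inside the window trips the rate threshold, while a process on the trusted list never does, whatever it writes.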
The researcher told SecurityWeek that the same principle could also work on Windows and Linux operating systems. When he came up with the idea for RansomWhere?, Wardle found discussions about CryptoMonitor, an apparently similar Windows anti-ransomware tool that Malwarebytes has started integrating in its products.
It seems that tools to fight back against ransomware are finally being released. On the other hand, this type of malware ended up being a very efficient way for crackers to earn their cash, so we must expect a long coding war. On one side, crackers. On the other side, researchers & analysts. In the middle, users.
Original article: New Tool Aims to Generically Detect Mac OS X Ransomware | SecurityWeek.Com