Ransomware is shaping up to be a bigger, badder threat in 2017 than in just about all the years prior combined since the appearance of the first noted ransomware infection. And from last week's reveal of SambaCry, the Linux flavor of the WannaCry vulnerability, it seems Windows and Linux users have their work cut out for them.
But what of Apple users? Surely, you don't think they're immune to all of this. If you do, then step into my office... I have got a bridge to sell you.
But seriously, Mac malware has been ramping up just as fast as other OSes with no slowing down in sight with a 744% increase in 2016, according to a report by McAfee. With the combination of increased market share and end-user base, this makes macOS a prime target for attackers.
SEE: 17 tips for protecting Windows computers and Macs from ransomware (free PDF) (TechRepublic)
As malware evolves, the tools to protect against it must as well. Enter RansomWhere? by Objective-See. Designed as a heuristics-based tool, its aim is to "generically thwart OS X ransomware" by identifying the single common-point to all ransomware: creating encrypted files on an infected system.
RansomWhere? actively monitors the system for processes that are encrypting files and then halts the thread temporarily (this is how other similar applications work, too)—it does now detect infections. The user is alerted to this encryption attempt and prompted to either allow the thread to continue or terminate it altogether, stopping the encryption dead in its tracks.
How to install the RansomWhere? app
The installation process is rather simple. It can be executed by launching the installer that is extracted from the ZIP file, or it can be scripted. For deployment purposes, the scripted install is included here. (Please note: Newer versions of the app use a slightly different command to install than what is reported on the Objective-See website.)
- Extract the installer to a network share or local directory.
- Launch Terminal.
- Enter the path to the installer's command line-based executable and press Enter to install.
sudo /Server/share/RansomWhere_installer.app/Contents/MacOS/RansomWhere_installer -install
Admin credentials are required to complete the installation. Once it's done, the words "install ok!" will be echoed back on-screen to confirm a successful installation (Figure A).
To verify the installation, open the Activity Monitor and select View | All Processes. Search for the process titled RansomWhere to confirm it is operational.
During its initial loading, the app will run in the background and utilize a significant amount of CPU resources. This is normal as the app runs an inventory of your system to whitelist currently installed applications and create a baseline from which to start active monitoring. After a few minutes, the CPU % will drop down to its normalized operating percentage of 0.2% (Figure B) (Figure C).
SEE: Cybersecurity spotlight: The ransomware battle (Tech Pro Research)
In order to properly vet a security application, you should test it against real-world threats—how else are you going to know that the app actually does what it claims?
With that mind-set, I prepared a test with a freshly installed copy of macOS Sierra, no updates, an unfiltered network connection to the internet, and approximately 2 GB worth of file types that ransomware is known to target, such as DOCs, PDFs, and JPGs. Lastly, I decided to go with the KeRanger ransomware, so I installed and ran the infection app on the system, verifying that the system had become infected (Figure D).
Testing and results
After letting the system run unfettered for several days, I found that the files did not become encrypted, though not because of RansomWhere? but, for some odd reason, it simply did not happen. Call it a fluke or just plain luck. I checked, and RansomWhere? was still running on the system, and there was no activity from the command and control (C&C) server accessed by KeRanger during the initial infection stage.
With the test not fully being able to realize RansomWhere?'s potential, I decided to switch gears and create a small app in Automator that when executed would cause megabytes of data to be copied and encrypted on the Desktop (Figure E) (Figure F).
I ran this test twice. The first time I ran it from the system after it had created the baseline with no interference from RansomWhere?. The second time I cleared the list of known applications that were approved by RansomWhere? by running the command below (Figure G):
sudo /Library/Objective-See/RansomWhere/RansomWhere -reset
After running the test again a second time after removing Automator from the list and prior to rerunning the baseline again, my test app successfully copied and encrypted files on the system without so much as a peep from RansomWhere?. When attempting to access the files, the password prompt appeared, meaning the files were encrypted and inaccessible (Figure H) (Figure I).
The bottom line
From my experience, though RansomWhere? is a great concept, the fact that it did not trigger any form of alert or response while the system was infected, nor while files were being intentionally encrypted, does not bode well for the application.
After the initial installation phase on another Mac, I was installing an application, and lo and behold, it did trigger a warning. Correctly identifying the application being installed, the process and the files that were being encrypted. The prompt stayed up for more than five minutes until I clicked Allow to proceed with the process and complete the install. This tells me that there is a lot of potential in RansomWhere? and that perhaps the application should be tweaked to be less user friendly and more adept at halting processes it deems to be a potential threat. After all, isn't that what we demand of other applications and devices charged with providing security (Figure J)?
In theory, the logic is sound. It's similar to a firewall prompting authorization to establish an incoming or outgoing connection before it can be made. Yet unlike a firewall—which, by default, trusts nothing until explicitly allowed manually or by using pre-configured rules—RansomWhere? trusts all existing apps and processes upon installation. This does not bode well for apps that may contain malicious code that triggers an encryption of data after being dormant—a common function of many malware infections. It also does not protect against any application that may have existed prior to installation that could be compromised via a vulnerability down the road.
- Ransomware-as-a-service schemes are now targeting Macs too (ZDNet)
- 7 ways to protect your Apple computers from ransomware (TechRepublic)
- Video: Ransomware-as-a-service is causing mayhem (TechRepublic)
- Ransomware: The most important thing you can do not to be a victim (TechRepublic)
- How to avoid ransomware attacks: 10 tips (TechRepublic)
- The ransomware debate: Should you pay to get your data back? (TechRepublic)
- After WannaCry, ransomware will get worse before it gets better (ZDNet)
- Computer Hacking Forensic Investigation & Penetration Testing Course Bundle (TechRepublic Academy)
Have you used RansomWhere? at your organization? If so, what was your experience with the product? We'd like to hear from you below in the comments section.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.