MacRansom Provides an Unwelcome Reminder that Apple Users Aren’t Exempt from Malware

By Luke Robbins

A common misconception amongst Apple users is that unlike Windows users, they are not vulnerable to malware attacks. But while it’s true that they are not targeted as often, this is more a function of the Mac OS market share than its security: over 90% of personal computers run Windows, while only about 6% run Mac OS. This makes the Mac market much less attractive to the people creating malware.

But that doesn’t mean there aren’t people going after these users, and you should never assume that your system is immune to attack. Thanks to the new ransomware-as-a-service, MacRansom, some Apple users are learning this the hard way.

The Origin of MacRansom

The story of this threat originated from a recent blog post by security researchers Rommel Joven and Wayne Chin Yick Low, who were able to obtain a copy of the malware – possibly the first case of RaaS targeting Mac – and study it for themselves.

The people behind MacRansom claim to be former security researchers at Yahoo and Facebook, and say that their software engineering experience means this RaaS will be high quality.

Source: Fortinet

The creators claim that the reason they created this tool in the first place was that there was a lack of other attacks against the Mac platform. They also claim that the victims are more lucrative targets: “Mac users are willing to pay at least $1,000 for their computer files. As much as $26,500 was once collected from a small business owner.”

How it Works

The first thing MacRansom does is check to make sure that it is on a Mac environment and that it’s not being debugged (which would reveal the program’s intentions). If these conditions are not met, then the program terminates without doing anything.

Once these conditions are met, MacRansom creates a launch point, which allows the program to run at every startup and ensures that it will begin the encryption process at a specified “trigger time”.

As soon as this ticking time bomb reaches the trigger time, MacRansom will begin to lock down the host machine’s files, up to a maximum of 128. This is far fewer than most ransomware variants, though Joven and Low did not speculate as to why. They did say that MacRansom is “far inferior from most current ransomware targeting Windows,” so perhaps this was one of its shortcomings.

Once the host files are encrypted, MacRansom then presents a demand for 0.25 Bitcoin, which is currently valued at about $700.
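The launch point described above is the kind of persistence a defender can look for on a Mac. The following script is an added example, not code from the article or from the researchers' analysis: it lists launchd property lists added or modified in the last few days under the standard macOS launch-item directories and prints the program each one starts. The helper takes its directory as an argument so it can be run on any POSIX system; the plist parsing is deliberately dependency-free and crude.

```shell
#!/bin/sh
# Added example: hunt for recently added launchd items (persistence).
# Not part of the article; the directory paths below are the standard
# macOS launch-item locations.

# find_recent_launch_items DIR DAYS
#   Prints "<path>\t<program>" for every *.plist directly under DIR that was
#   modified within the last DAYS days. The program is taken from the first
#   <string> that follows the Program or ProgramArguments key.
find_recent_launch_items() {
    dir=$1
    days=$2
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -name '*.plist' -mtime "-$days" 2>/dev/null |
    while IFS= read -r plist; do
        # Flatten the file to one line, then pull the first <string> after
        # <key>Program</key> or <key>ProgramArguments</key><array>.
        prog=$(tr -d '\n' < "$plist" |
            sed -n 's/.*<key>Program\(Arguments\)\{0,1\}<\/key>[[:space:]]*\(<array>[[:space:]]*\)\{0,1\}<string>\([^<]*\)<\/string>.*/\3/p')
        printf '%s\t%s\n' "$plist" "${prog:-<no Program key found>}"
    done
}

# Stand-alone run: review everything added in the last 7 days. Anything
# here that you or your software vendors did not install deserves a look,
# since a launch item is what lets a program like MacRansom survive reboots.
for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
    find_recent_launch_items "$d" 7
done
```

On a macOS host the same job can be done more robustly with `plutil -p` on each file; the sed approach is only there to keep the example portable.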

Decryption Issues

One interesting and unpleasant detail about this ransomware variant is the fact that its TargetFileKey – which is used to encrypt and decrypt files – is randomly generated, and then lost when the malware terminates. There is no copy made, no record that is stored.

It is still technically possible at this point to decrypt the files with more difficult methods, but this strange feature makes Joven and Low skeptical that the malware author could decrypt the files after receiving payment. If your computer is infected,

Source: Business 2 Community
