Early this month, researchers started publishing warnings about a new, free, macOS-based ‘Ransomware as a Service’ (RaaS) which has recently emerged. The Mac specific ransomware has been dubbed ‘MacRansom’.
The tool uses a web portal hosted in a TOR network, which is becoming a more popular method of attack.
Note: A TOR Network is an anonymous network that bounces the signal between volunteer computers, to disguise the source.
However, MacRansom is not accessible through this portal. Cyber-criminals have to email the authors directly to get the ransomware built for them. Fortinet’s Fortiguard Labs research team were able to contact the authors and get a response back. The Authors claim to be engineers at Yahoo and Facebook, and explain that there is a growing need to provide malware for the MacOS.
Below is an extract from the email sent to Fortinet researchers:
“We believed people were in need of such programs on macOS, so we made these tools available for free. Unlike most hackers on the darknet, we are professional developers with extensive experience in software development and vast interest in surveillance,” the email reads, “You can depend on our software as billions of users world-wide rely on our clearnet products.”
The researchers had a lengthy email conversation with the authors, working out details such as the Bitcoin amount a victim would have to pay, the Bitcoin address, when the ransomware could be triggered, and if it could be executed via USB. The end result was that they were sent a zip file containing the ransomware, which they were then able to analyse.
The first thing to occur was a prompt that popped up stating that the program was from an unidentified developer. Clicking open allowed the ransomware to run. The researchers concluded that provided users don’t open the file, or any file from an “unknown developer”, they should be safe.
In the event the file was triggered, the ransomware will check two things: “Is the file being run in a non-Mac environment?” and “Is the file being debugged?” If either condition is not met, it will terminate. If the ransomware continues loading, it next creates a launch point using a file name that simulates a legitimate file. The ransomware will run on every start up and encrypts on a specified trigger time. At the specified time, the ransomware starts to encrypt files on the computer. Up to 128 files will be locked.
The ransomware is not particularly sophisticated, using symmetric encryption with hardcoded keys.
The two keys found by researchers are:
- ReadmeKey: 0x3127DE5F0F9BA796 (contains the ransom notes and instructions)
- TargetFileKey: 0x39A622DDB50B49E9 (used to encrypt and decrypt the victim’s files)
The Readme file demands a quarter (.25 BTC) Bitcoin, approx. $700, from victims and instructs them to contact firstname.lastname@example.org and send some of their encrypted files which will be decrypted as proof. However, researchers are sceptical that it’s even possible to decrypt the files.
Once the TargetFileKey encryption/decryption algorithm was reverse engineered, researchers at FortiGuard noticed that the key is altered using a random number generator. This means that, once the malware has been terminated, the encrypted files can no longer be decrypted. Because it is freed from the program’s memory, it is difficult to create a decryptor or recovery tool to restore the encrypted files. Another concern is that it has no function to communicate with any Command & Control (C&C) server for the TargetFileKey, which means there is not an easily accessible copy of the key to decrypt the files.
After encryping the targeted files, MacRansom encrypts com.apple.finder.plist and the original executable file. It then changes the time/date stamp and deletes them. Even if recovery tools are used to obtain the ransomware artefacts, the files will be of no use to them. Essentially once encrypted, the files are pretty much gone for good.
Ransomware on Mac computers is still not that common, and attacks that are discovered are significantly less advanced than those targeting Windows machines. However, with more and more users moving to Macs, attacks like MacRansom are still capable of encrypting files and causing havoc.
With Mac use on the rise, the number of malware attacks targeting the Mac operating system is also increasing. Mac users can no longer be complacent and think that they are safe from attack. They need to be vigilant about what emails and attachments they open.