A guy who hacks Macs in his free time thinks he's found a way to stop ransomware in its tracks

Sophos Naked Security

If you don't believe by now that ransomware is becoming a big problem, just ask Texas Congressman Michael C. Burgess who, at a congressional hearing on Tuesday, said that ransom-seeking hackers ought to be "shot at sunrise."

Burgess has good reason to be frustrated. Ransomware is a type of computer virus that encrypts its victim's files and demands payment, usually a few hundred dollars in Bitcoin, for the key to restore them.

Ransomware with properly-implemented encryption is effectively irreversible without those keys, forcing high-profile victims, including government agencies, to pay up in order to restore their systems.

Macs had been largely ignored by ransomware authors until last month, when a large-scale Mac ransomware attack called KeRanger struck. The virus was inserted into a compromised version of Transmission, a file-sharing app available for Macs, and maliciously uploaded onto the software's official website so that unsuspecting users would download and run it on their machines.

Patrick Wardle, the director of research at Synack who also publishes Mac software tools to his website, Objective See, realized that Macs still had no good way of avoiding this kind of attack.

"From a user's point of view, it really sucks," Wardle said in an interview with Business Insider on Wednesday. "Even if they're [following] best security practices — they haven't turned off Gatekeeper [Apple's anti-virus software], they're not downloading shady apps from random sites — they still would have gotten infected."

Wardle said that he could see this type of infection happening to him and wanted to do something about it. While Apple soon updated its built-in virus protection and Transmission removed the infected downloads from its site, Wardle was confident that the problem wasn't going anywhere.

"There's so much money to be made for hackers," he said. "This is just going to be an ongoing process for the foreseeable future, even for Mac users."

So Wardle got to work on a tool to detect — and stop — ransomware generically, meaning that it wouldn't have to rely on a list of previously-known viruses which can quickly become outdated. The goal is to detect ransomware by looking for suspicious encryption activity instead. After about a month of working on the project in his spare time, he released RansomWhere? 1.0.0 on Wednesday.

Sophos Naked SecurityRansomWhere? runs in the background, watching for the creation of new files by any new or untrusted applications. It then assesses whether the file was encrypted (in a process outlined in Wardle's explanatory blog post) and whether the process that made it also looks to be encrypting other files. If all these boxes are checked, it pauses the suspicious process and alerts the user, letting them decide whether to allow it to continue or stop it in its tracks.

While Business Insider was not able to test RansomWhere? against a real virus (all of our Macs have the latest security updates, so we wouldn't be able to run a virus at all), Wardle claims that, in his testing, the app successfully blocked both of the existing ransomware viruses that he had access to.

Wardle is quick to point out that the ideas behind RansomWhere? might not be entirely novel. Indeed, the idea of detecting malware by its behavior rather than by its appearance (comparing a file to known virus signatures) is not brand new — some antivirus companies have already implemented versions of this "heuristic analysis" into their efforts to fight ransomware. 

'I would love to find some new ransomware'

Apple's built-in defenses are often not so sophisticated, as Wardle has noted in the past. While Apple quickly revoked the signature of the infected version of Transmission, preventing most users from infecting themselves with KeRanger, an estimated 6,500 users may have downloaded the compromised app.

Wardle suggests using RansomWhere? alongside signature-based systems for the fullest protection and he dedicates a large portion of his blog post to detailing limitations and downsides to his software — like the fact that, by design, a few files will be encrypted before RansomWhere? can decide that a process is malicious.

Ransomware authors that study Wardle's app could even custom-tailor their viruses to slip between the cracks that he openly discloses.

Needless to say, Wardle stressed that he didn't want to "over-sell" the tool as a panacea. In his blog post, he writes that his goal was "simply to raise awareness about alternate means to help stymie the ransomware epidemic." 

For the time being, if a Mac user is unlucky enough to be struck by ransomware — but had the foresight to install RansomWhere? — Wardle recommends they upload the suspicious file to VirusTotal, a free online tool that aims to identify viruses. Better yet, send them his way.

"I would love to find some new [Mac OS X] ransomware," Wardle said. "I say that as a Mac security researcher, not someone who's wishing harm on Mac users."