RansomWhere watches Mac processes for suspicious encryption activity and suspends them before they can do much damage

Apr 20, 2016 13:10 GMT  ·  By

Although ransomware is not yet a big problem for Mac users, Patrick Wardle, lead researcher at Synack, has created a nifty little app that identifies ransomware-like behavior by detecting the rapid creation of encrypted files, suspends the suspicious process, and then alerts the user.

Called RansomWhere, this tool is very similar to what Sean Williams created almost a month ago with his CryptoStalker project, a generic ransomware detection system for Linux.

RansomWhere can stop apps that generate a lot of encrypted content

Just like CryptoStalker, RansomWhere works by watching the user's local filesystem for the creation of a large number of encrypted files. Mr. Wardle's app goes a step further by temporarily suspending the process that generates the flood of encrypted content and prompting the user to verify and approve its actions before it is allowed to continue.

RansomWhere may produce some false positives, since legitimate software that quickly writes many encrypted or compressed files looks much the same from the outside, but it's always better to be safe than sorry.

By default, RansomWhere monitors both unsigned Mac apps and binaries signed with a third-party Apple Developer ID. The only binaries RansomWhere ignores are those signed by Apple's own certificates.

The downside is that if ransomware injects code into, and hijacks, the process of an Apple-signed binary, the tool won't be able to pick it up. Another downside is that RansomWhere needs to see several encrypted files being written before it acts, by which time some files will already have been encrypted.
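The detection loop described above (an entropy check on each new file, a per-process count over a short window, suspend-and-ask, and the exemption for Apple-signed code) together with the two caveats that follow, as an added Python example that is not RansomWhere's own code. The thresholds, the signer labels and the replayed event stream are assumptions constructed for this example; a real monitor would take file events from the OS and verify code signatures itself.

```python
import hashlib
import math
import os
import signal
from collections import defaultdict, deque

# Detection parameters. These are assumptions for this example; the article
# does not document RansomWhere's actual tuning.
ENTROPY_THRESHOLD = 7.5   # bits per byte (maximum is 8.0); ciphertext sits close to 8
FILES_THRESHOLD = 3       # high-entropy files from one process in the window -> suspend
WINDOW_SECONDS = 5.0      # sliding window for the per-process count

# Code-signing classes mirroring the policy in the article:
# Apple-signed binaries are ignored, everything else is watched.
APPLE_SIGNED = "apple"
DEVELOPER_ID = "developer_id"
UNSIGNED = "unsigned"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def is_monitored(signer: str) -> bool:
    # Only Apple's own binaries get a free pass; unsigned and Developer ID code is watched.
    return signer != APPLE_SIGNED


class RansomwareDetector:
    """Counts high-entropy file creations per process and suspends the offender."""

    def __init__(self, suspend=None):
        self._writes = defaultdict(deque)   # pid -> timestamps of high-entropy writes
        self.suspended = set()
        # Real action: SIGSTOP freezes the process until the user decides.
        # A different callback can be injected (the demo below just records pids).
        self._suspend = suspend if suspend is not None else self._sigstop

    @staticmethod
    def _sigstop(pid: int) -> None:
        os.kill(pid, signal.SIGSTOP)

    def on_file_created(self, pid: int, signer: str, data: bytes, now: float) -> bool:
        """Feed one file-creation event; returns True if it triggered a suspension."""
        if pid in self.suspended or not is_monitored(signer) or not looks_encrypted(data):
            return False
        window = self._writes[pid]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= FILES_THRESHOLD:
            self.suspended.add(pid)
            self._suspend(pid)
            return True
        return False


# Constructed sample data: a deterministic pseudo-ciphertext blob (4096 bytes) and plain text.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PLAINTEXT = b"The quick brown fox jumps over the lazy dog.\n" * 90


def run_demo() -> dict:
    """Replay constructed events and report what the detector did (no real signals sent)."""
    stopped = []
    det = RansomwareDetector(suspend=stopped.append)
    files_before_stop = 0

    # 1. Unsigned ransomware-like process rapidly writing ciphertext: gets suspended,
    #    but only after FILES_THRESHOLD files are already on disk (the detection lag).
    for i in range(5):
        if det.on_file_created(pid=4242, signer=UNSIGNED, data=CIPHERTEXT_LIKE, now=float(i)):
            files_before_stop = i + 1
            break

    # 2. Apple-signed process doing exactly the same: ignored by policy, which is
    #    the blind spot if malware injects itself into an Apple-signed process.
    for i in range(5):
        det.on_file_created(pid=100, signer=APPLE_SIGNED, data=CIPHERTEXT_LIKE, now=float(i))

    # 3. Developer ID text editor saving plain text: low entropy, never counted.
    for i in range(5):
        det.on_file_created(pid=200, signer=DEVELOPER_ID, data=PLAINTEXT, now=float(i))

    # 4. Developer ID archiver whose compressed output is high-entropy (the same blob
    #    stands in for it here): suspended as well, i.e. a false positive.
    for i in range(5):
        det.on_file_created(pid=300, signer=DEVELOPER_ID, data=CIPHERTEXT_LIKE, now=float(i))

    return {
        "suspended": sorted(det.suspended),
        "files_before_stop": files_before_stop,
        "ciphertext_entropy": round(shannon_entropy(CIPHERTEXT_LIKE), 2),
        "plaintext_entropy": round(shannon_entropy(PLAINTEXT), 2),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the two trade-offs in one place: the ransomware-like process and the archiver both end up suspended (entropy alone cannot tell ciphertext from compressed data, hence the prompt to the user), the Apple-signed process is never examined, and the unsigned offender has already written FILES_THRESHOLD files by the time SIGSTOP would land.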

Ransomware for Macs not yet a (big) problem

At the start of March, KeRanger, the first fully functional ransomware targeting Macs, appeared on the scene, infecting users via tainted versions of the Transmission BitTorrent client for Mac.

Before this, a Brazilian coder also created a proof-of-concept ransomware variant called Mabouia, which was never released and eventually handed over to Apple's security staff.

Ransomware is not yet a serious danger to the Mac ecosystem, and more Linux users than Mac users have suffered from it so far. That statistic skews toward Linux because several ransomware families target Linux servers, among them Linux.Encoder, CTB-Locker, and KimcilWare.

Privacy-minded users should also be aware that RansomWhere asks for your Mac administrator password when installed, because it needs elevated privileges to continually monitor every process on your workstation.

RansomWhere alerting users of a potential ransomware encryption process

RansomWhere can detect ransomware on OS X