
MacRansom RaaS Potentially Created by Copycats

A newly discovered ransomware family targeting Mac users follows the ransomware-as-a-service (RaaS) distribution model and reuses code from earlier macOS ransomware, Fortinet researchers warn.

Dubbed MacRansom, the threat is advertised through a web portal hosted on Tor, but samples are not handed out through the portal itself: interested parties must contact the author directly to obtain them. Would-be criminals can specify a ransom amount, a date on which the ransomware is triggered, and whether the malware should execute when someone plugs in a USB drive.

Because the ransomware's author, who appears to operate in the GMT-4 time zone, did not sign the binary with a developer certificate, macOS Gatekeeper warns users that the program they are about to run comes from an unidentified developer, Fortinet says.

Once executed, the malware checks its environment and terminates if it is not running on a Mac or if a debugger is attached. It also checks whether the machine has two CPUs, a check that is typically aimed at sandboxes and virtual machines, which often expose only a single CPU.

After these initial checks, the malware creates a launch point at ~/LaunchAgent/com.apple.finder.plist, which makes it run at every login; by imitating the name of a legitimate macOS component, the malware tries to draw less suspicion. (Apple's own launch agents live under /System/Library and /Library, not in the user's home directory, so a com.apple.* label in a per-user launch agent is itself a red flag.) The original executable is copied to ~/Library/.FS_Store and its timestamp is altered to confuse investigators.
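The two persistence artifacts described above (an Apple-named launch agent in the user's home directory and a hidden Mach-O binary under ~/Library) are easy to hunt for. The following script is an added example, not Fortinet's code or anything from the malware; it builds a throwaway HOME directory containing constructed look-alike artifacts and then scans it. It checks both the standard ~/Library/LaunchAgents directory and the ~/LaunchAgent path named in the article; the heuristics (com.apple.* label in a user launch agent, program pointing at a dotfile under ~/Library, hidden file with a Mach-O magic) are this example's own assumptions, not indicators published on the page.

```python
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List

# 32-bit and 64-bit Mach-O magics in both byte orders, plus the fat/universal header.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe"}


def build_sample_home() -> Path:
    """Constructed fixture, not a real infection: a throwaway HOME holding the
    two artifacts the article names, plus one benign agent for contrast."""
    home = Path(tempfile.mkdtemp(prefix="macransom-demo-"))
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    payload = home / "Library" / ".FS_Store"
    payload.write_bytes(b"\xcf\xfa\xed\xfe" + bytes(28))   # fake 64-bit Mach-O header
    with (agents / "com.apple.finder.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.apple.finder",
                       "ProgramArguments": [str(payload)],
                       "RunAtLoad": True}, fh)
    with (agents / "com.example.updater.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}, fh)
    return home


def hunt(home: Path) -> Dict[str, List[str]]:
    """Return {artifact path: [reasons]} for files under `home` that match the
    persistence pattern described in the article."""
    findings: Dict[str, List[str]] = {}
    lib = home / "Library"
    # 1. Per-user launch agents: the standard directory and the one the article names.
    for agents_dir in (lib / "LaunchAgents", home / "LaunchAgent"):
        if not agents_dir.is_dir():
            continue
        for plist_path in sorted(agents_dir.glob("*.plist")):
            try:
                with plist_path.open("rb") as fh:
                    data = plistlib.load(fh)
            except Exception:
                findings[str(plist_path)] = ["unreadable plist"]
                continue
            label = str(data.get("Label", ""))
            args = data.get("ProgramArguments") or []
            program = str(data.get("Program") or (args[0] if args else ""))
            reasons = []
            if label.startswith("com.apple."):
                reasons.append("com.apple.* label in a user LaunchAgents directory")
            if program.startswith(str(lib)) and Path(program).name.startswith("."):
                reasons.append("program is a hidden file under ~/Library: " + program)
            if reasons:
                findings[str(plist_path)] = reasons
    # 2. Hidden files dropped directly under ~/Library that are actually executables.
    if lib.is_dir():
        for entry in sorted(lib.iterdir()):
            if entry.name.startswith(".") and entry.is_file():
                with entry.open("rb") as fh:
                    if fh.read(4) in MACHO_MAGICS:
                        findings[str(entry)] = ["hidden Mach-O executable under ~/Library"]
    return findings


if __name__ == "__main__":
    for path, reasons in hunt(build_sample_home()).items():
        print(path, "->", "; ".join(reasons))
```

Run it against a real account with `hunt(Path.home())`; the Mach-O magic check is what keeps ordinary dotfiles such as .DS_Store from being reported.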

The encryption has a trigger time set by the author: the ransomware exits if the current date is earlier than the trigger date. Otherwise it enumerates the targeted files and encrypts at most 128 of them, the security researchers say.

The ransomware appears less sophisticated than similar macOS threats, as it uses symmetric encryption with a hardcoded key. The researchers identified two symmetric keys, ReadmeKey and TargetFileKey.

According to Fortinet, because the TargetFileKey is permuted with a randomly generated number before use, the hardcoded value alone is not enough to decrypt the files; once the malware's process exits and the TargetFileKey is freed from memory, the key actually used is gone.


What's more, the ransomware has no function for communicating with a command-and-control server, so the TargetFileKey is never sent to the author either; no copy of the key needed to decrypt the files exists anywhere.

The key can, however, be recovered by brute force: "It should not take very long for a modern CPU to brute-force an 8-byte long key when the same key is used to encrypt known files with predictable file's contents." The security researchers therefore suggest that even the ransomware author might not be able to decrypt the targeted files. Two things are presupposed here: an exhaustive search of a genuine 64-bit key space would take far longer than "not very long" on a single CPU, so the effective key space must be much smaller than 2^64, and the victim needs files whose first bytes are predictable (standard file headers, for example) so that each candidate key can be checked cheaply.
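The known-plaintext search Fortinet describes, as an added example that is not Fortinet's or the malware's code. The article does not name MacRansom's cipher or how the key is permuted, so both are assumptions here: a toy xorshift64 keystream keyed by the 8-byte key, and a "permutation" that XORs a random 16-bit value into the hardcoded key's last two bytes. The recovery function decrypts only the first 8 bytes of a file under each candidate key and keeps the key that reproduces the PNG signature. The cost is 2^PERMUTE_BITS trial decryptions, which is why the search is cheap only if the random perturbation is small; raising PERMUTE_BITS to 64 shows how quickly that stops being true.

```python
import os
import struct
from typing import Iterator, Optional

MASK64 = 0xFFFFFFFFFFFFFFFF

# Constructed stand-ins: an 8-byte "hardcoded" key and the assumed size of the
# random value mixed into it. Neither value comes from the real sample.
HARDCODED_KEY = bytes.fromhex("5a6b7c8d9eafb0c1")
PERMUTE_BITS = 16

# Every PNG starts with this 8-byte signature: a predictable header to test against.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def permute_key(base: bytes, rnd: int) -> bytes:
    """Assumed model of 'key permuted with a random number': XOR rnd into the
    low two bytes of the hardcoded key."""
    return base[:6] + bytes([base[6] ^ ((rnd >> 8) & 0xFF), base[7] ^ (rnd & 0xFF)])


def keystream(key: bytes, n: int) -> bytes:
    """Toy xorshift64 keystream seeded with the 64-bit key. Not MacRansom's
    cipher; chosen so that known plaintext does not leak the key directly and
    a search over candidates is genuinely required."""
    x = struct.unpack("<Q", key)[0] or 1
    out = bytearray()
    while len(out) < n:
        x ^= (x << 13) & MASK64
        x ^= x >> 7
        x ^= (x << 17) & MASK64
        out += struct.pack("<Q", x)
    return bytes(out[:n])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def candidate_keys(base: bytes) -> Iterator[bytes]:
    """Enumerate every key the assumed permutation can produce."""
    for rnd in range(1 << PERMUTE_BITS):
        yield permute_key(base, rnd)


def recover_key(ciphertext_head: bytes, known_head: bytes,
                base: bytes = HARDCODED_KEY) -> Optional[bytes]:
    """Known-plaintext search: decrypt the first len(known_head) bytes of the
    file under each candidate and return the key that yields the expected header."""
    for key in candidate_keys(base):
        if xor_crypt(key, ciphertext_head) == known_head:
            return key
    return None


def demo() -> bool:
    """Encrypt a constructed PNG prefix under a random permuted key, then recover
    the key from the header alone and decrypt the whole file with it."""
    rnd = int.from_bytes(os.urandom(2), "big")
    real_key = permute_key(HARDCODED_KEY, rnd)
    png = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(16)   # constructed PNG prefix
    ct = xor_crypt(real_key, png)
    found = recover_key(ct[:8], PNG_MAGIC)
    return found == real_key and xor_crypt(found, ct) == png


if __name__ == "__main__":
    print("recovered:", demo())
```

Any file type with a fixed leading signature (PDF, ZIP, Office documents) works as the known plaintext; the header only has to be at least as long as the key so that a wrong candidate is rejected with overwhelming probability.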

"After successfully encrypting the targeted files, it encrypts both com.apple.finder.plist and the original executable. It changes the Time Date Stamp and then deletes them. This is done by the author so that even if recovery tools are used to get the ransomware artifacts, the files will be next to meaningless," the researchers say.

Victims are asked to pay a 0.25 Bitcoin ransom to recover their encrypted files and to contact the ransomware author at getwindows(at)protonmail.com for decryption instructions. 

Fortinet also notes that, because the malware uses code and ideas similar to other ransomware, "this MacRansom variant is potentially being brewed by copycats." Even its anti-analysis tricks, which previous macOS ransomware did not use, are a well-known technique "widely deployed by many malware authors," the researchers say.

Related: Decryption Tool Released for FindZip macOS Ransomware

Related: New “Filecoder” macOS Ransomware Surfaces

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
