MacRansom RaaS Potentially Created by Copycats

A newly discovered ransomware family targeting Mac users is distributed under the ransomware-as-a-service (RaaS) model and reuses code from earlier macOS ransomware, Fortinet researchers warn.


Dubbed MacRansom, the threat is advertised through a web portal hosted on Tor, but samples are not handed out through the portal: interested parties must contact the author directly to obtain them. Would-be criminals can specify the ransom amount, the date on which encryption is triggered, and whether the malware should execute when someone plugs in a USB drive.

Because the ransomware's author, who appears to operate in the GMT-4 time zone, did not code-sign the binary, macOS warns users that the program they are about to run comes from an unidentified developer, Fortinet says.

Once executed, the malware checks its environment: it terminates if it is not running on a Mac or if a debugger is attached. It also checks whether the machine has two CPUs, a test of the kind malware commonly uses to spot analysis sandboxes.

After these initial checks, the malware creates a launch agent in ~/LaunchAgent/ so that it runs at every login (launchd normally reads per-user agents from ~/Library/LaunchAgents/, so that directory is the place to hunt). By mimicking the name of a legitimate macOS file, the agent attempts to lessen suspicion of nefarious activity. The original executable is copied to ~/Library/.FS_Store and its timestamp altered, a timestomping step meant to confuse timeline-based forensic analysis.
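A hunt for the persistence pattern just described, as an added example (not Fortinet's or SecurityWeek's code). It assumes three generic indicators drawn from the description rather than any published IOC: a per-user launch agent whose Label imitates Apple (com.apple.*), an agent whose program path contains a hidden component (such as ~/Library/.FS_Store), and hidden Mach-O executables directly under ~/Library. It takes the home directory to inspect as an argument, so it can be pointed at a copied user profile or at a constructed fixture on any OS.

```python
"""Hunt for a mimicking launch agent and a hidden Mach-O under ~/Library.

Added example. The indicators below are assumptions derived from the article's
description, not published MacRansom IOCs.
"""
import plistlib
import sys
from pathlib import Path

# Mach-O magic numbers (first four bytes), both byte orders, plus the universal
# (fat) header. cafebabe is shared with Java class files, so treat it as a lead.
MACHO_MAGICS = {
    bytes.fromhex("cffaedfe"), bytes.fromhex("feedfacf"),  # 64-bit
    bytes.fromhex("cefaedfe"), bytes.fromhex("feedface"),  # 32-bit
    bytes.fromhex("cafebabe"),                             # fat binary
}


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O magic number."""
    try:
        with path.open("rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def program_of(job: dict) -> str:
    """The executable a launchd job runs: 'Program' or the first 'ProgramArguments' entry."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return ""


def has_hidden_component(path_str: str) -> bool:
    """True if any path element (other than . or ..) is a dotfile/dotdir, e.g. .FS_Store."""
    return any(p.startswith(".") and p not in (".", "..") for p in Path(path_str).parts)


def hunt(home: Path) -> list:
    """Return (severity, path, reason) tuples for a user home directory.

    launchd loads per-user agents from <home>/Library/LaunchAgents, which is where a
    Label that claims to be Apple's does not belong: Apple's own agents live under /System.
    """
    findings = []
    library = home / "Library"
    agents = library / "LaunchAgents"
    if agents.is_dir():
        for plist_path in sorted(agents.glob("*.plist")):
            try:
                with plist_path.open("rb") as f:
                    job = plistlib.load(f)
            except Exception:  # plistlib raises several types for malformed input
                findings.append(("info", str(plist_path), "unparseable plist"))
                continue
            label = str(job.get("Label", ""))
            prog = program_of(job)
            if label.startswith("com.apple."):
                findings.append(("high", str(plist_path),
                                 f"user agent with Apple-looking label {label!r}"))
            if has_hidden_component(prog):
                findings.append(("high", str(plist_path),
                                 f"agent launches hidden path {prog!r}"))
    if library.is_dir():
        # Dotfiles directly under ~/Library are common (.DS_Store), Mach-O dotfiles are not.
        for p in library.iterdir():
            if p.name.startswith(".") and p.is_file() and is_macho(p):
                findings.append(("high", str(p), "hidden Mach-O executable in ~/Library"))
    return findings


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home()
    for severity, path, reason in hunt(target):
        print(f"[{severity}] {path}: {reason}")
```

For the timestomping step, add a macOS-only check the script cannot do portably: compare each hit's modification time with its birth time (`stat -f '%B %m' <file>`); a modification time earlier than the birth time is a strong sign the timestamp was rewritten.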

Encryption has a trigger time set by the author: the ransomware terminates if the current date is before the trigger date. Otherwise, the malware enumerates the targeted files and encrypts at most 128 of them, the researchers say.

The ransomware appears less sophisticated than other threats targeting macOS, as it uses symmetric encryption with hardcoded keys. The researchers identified two symmetric keys, which they call ReadmeKey and TargetFileKey.


According to Fortinet, because the TargetFileKey is permuted with a randomly generated number at run time, the effective key exists only in the process's memory. Once the malware terminates and that memory is freed, the key is gone, and the encrypted files cannot be decrypted by the usual route.

What's more, the ransomware includes no code to communicate with a command-and-control (C2) server, so the TargetFileKey is never sent to the author. No copy of the key needed to decrypt the files exists anywhere, on the victim's machine or the attacker's.

The key can, however, be recovered with a brute-force attack: “It should not take very long for a modern CPU to brute-force an 8-byte long key when the same key is used to encrypt known files with predictable file contents.” In other words, files with standard headers give an analyst known plaintext against which candidate keys can be tested offline. The researchers conclude that the ransomware author might not be able to decrypt the targeted files at all.
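The known-plaintext brute force the quote describes, worked through on a toy model as an added example. This is not Fortinet's code and not MacRansom's actual cipher, which the article does not detail; every element of the model is an assumption: a fixed 8-byte TargetFileKey sits in the binary where a static analyst can read it, the run-time "permutation with a random number" is modelled as choosing one of the 8! orderings of its bytes, and files are encrypted block by block with a toy reversible transform. The analyst knows only the hardcoded key and that the victim's files start with standard format magic (PNG, PDF), and recovers the effective key by enumeration. Sample files and the key value are constructed.

```python
"""Known-plaintext brute force of a short symmetric key (toy model, see lead-in).

Added example; not Fortinet's code and NOT MacRansom's actual cipher. The hardcoded key,
the permutation model and the block transform are all assumptions for illustration.
"""
import itertools

BLOCK = 8
HARDCODED_KEY = bytes.fromhex("2b7e151628aed2a6")  # assumed stand-in, not the real key

# Known leading bytes of common formats: free known plaintext for the analyst.
PNG_MAGIC = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A])  # a full block is known
PDF_MAGIC = b"%PDF-"  # the version digits vary, so only five bytes are reliably known


def toy_block_encrypt(block: bytes, key: bytes) -> bytes:
    """Toy reversible 8-byte transform: add the key byte, then XOR with the next key byte."""
    return bytes(((b + key[i]) & 0xFF) ^ key[(i + 1) % BLOCK] for i, b in enumerate(block))


def toy_block_decrypt(block: bytes, key: bytes) -> bytes:
    return bytes(((b ^ key[(i + 1) % BLOCK]) - key[i]) & 0xFF for i, b in enumerate(block))


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    data += b"\x00" * (-len(data) % BLOCK)  # zero-pad to whole blocks
    return b"".join(toy_block_encrypt(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))


def toy_decrypt(data: bytes, key: bytes) -> bytes:
    return b"".join(toy_block_decrypt(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))


def key_orderings(base_key: bytes) -> tuple:
    """Every distinct ordering of the key bytes: 8! = 40320 when all eight bytes differ."""
    return tuple(dict.fromkeys(itertools.permutations(base_key)))


def permute_key(base_key: bytes, rnd: int) -> bytes:
    """Ransomware side: the run-time random number selects the effective key. rnd is never
    written anywhere, so once the process exits the effective key is gone from the machine."""
    orderings = key_orderings(base_key)
    return bytes(orderings[rnd % len(orderings)])


def recover_key(samples, base_key=HARDCODED_KEY) -> list:
    """Analyst side. samples: (ciphertext, known_plaintext_prefix) pairs. Each ordering of
    the hardcoded key bytes is a candidate; keep those whose decryption of every sample's
    first block begins with the known magic. A full 8-byte magic normally pins down one
    key; a shorter one may leave several, which a second sample then eliminates."""
    candidates = []
    for perm in key_orderings(base_key):
        key = bytes(perm)
        if all(toy_block_decrypt(ct[:BLOCK], key).startswith(magic) for ct, magic in samples):
            candidates.append(key)
    return candidates


def demo() -> dict:
    """Encrypt two constructed files under an unknown run-time permutation, then recover
    the key from their headers alone."""
    effective_key = permute_key(HARDCODED_KEY, 0x5EED1234)  # random number, never stored
    png = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + bytes(16)    # constructed PNG-like file
    pdf = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"          # constructed PDF-like file
    ct_png = toy_encrypt(png, effective_key)
    ct_pdf = toy_encrypt(pdf, effective_key)
    from_pdf = recover_key([(ct_pdf, PDF_MAGIC)])                         # 5 known bytes
    from_both = recover_key([(ct_png, PNG_MAGIC), (ct_pdf, PDF_MAGIC)])  # 13 known bytes
    return {
        "effective_key": effective_key,
        "from_pdf": from_pdf,
        "from_both": from_both,
        "png_recovered": any(toy_decrypt(ct_png, k)[:len(png)] == png for k in from_both),
    }


if __name__ == "__main__":
    result = demo()
    print("effective key  :", result["effective_key"].hex())
    print("PDF header only:", len(result["from_pdf"]), "candidate(s)")
    print("PNG + PDF      :", [k.hex() for k in result["from_both"]])
    print("PNG restored   :", result["png_recovered"])
```

The lesson carries over from the toy to the real case: a hardcoded key plus a small run-time variation is not a secret, and any file type with a fixed header is known plaintext. Against the real sample you would replace the toy transform with the algorithm reversed from the binary and enumerate whatever run-time input actually varies; a 32-bit unknown is still feasible on a single CPU in a native implementation.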

“After successfully encrypting the targeted files, it encrypts both and the original executable. It changes the Time Date Stamp and then deletes them. This is done by the author so that even if recovery tools are used to get the ransomware artifacts, the files will be next to meaningless,” the researchers say.

Victims are asked to pay 0.25 bitcoin to recover their encrypted files and to contact the ransomware author at getwindows(at) for decryption instructions.

Fortinet also notes that, because it reuses code and ideas from other ransomware, “this MacRansom variant is potentially being brewed by copycats.” Even the anti-analysis tricks, which earlier macOS ransomware did not employ, are well-known techniques “widely deployed by many malware authors,” the researchers say.

Related: Decryption Tool Released for FindZip macOS Ransomware

Related: New “Filecoder” macOS Ransomware Surfaces

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
