New Tool Aims to Generically Detect Mac OS X Ransomware

Security researcher Patrick Wardle has been looking at ways to generically detect ransomware attacks on Mac OS X systems and he has developed a tool that appears to be capable of accomplishing the task.

Wardle, director of research at Synack, is well-known in the industry for bypassing Apple’s Gatekeeper security feature. The expert has developed several OS X security tools in the past and on Wednesday he announced the release of a new one.

The tool, named “RansomWhere?”, is designed to detect and block any type of file-encrypting ransomware on OS X by continually monitoring the file system for the creation of encrypted files by suspicious processes.

There have been several reports over the past years about ransomware targeting Mac OS X users. Early threats were designed to simply lock users’ browsers and could be easily removed, but newer ransomware, such as KeRanger, pose a more serious threat.

KeRanger, which is considered the first fully functional ransomware targeting OS X, attempts to encrypt 300 different file types on infected systems. The malware bypassed Gatekeeper because it was delivered via a compromised installer that was signed with a valid app development certificate issued by Apple.

After analyzing various pieces of ransomware, Wardle came up with the idea that such threats can be generically identified by monitoring file I/O events and detecting the rapid creation of encrypted files by untrusted processes. For this, he needed to find ways to monitor file I/O events, determine if a file is encrypted, and identify untrusted processes.

There are several tools and methods that can be used to monitor file I/O events on OS X, including dtrace, fs_usage, OpenBSM, and fsevents. The expert chose the direct use of fsevents, which he also leveraged in another one of his tools called BlockBlock.

In order to determine if a file is encrypted, Wardle used available documentation on differentiating encryption from compression based on mathematical calculations.

The problem is that even legitimate applications create encrypted files (password managers, for example). To avoid classifying such apps as ransomware, Wardle's tool treats as inherently trusted every process signed by Apple, along with every application already installed on the system when the tool is first run.

RansomWhere? is installed as a launch daemon with the “RunAtLoad” key set to “true” so that it’s automatically executed when the system boots. It then enumerates all installed applications to create a baseline, classifies running processes, and starts monitoring file I/O events. When an untrusted process is found rapidly creating encrypted files, the process in question is suspended and the user is alerted. RansomWhere? users can allow the process to continue or terminate it.
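The detection logic described above, as an added example that is not RansomWhere?'s own code: a statistical check that a newly created file looks encrypted rather than merely compressed, combined with a per-process burst count that exempts trusted processes. The thresholds, pids and sample data are assumptions constructed for the illustration; on a real system the file-creation events would come from fsevents.

```python
import math
import random
from collections import Counter, defaultdict, deque

# Thresholds are assumptions for this illustration, not RansomWhere?'s own values.
MIN_SIZE = 1024         # too little data gives unreliable statistics
ENTROPY_MIN = 7.9       # bits per byte; ciphertext approaches the maximum of 8.0
CHI_SQUARE_MAX = 500.0  # ~255 expected for uniform bytes; compressed data usually scores higher
BURST_COUNT = 5         # this many encrypted files from one untrusted process ...
BURST_WINDOW = 2.0      # ... within this many seconds gets the process suspended

def shannon_entropy(data):
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def chi_square(data):
    expected, counts = len(data) / 256, Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def looks_encrypted(data):
    """High entropy alone also matches compressed files; chi-square helps separate the two."""
    return (len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_MIN
            and chi_square(data) <= CHI_SQUARE_MAX)

class RansomwareDetector:
    def __init__(self, trusted_pids):
        self.trusted = set(trusted_pids)   # Apple-signed, or baselined when the tool first ran
        self.recent = defaultdict(deque)   # pid -> timestamps of its encrypted-file creations
        self.suspended = set()

    def on_file_created(self, pid, contents, now):
        """Feed one file-creation event; returns the pid when it should be suspended."""
        if pid in self.trusted or pid in self.suspended or not looks_encrypted(contents):
            return None
        q = self.recent[pid]
        q.append(now)
        while now - q[0] > BURST_WINDOW:   # forget events outside the sliding window
            q.popleft()
        if len(q) < BURST_COUNT:
            return None
        self.suspended.add(pid)            # the real tool would SIGSTOP it and prompt the user
        return pid

ENCRYPTED_SAMPLE = random.Random(2016).getrandbits(8 * 8192).to_bytes(8192, "big")  # constructed ciphertext stand-in
TEXT_SAMPLE = b"Quarterly report: revenue grew 4% year over year. " * 200            # constructed plain document

def demo():  # replay a burst from a trusted pid, an untrusted pid writing ciphertext, and a text editor
    det = RansomwareDetector(trusted_pids={100})
    events = [(pid, data, i * 0.1) for i in range(BURST_COUNT)
              for pid, data in ((100, ENCRYPTED_SAMPLE), (4242, ENCRYPTED_SAMPLE), (7, TEXT_SAMPLE))]
    return [p for p in (det.on_file_created(*e) for e in events) if p is not None]
```

Only the untrusted process writing ciphertext is flagged; the trusted pid writes identical data without triggering, which is exactly the blind spot the limitations below describe for abused Apple-signed binaries.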


Wardle successfully tested the tool against Gopher, a proof-of-concept ransomware created last year by OS X security expert Pedro Vilaca, and KeRanger. The researcher pointed out that while the tool can generically detect and block OS X ransomware, version 1.0.0 does have several limitations and a piece of ransomware specifically designed to bypass it would likely succeed.

The limitations include the fact that RansomWhere? does allow some files to get encrypted before blocking the ransomware, it currently only monitors the user’s home folders, and it ignores potential threats that abuse a signed Apple binary. Despite the limitations, Wardle believes this approach could be highly efficient for detecting OS X ransomware.

The researcher told SecurityWeek that the same principle could also work on Windows and Linux operating systems. When he came up with the idea for RansomWhere?, Wardle found discussions about CryptoMonitor, an apparently similar Windows anti-ransomware tool that Malwarebytes has started integrating in its products.

RansomWhere? is currently closed-source, but Wardle says he might release it as open source in the future. In the meantime, he published a blog post containing numerous code snippets and a detailed technical description of how the tool works.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
