Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Endpoint Security

New Tool Aims to Generically Detect Mac OS X Ransomware

Security researcher Patrick Wardle has been looking at ways to generically detect ransomware attacks on Mac OS X systems and he has developed a tool that appears to be capable of accomplishing the task.

Security researcher Patrick Wardle has been looking at ways to generically detect ransomware attacks on Mac OS X systems and he has developed a tool that appears to be capable of accomplishing the task.

Wardle, director of research at Synack, is well-known in the industry for bypassing Apple’s Gatekeeper security feature. The expert has developed several OS X security tools in the past and on Wednesday he announced the release of a new one.

The tool, named “RansomWhere?”, is designed to detect and block any type of file-encrypting ransomware on OS X by continually monitoring the file system for the creation of encrypted files by suspicious processes.

There have been several reports over the past years about ransomware targeting Mac OS X users. Early threats were designed to simply lock users’ browsers and could be easily removed, but newer ransomware, such as KeRanger, pose a more serious threat.

KeRanger, which is considered the first fully functional ransomware targeting OS X, attempts to encrypt 300 different file types on infected systems. The malware bypassed Gatekeeper because it was delivered via a compromised installer that was signed with a valid app development certificate issued by Apple.

After analyzing various pieces of ransomware, Wardle came up with the idea that such threats can be generically identified by monitoring file I/O events and detecting the rapid creation of encrypted files by untrusted processes. For this, he needed to find ways to monitor file I/O events, determine if a file is encrypted, and identify untrusted processes.

There are several tools and methods that can be used to monitor file I/O events on OS X, including dtrace, fs_usage, OpenBSM, and fsevents. The expert chose the direct use of fsevents, which he also leveraged in another one of his tools called BlockBlock.

Advertisement. Scroll to continue reading.

In order to determine if a file is encrypted, Wardle used available documentation on differentiating encryption from compression based on mathematical calculations.

The problem is that even legitimate applications can create encrypted files (e.g. password managers). In order to avoid the classification of such apps as ransomware, the tool developed by Wardle considers all processes signed by Apple and ones already installed on the system when the tool is first run inherently trusted.

RansomWhere? is installed as a launch daemon with the “RunAtLoad” key set to “true” so that it’s automatically executed when the system boots. It then enumerates all installed applications to create a baseline, classifies running processes, and starts monitoring file I/O events. When an untrusted process is found rapidly creating encrypted files, the process in question is suspended and the user is alerted. RansomWhere? users can allow the process to continue or terminate it.


Wardle successfully tested the tool against Gopher, a proof-of-concept ransomware created last year by OS X security expert Pedro Vilaca, and KeRanger. The researcher pointed out that while the tool can generically detect and block OS X ransomware, version 1.0.0 does have several limitations and a piece of ransomware specifically designed to bypass it would likely succeed.

The limitations include the fact that RansomWhere? does allow some files to get encrypted before blocking the ransomware, it currently only monitors the user’s home folders, and it ignores potential threats that abuse a signed Apple binary. Despite the limitations, Wardle believes this approach could be highly efficient for detecting OS X ransomware.

The researcher told SecurityWeek that the same principle could also work on Windows and Linux operating systems. When he came up with the idea for RansomWhere?, Wardle found discussions about CryptoMonitor, an apparently similar Windows anti-ransomware tool that Malwarebytes has started integrating in its products.

RansomWhere? is currently closed-source, but Wardle says he might release it as open source in the future. In the meantime, he published a blog post containing numerous code snippets and a detailed technical description of how the tool works.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Endpoint Security

The Zero Day Dilemma

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...