New ‘Turtle’ macOS Ransomware Analyzed

New Turtle macOS ransomware is not sophisticated but shows that cybercriminals continue to target Apple devices.

Patrick Wardle, the famed cybersecurity researcher specializing in Apple products, has conducted an analysis of a new macOS ransomware named Turtle.

Wardle’s analysis suggests that the Turtle ransomware is currently not sophisticated, but the malware’s existence indicates that cybercriminals continue to show an interest in targeting macOS users.

Versions of the Turtle ransomware appear to have been created for Windows and Linux systems as well.

Several of the vendors on VirusTotal already detect Turtle as a potential threat, which is unusual for a new piece of malware targeting macOS, but may be explained by similarities to the Windows version, for which crowdsourced YARA rules exist. 

The malware was developed in Go and, based on strings found in the binary, ‘Turtle’ appears to be the name given by its author.

The ransomware is designed to encrypt files on compromised systems. However, at this stage, it does not appear to pose a major threat to macOS users. 

Firstly, the malicious file is signed with an ad-hoc signature and is not notarized by Apple, which means it will get blocked by Gatekeeper, unless it’s deployed through an exploit or specifically allowed to run by the victim.

In addition, while the ransomware is capable of encrypting files, the encryption key can be recovered and decrypting files is not difficult. 
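The ad-hoc signature mentioned above is something a defender can check for when triaging an unknown Mach-O binary. The following is an added example, not code from Wardle's analysis or from the article: it parses text in the shape that `codesign -dvv` prints and separates ad-hoc signed binaries from Developer ID signed ones. The sample outputs, paths, team ID and the `parse_codesign` and `triage` function names are constructed for illustration.

```python
import re

# Constructed samples shaped like `codesign -dvv <path>` output (printed on stderr).
ADHOC_SAMPLE = """\
Executable=/tmp/sample_binary
Identifier=sample_binary
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
"""
DEVID_SAMPLE = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20500 size=5678 flags=0x10000(runtime) hashes=100+7 location=embedded
Signature size=9012
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

def parse_codesign(text):
    """Collect the signing fields that matter for triage."""
    info = {"authorities": [], "flags": set(), "signature": None, "team": None}
    for line in text.splitlines():
        # Code-directory flags appear mid-line, e.g. flags=0x2(adhoc)
        m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", line)
        if m:
            info["flags"].update(f.strip() for f in m.group(1).split(","))
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)
        elif key == "Signature":
            info["signature"] = value
        elif key == "TeamIdentifier":
            info["team"] = value
    return info

def triage(text):
    """Return 'adhoc', 'developer-id' or 'unknown' for one codesign dump."""
    info = parse_codesign(text)
    if info["signature"] == "adhoc" or "adhoc" in info["flags"]:
        return "adhoc"          # no signing certificate, so it cannot be notarized
    if info["team"] not in (None, "not set") and any(
            a.startswith("Developer ID Application:") for a in info["authorities"]):
        return "developer-id"   # notarization still needs a separate check
    return "unknown"
```

On a Mac, the input would come from `codesign -dvv <path> 2>&1`. Locally built binaries are also ad-hoc signed, so an `adhoc` result is a triage signal to combine with where the file came from, not a verdict on its own.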


As for its origins, Wardle has not attributed the Turtle ransomware to a specific threat actor, but did note finding various strings written in Chinese, including one that translates to “encrypt files”.

“Of course it goes without saying, having your files ransomed sucks! But good news, in this case the average macOS user is unlikely to be impacted by this macOS sample,” Wardle said. “Still the fact that ransomware authors have set their sights on macOS, should give us pause for concern and also catalyze conversions about detecting and preventing this (and future) samples in the first place!”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

