SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New ‘Turtle’ macOS Ransomware Analyzed

New Turtle macOS ransomware is not sophisticated but shows that cybercriminals continue to target Apple devices.

Patrick Wardle, the famed cybersecurity researcher specializing in Apple products, has conducted an analysis of a new macOS ransomware named Turtle.

Wardle’s analysis suggests that the Turtle ransomware is currently not sophisticated, but the malware’s existence indicates that cybercriminals continue to show an interest in targeting macOS users.

Versions of the Turtle ransomware appear to have been created for Windows and Linux systems as well.

Several of the vendors on VirusTotal already detect Turtle as a potential threat, which is unusual for a new piece of malware targeting macOS, but may be explained by similarities to the Windows version, for which crowdsourced YARA rules exist. 

The malware was developed in Go and, based on strings found in the binary, ‘Turtle’ appears to be the name given by its author.

The ransomware is designed to encrypt files on compromised systems. However, at this stage, it does not appear to pose a major threat to macOS users. 

Advertisement. Scroll to continue reading.

Firstly, the malicious file is signed with an ad-hoc signature and is not notarized by Apple, which means it will get blocked by Gatekeeper, unless it’s deployed through an exploit or specifically allowed to run by the victim.

In addition, while the ransomware is capable of encrypting files, the encryption key can be recovered and decrypting files is not difficult. 

As for its origins, Wardle has not attributed the Turtle ransomware to a specific threat actor, but did note finding various strings written in Chinese, including one that translates to “encrypt files”.

“Of course it goes without saying, having your files ransomed sucks! But good news, in this case the average macOS user is unlikely to be impacted by this macOS sample,” Wardle said. “Still the fact that ransomware authors have set their sights on macOS, should give us pause for concern and also catalyze conversions about detecting and preventing this (and future) samples in the first place!”

Related: Stealthy Mac Malware Delivered via Pirated Apps

Related: ‘Atomic macOS Stealer’ Malware Delivered via Malvertising Campaign

Related: North Korean Hackers Use New ‘KandyKorn’ macOS Malware in Attacks

Related: macOS Info-Stealer Malware ‘MetaStealer’ Targeting Businesses

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: How Modern Breaches Bypass MFA and Evade Detection
June 17, 2026

Today’s attackers are no longer breaking in — they’re logging in. Join this live webinar as we break down the modern identity attack chain and examine how recent breaches exploited weaknesses in authentication, identity verification, and access management processes.

Register

Webinar: Modern Exposure Validation in the AI Era
June 24, 2026

AI has accelerated both sides of the fight. Adversaries are weaponizing vulnerabilities faster, while defenders are racing to ship detections and configurations. Join this live webinar as we explore how to prove your controls actually hold against new threats, map your security maturity, and unite breach simulation with automated pentesting into a single, coordinated program.

Register

People on the Move

SolarWinds has appointed Justin Henkel as Chief Information Security Officer.

J. Paul Haynes has joined Cinchy as Chief Executive Officer.

Hatem Naguib has become Chief Executive Officer at Sysdig.

More People On The Move

Expert Insights

No Exploits Required

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Popular Topics

Security Community

Stay Intouch

About SecurityWeek

News Tips

Got a confidential news tip? We want to hear from you.

Submit Tip

Advertising

Reach a large audience of enterprise cybersecurity professionals

Contact Us

Daily Briefing Newsletter

Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.