Patrick Wardle, the famed cybersecurity researcher specializing in Apple products, has conducted an analysis of a new macOS ransomware named Turtle.
Wardle’s analysis suggests that the Turtle ransomware is currently not sophisticated, but the malware’s existence indicates that cybercriminals continue to show an interest in targeting macOS users.
Versions of the Turtle ransomware appear to have been created for Windows and Linux systems as well.
Several of the vendors on VirusTotal already detect Turtle as a potential threat, which is unusual for a new piece of malware targeting macOS, but may be explained by similarities to the Windows version, for which crowdsourced YARA rules exist.
The malware was developed in Go and, based on strings found in the binary, ‘Turtle’ appears to be the name given by its author.
The ransomware is designed to encrypt files on compromised systems. However, at this stage, it does not appear to pose a major threat to macOS users.
Firstly, the malicious file is signed with an ad-hoc signature and is not notarized by Apple, which means it will get blocked by Gatekeeper, unless it’s deployed through an exploit or specifically allowed to run by the victim.
In addition, while the ransomware is capable of encrypting files, the encryption key can be recovered and decrypting files is not difficult.
As for its origins, Wardle has not attributed the Turtle ransomware to a specific threat actor, but did note finding various strings written in Chinese, including one that translates to “encrypt files”.
“Of course it goes without saying, having your files ransomed sucks! But good news, in this case the average macOS user is unlikely to be impacted by this macOS sample,” Wardle said. “Still the fact that ransomware authors have set their sights on macOS, should give us pause for concern and also catalyze conversions about detecting and preventing this (and future) samples in the first place!”