Menu
This tool can block ransomware on Mac OS X, for now

This tool can block ransomware on Mac OS X, for now

The RansomWhere? tool detects when ransomware programs start encrypting files and then blocks them

A security researcher has created a free security tool that can detect attempts by ransomware programs to encrypt files on users' Macs and then block them before they do a lot of damage.

Called RansomWhere? the application is the creation of Patrick Wardle, director of research and development at security firm Synack. It's meant to detect and block the encryption of files by untrusted processes.

The tool monitors users' home directories and detects when encrypted files are rapidly created inside them -- a telltale sign of ransomware activity.

When such activity is detected, RansomWhere? determines the process responsible and suspends it. To limit false positives -- legitimate encryption programs being detected as ransomware -- the tool whitelists all applications signed by Apple and most of those that already exist on the computer when RansomWhere? is first installed.

This means that in order to work as expected, the tool needs to be installed on computers that haven't already been infected with ransomware. The tool also won't work if any ransomware programs that later infect the computer hijack or inject code into Apple-signed applications and use them to encrypt files.

ransomwhere alert prompt Patrick Wardle

RansomWhere? alert prompt.

When RansomWhere? suspends an encryption process, it prompts the user to allow the operation to continue or to terminate it. This provides users with an opportunity to whitelist legitimate encryption programs they know and trust.

While good at blocking opportunistic ransomware attacks in general, RansomWhere? does not provide perfect protection, nor does it claim to have a 100 percent detection rate.

First of all, RansomWhere?'s blocking mechanism will only kick in after a ransomware program has encrypted a few files. Their number should be in the single digits, though.

"RansomWhere? was designed to generically stop OS X ransomware," Wardle said in a blog post. "However several design choices were consciously made -- to facilitate reliability, simplicity, and speed -- that may impact its protection capabilities. First, it is important to understand that the protections afforded by any security tool, if specifically targeted, can be bypassed. That is to say, if a new piece of OS X ransomware was designed to specifically bypass RansomWhere? it would likely succeed."

Until recently, ransomware creators have almost exclusively targeted Windows computers, but that has started to change. There are already ransomware variants that infect Linux-based Web servers, and researchers have created proof-of-concept ransomware programs for OS X to show the platform can be affected.

In February, malware researchers spotted a new ransomware program being sold on cybercriminal forums that had versions for both Windows and Mac. Then in March, Mac users were hit by KeRanger, the first ever OS X ransomware found in the wild.

As the competition among ransomware creators intensifies, many of them will likely to branch out to other platforms in search of new victims. Mac users are certainly an attractive target.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments