This tool can block ransomware on Mac OS X, for now

The RansomWhere? tool detects when ransomware programs start encrypting files and then blocks them

A security researcher has created a free security tool that can detect attempts by ransomware programs to encrypt files on users' Macs and then block them before they do a lot of damage.

Called RansomWhere? the application is the creation of Patrick Wardle, director of research and development at security firm Synack. It's meant to detect and block the encryption of files by untrusted processes.

The tool monitors users' home directories and detects when encrypted files are rapidly created inside them -- a telltale sign of ransomware activity.

When such activity is detected, RansomWhere? determines the process responsible and suspends it. To limit false positives -- legitimate encryption programs being detected as ransomware -- the tool whitelists all applications signed by Apple and most of those that already exist on the computer when RansomWhere? is first installed.

This means that in order to work as expected, the tool needs to be installed on computers that haven't already been infected with ransomware. The tool also won't work if any ransomware programs that later infect the computer hijack or inject code into Apple-signed applications and use them to encrypt files.

ransomwhere alert prompt Patrick Wardle

RansomWhere? alert prompt.

When RansomWhere? suspends an encryption process, it prompts the user to allow the operation to continue or to terminate it. This provides users with an opportunity to whitelist legitimate encryption programs they know and trust.

While good at blocking opportunistic ransomware attacks in general, RansomWhere? does not provide perfect protection, nor does it claim to have a 100 percent detection rate.

First of all, RansomWhere?'s blocking mechanism will only kick in after a ransomware program has encrypted a few files. Their number should be in the single digits, though.

"RansomWhere? was designed to generically stop OS X ransomware," Wardle said in a blog post. "However several design choices were consciously made -- to facilitate reliability, simplicity, and speed -- that may impact its protection capabilities. First, it is important to understand that the protections afforded by any security tool, if specifically targeted, can be bypassed. That is to say, if a new piece of OS X ransomware was designed to specifically bypass RansomWhere? it would likely succeed."

Until recently, ransomware creators have almost exclusively targeted Windows computers, but that has started to change. There are already ransomware variants that infect Linux-based Web servers, and researchers have created proof-of-concept ransomware programs for OS X to show the platform can be affected.

In February, malware researchers spotted a new ransomware program being sold on cybercriminal forums that had versions for both Windows and Mac. Then in March, Mac users were hit by KeRanger, the first ever OS X ransomware found in the wild.

As the competition among ransomware creators intensifies, many of them will likely to branch out to other platforms in search of new victims. Mac users are certainly an attractive target.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleLinuxMacs

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts