Fortinet malware experts have detected the first Mac ransomware offered as a Ransomware-as-a-Service (RaaS). Dubbed MacRansom, the threat is the first RaaS that targets Mac OS and is available through a hidden service on the Tor network.
“Just recently, we here at FortiGuard Labs discovered a Ransomware-as-a-service (RaaS) that uses a web portal hosted in a TOR network which has become a trend nowadays. However, in this case it was rather interesting to see cybercriminals attack an operating system other than Windows. And this could be the first time to see RaaS that targets Mac OS.” – states the analysis published by Fortinet.
Even though MacRansom is not as advanced as other RaaS offerings, it can cause victims serious problems by encrypting their files. The RaaS is available to anybody, which lets non-professional cyber criminals arrange ransomware campaigns. To receive their version of the malware, wannabe crooks have to get in touch with MacRansom's author.
“This MacRansom variant is not readily available through the portal. It is necessary to contact the author directly to build the ransomware. At first, we thought of it as a scam since there was no sample but to verify this we dropped the author an email and unexpectedly received a response.” – continues the analysis.
The ransomware uses symmetric encryption with hard-coded keys. Researchers found two symmetric keys: ReadmeKey: 0x3127DE5F0F9BA796 and TargetFileKey: 0x39A622DDB50B49E9. The first is used to decrypt the ._README_ file, which contains the payment instructions, while the second is used to encrypt and decrypt victims' data.
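A hard-coded symmetric key is the same in every build rather than generated per victim, so the key bytes themselves become a usable indicator. The following added example (not Fortinet's code, and not part of the original article) scans a byte buffer for the two 64-bit constants reported above, in both little-endian and big-endian encodings, and reports where they occur. It assumes the constants are embedded unobfuscated as 8-byte immediates; the article does not state the cipher the key drives, so the example detects the constants and does not attempt to decrypt anything.

```python
import struct
import sys

# The two 64-bit constants reported by FortiGuard Labs for MacRansom.
READMEKEY = 0x3127DE5F0F9BA796
TARGETFILEKEY = 0x39A622DDB50B49E9

KEYS = {"ReadmeKey": READMEKEY, "TargetFileKey": TARGETFILEKEY}


def key_patterns(value):
    """Return the byte encodings a 64-bit constant may take in a binary.

    x86-64 code embeds immediates little-endian; big-endian is included
    in case the constant is stored as data in network/byte-swapped form.
    (Assumption: the constant is not obfuscated or split across instructions.)
    """
    return {
        "le": struct.pack("<Q", value),
        "be": struct.pack(">Q", value),
    }


def find_hardcoded_keys(data):
    """Scan a byte buffer for the MacRansom key constants.

    Returns a dict mapping key name -> list of (offset, encoding) hits,
    with overlapping occurrences reported individually.
    """
    hits = {}
    for name, value in KEYS.items():
        for enc, pat in key_patterns(value).items():
            start = 0
            while True:
                idx = data.find(pat, start)
                if idx == -1:
                    break
                hits.setdefault(name, []).append((idx, enc))
                start = idx + 1
    return hits


def classify(data):
    """Summarise a scan result as a short verdict string."""
    hits = find_hardcoded_keys(data)
    if not hits:
        return "no MacRansom key constants found"
    names = ", ".join(sorted(hits))
    return "MacRansom key constant(s) present: " + names


def scan_file(path):
    """Scan a file on disk and return the hit dictionary."""
    with open(path, "rb") as fh:
        return find_hardcoded_keys(fh.read())


# Constructed sample buffer (not a real binary): 32 bytes of padding, the
# TargetFileKey as a little-endian immediate, 4 filler bytes, then ReadmeKey.
SAMPLE = (
    b"\x00" * 32
    + struct.pack("<Q", TARGETFILEKEY)
    + b"junk"
    + struct.pack("<Q", READMEKEY)
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, scan_file(path))
    else:
        print(find_hardcoded_keys(SAMPLE))
        print(classify(SAMPLE))
```

Run it with one or more file paths to scan them, or with no arguments to scan the constructed sample. Eight random-looking bytes are a low false-positive signature, but a rebuilt or packed variant that stores the key differently would be missed, so treat a miss as inconclusive rather than clean.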
At this point, MacRansom encrypts at most 128 files and then demands 0.25 Bitcoin ($700) for the decryptor. The code also performs anti-analysis checks: the first thing it does is check whether the sample is running under a debugger or in a non-Mac environment.
Wannabe crooks get a 30% cut of the payment from each infected victim. All they have to do is distribute the malware, for instance through spam emails or drive-by downloads. However, MacRansom's author discourages distribution methods that involve uploading customized versions of the threat.
“It is not every day that we see new ransomware specifically targeting Mac OS platform. Even if it is far inferior from most current ransomware targeting Windows, it doesn’t fail to encrypt victim’s files or prevent access to important files, thereby causing real damage.” – concluded Fortinet – “Last but not the least, this MacRansom variant is potentially being brewed by copycats as we saw quite a lot of similar code and ideas taken from previous OSX ransomware. Even though it utilizes anti-analysis tricks, which differs from previous OSX ransomware, these are well-known techniques widely deployed by many malware authors. MacRansom is yet another example of the prevalence of the ransomware threat, regardless of the OS platform being run.”