Developer offers generic ransomware detection for OS X

The increasing use by attackers of ransomware has security researchers thinking of new defences to mount. For organizations who have Mac users, Patrick Wardle, director of researcher at Synack,  a California security solutions provider, has come up with what he calls a generic ransomware threat protector for the OS X platform.

Unlike solutions sold by commercial vendors that detect particular strains of ransomware, Wardle’s solution — called RansomWhere? — identifies a factor common in  all ransomware; the creation of encrypted files.

RansomWhere? attempts to  prevent this by detecting untrusted processes that are encrypting personal files. When that process is detected the software stop it and sends an alert to the user, who can decide whether it is malicious or a false positive.

Threatpost notes that there are a few generic defense mechanisms for Windows, such as Easy Sync Solutions’ CryptoMonitor, now owned by Malwarebytes.

“It is important to understand how RansomWhere? determines what (it thinks) is ransomware -as this can also help understand its alerts and how to effectively respond to them,” Wardle says on his site. The solution must decide that the answer is ‘yes’ to two questions:

–Is the the process trusted? RansomWhere? trusts processes that are signed by Apple proper, or, where already present when the tool was installed, or have be explicitly approved by the user (i.e. you clicked ‘allow’ in a previous alert);

–Is the process quickly creating encrypted files? The software uses mathematical calculations to determine if a created/modified file is encrypted. If an untrusted process creates several of these quickly, RansomWhere? will generate an alert.

RansomWhere? will trust most binaries that were already present when it was installed, or have be explicitly approved by the user. However, it can be reset to clear its memory of these trusted applications.

Wardle admits the solution has some limitations: Malware could be designed to evade RansomWhere?, for example. If ransomware abuses an signed Apple binary (or process, perhaps via injection), RansomWhere? won’t detect it. The tool inherently trusts applications that are already present on the system when it is installed, so if  ransomware is already present on the system it may not be detected. Finally, it is reactive, so malware will likely encrypt a few files (ideally only two or three), before being detected and blocked, the site says.

All this may cause CISOs to pause before allowing its use by staff. Still, it may be useful in some environments so may be useful for consideration after a risk analysis.

It will be interesting to see if commercial security vendors incorporate this approach as part of their solutions.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now