Generic Ransomware Detection on macOS
This brief outlines a method for generically detecting ransomware on macOS by monitoring file I/O events and identifying the rapid creation of encrypted files by untrusted processes, as proposed by Objective-See.
This research, published by Objective-See in April 2016, explores techniques for generic ransomware detection on macOS. The core concept revolves around monitoring file system events to identify processes rapidly creating encrypted files. The research highlights the increasing prevalence of ransomware, even on macOS, citing examples like KeRanger, which infected thousands of Mac users via a compromised version of Transmission. The author proposes a detection mechanism that leverages file I/O monitoring, encryption detection, and trust assessment of processes to identify and potentially block ransomware activity. The aim is to provide a proactive defense against new and unknown ransomware variants that evade traditional signature-based antivirus solutions. The research is presented as version 1.0, so there is likely room for improvement.
Attack Chain
- The user downloads and executes a malicious application, or a legitimate application compromised with ransomware (e.g., KeRanger in Transmission).
- The ransomware component initiates, often after a period of dormancy.
- The ransomware process begins enumerating files within the user’s home directory (/Users) and potentially other locations like /Volumes.
- For each targeted file, the ransomware process opens the file for reading and writing (O_RDWR).
- The process reads the file content into memory.
- The ransomware uses a cryptographic algorithm (e.g., libsodium) to encrypt the file content.
- The encrypted content is written back to the file, overwriting the original data. The encrypted files may have a new extension, such as “.encrypted”.
- A ransom note (e.g., README_FOR_DECRYPT.txt) is created in directories containing encrypted files, providing instructions for payment and decryption.
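The detection approach the research describes (watch file writes under /Users and /Volumes, test whether the written content looks encrypted, exempt trusted processes, alert when one process produces a burst of such files) as an added Python example; this is not code from Objective-See's research or tool. The thresholds, the signer labels, the event format and the sample file contents and events are all assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Thresholds are assumptions chosen for this example, not values from the research.
ENTROPY_MIN = 7.5     # bits per byte; ciphertext approaches the 8.0 maximum
CHISQ_MAX = 500.0     # chi-square against a uniform byte histogram (255 degrees of freedom)
MIN_SIZE = 1024       # fewer bytes give unreliable statistics
BURST_COUNT = 5       # this many encrypted writes by one process ...
BURST_WINDOW = 10.0   # ... within this many seconds raises an alert

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for perfectly uniform bytes)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against a uniform distribution (inf for empty input)."""
    if not data:
        return float("inf")
    expected, counts = len(data) / 256, Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def looks_encrypted(data: bytes) -> bool:
    """Encrypted (and, as a caveat, compressed) content is high entropy and statistically uniform."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_MIN and chi_square(data) <= CHISQ_MAX

class RansomwareMonitor:  # per-process sliding window of encrypted writes under the watched roots
    def __init__(self, watched=("/Users/", "/Volumes/"), trusted_signers=frozenset({"Apple"})):
        self.watched = watched           # directories the research names as ransomware targets
        self.trusted = trusted_signers   # hypothetical signer labels; a real check uses code-signing APIs
        self.writes = defaultdict(list)  # pid -> timestamps of encrypted writes

    def on_file_write(self, pid: int, signer: str, path: str, content: bytes, ts: float) -> bool:
        """Consume one file I/O event; return True when pid crosses the burst threshold."""
        if signer in self.trusted or not path.startswith(self.watched) or not looks_encrypted(content):
            return False
        recent = [t for t in self.writes[pid] if ts - t <= BURST_WINDOW] + [ts]
        self.writes[pid] = recent
        return len(recent) >= BURST_COUNT

def simulate() -> list:
    """Replay constructed events: an untrusted process rewriting files versus benign activity."""
    ciphertext = bytes(range(256)) * 16  # constructed stand-in for encrypted output (uniform bytes)
    plaintext = b"Quarterly report: revenue grew modestly while costs were flat. " * 64
    mon = RansomwareMonitor()
    alerts = [i for i in range(6) if mon.on_file_write(4242, "unsigned", f"/Users/alice/Documents/f{i}.docx.encrypted", ciphertext, float(i))]
    mon.on_file_write(77, "Apple", "/Users/alice/Library/cache.bin", ciphertext, 2.0)  # trusted signer: ignored
    mon.on_file_write(4243, "unsigned", "/Users/alice/notes.txt", plaintext, 3.0)      # plaintext: ignored
    return alerts  # indices of the writes that tripped the alert
```

Because archives and media files are also high entropy, the statistical test alone produces false positives; the trust check and the burst window are what make it usable as an alert.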
Impact
A successful ransomware attack can result in the complete loss of access to user data. Organizations and individuals affected by ransomware face potential financial losses due to ransom payments, business disruption, and recovery costs. The research mentions that CryptoWall 3.0 ransomware operators made $325 million, highlighting the financial incentives driving ransomware development and deployment. The KeRanger ransomware infected thousands of Mac users.
Recommendation
- Deploy the Sigma rule macOS Ransomware File Creation to detect suspicious file modifications by untrusted processes within user directories, based on file I/O events.
- Monitor process creation events and correlate them with file modification events, specifically targeting processes not signed by Apple or baselined, using the Untrusted Process Creating Encrypted Files Sigma rule.
- Implement file integrity monitoring (FIM) on critical user directories to detect unauthorized file modifications, complementing the generic ransomware detection approach.
Detection coverage (2 rules)
- macOS Ransomware File Creation (severity: high): Detects rapid creation or modification of files with potential ransomware extensions by untrusted processes.
- Untrusted Process Creating Encrypted Files (severity: medium): Detects an untrusted process rapidly creating encrypted files by monitoring process creation and file modification events.