{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/transmission/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Transmission","OSX/FileCoder"],"_cs_severities":["medium"],"_cs_tags":["ransomware","malware","macos"],"_cs_type":"advisory","_cs_vendors":["Apple","Kaspersky","Palo Alto Networks"],"content_html":"\u003cp\u003eThis research, published by Objective-See in April 2016, explores techniques for generic ransomware detection on macOS. The core concept revolves around monitoring file system events to identify processes rapidly creating encrypted files. The research highlights the increasing prevalence of ransomware, even on macOS, citing examples like KeRanger, which infected thousands of Mac users via a compromised version of Transmission. The author proposes a detection mechanism that leverages file I/O monitoring, encryption detection, and trust assessment of processes to identify and potentially block ransomware activity. The aim is to provide a proactive defense against new and unknown ransomware variants that evade traditional signature-based antivirus solutions. This research is at version 1.0, meaning there is likely room for improvement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user downloads and executes a malicious application, or a legitimate application compromised with ransomware (e.g., KeRanger in Transmission).\u003c/li\u003e\n\u003cli\u003eThe ransomware component initiates, often after a period of dormancy.\u003c/li\u003e\n\u003cli\u003eThe ransomware process begins enumerating files within the user\u0026rsquo;s home directory (/Users) and potentially other locations like /Volumes.\u003c/li\u003e\n\u003cli\u003eFor each targeted file, the ransomware process opens the file for reading and writing (O_RDWR).\u003c/li\u003e\n\u003cli\u003eThe process reads the file content into memory.\u003c/li\u003e\n\u003cli\u003eThe ransomware uses a cryptographic algorithm (e.g., libsodium) to encrypt the file content.\u003c/li\u003e\n\u003cli\u003eThe encrypted content is written back to the file, overwriting the original data. The encrypted files may have a new extension, such as \u0026ldquo;.encrypted\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eA ransom note (e.g., README_FOR_DECRYPT.txt) is created in directories containing encrypted files, providing instructions for payment and decryption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful ransomware attack can result in the complete loss of access to user data. Organizations and individuals affected by ransomware face potential financial losses due to ransom payments, business disruption, and recovery costs. The research mentions that CryptoWall 3.0 ransomware operators made $325 million, highlighting the financial incentives driving ransomware development and deployment. The KeRanger ransomware infected thousands of Mac users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003emacOS Ransomware File Creation\u003c/code\u003e to detect suspicious file modifications by untrusted processes within user directories based on file I/O events.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events and correlate them with file modification events, specifically targeting processes not signed by Apple or baselined, using the \u003ccode\u003eUntrusted Process Creating Encrypted Files\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on critical user directories to detect unauthorized file modifications, complementing the generic ransomware detection approach.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-ransomware-detection/","summary":"This brief outlines a method for generically detecting ransomware on macOS by monitoring file I/O events and identifying the rapid creation of encrypted files by untrusted processes, as proposed by Objective-See.","title":"Generic Ransomware Detection on macOS","url":"https://feed.craftedsignal.io/briefs/2024-01-ransomware-detection/"}],"language":"en","title":"CraftedSignal Threat Feed — Transmission","version":"https://jsonfeed.org/version/1.1"}