Attack Chain

1. The user downloads and executes a malicious application, or a legitimate application compromised with ransomware (e.g., KeRanger in Transmission).
2. The ransomware component initiates, often after a period of dormancy.
3. The ransomware process begins enumerating files within the user’s home directory (/Users) and potentially other locations like /Volumes.
4. For each targeted file, the ransomware process opens the file for reading and writing (O_RDWR).
5. The process reads the file content into memory.
6. The ransomware uses a cryptographic algorithm (e.g., libsodium) to encrypt the file content.
7. The encrypted content is written back to the file, overwriting the original data. The encrypted files may have a new extension, such as “.encrypted”.
8. A ransom note (e.g., README_FOR_DECRYPT.txt) is created in directories containing encrypted files, providing instructions for payment and decryption.

Impact

A successful ransomware attack can result in the complete loss of access to user data. Organizations and individuals affected by ransomware face potential financial losses due to ransom payments, business disruption, and recovery costs. The research mentions that CryptoWall 3.0 ransomware operators made $325 million, highlighting the financial incentives driving ransomware development and deployment. The KeRanger ransomware infected thousands of Mac users.

Recommendation

• Deploy the Sigma rule macOS Ransomware File Creation to detect suspicious file modifications by untrusted processes within user directories based on file I/O events.
• Monitor process creation events and correlate them with file modification events, specifically targeting processes not signed by Apple or baselined using the Untrusted Process Creating Encrypted Files Sigma rule.
• Implement file integrity monitoring (FIM) on critical user directories to detect unauthorized file modifications, complementing the generic ransomware detection approach.