More evidence Mac ransomware exists

Thanks to Anna Szalay (SophosLabs), Xinran Wu (SophosLabs) and Paul Ducklin (Naked Security) for contributing to this article.

We’ve been saying it for some time: Mac malware is rare compared to the stuff that targets Windows. But Apple computers are far from immune.

This year’s SophosLabs malware forecast included Mac malware geared towards harvesting data, providing covert remote access to thieves and holding files for ransom.

Other examples of Mac ransomware include OSX/Filecode-K and OSX/Filecode-L.

Now comes word of a new piece of Mac ransomware, which SophosLabs has identified as OSX/Ransom-A. Widely reported as an example of ransomware-as-a-service (RaaS) for Macs, it has become popularly known as MacRansom.

How it works

This ransomware is not in the wild. Those who want a sample must contact its creators through a secure ProtonMail email address. SophosLabs did obtain a sample and made the following observations:

When you first run the OSX/Ransom-A malware app, you won’t see any tell-tale popups asking for a password. The malware installs itself quietly to work under your own account, rather than as a system-wide program.

OSX/Ransom-A simply copies itself into a subdirectory called ~/Library/.FS_Storage, effectively allowing it to hide in plain sight. (The directory name ~/ is Unix shorthand for “your own home folder”, e.g. /Users/yourname/.)

The Library directory is used officially by macOS to store all sorts of configuration files in dozens of different subdirectories, making it an excellent place for malware to lie around looking innocent.

On macOS, which is Unix-based, files and directories that start with a dot don’t show up by default in directory listings or in the Mac Finder, so you might never notice the presence of the rogue .FS_Storage hidey-hole used by the malware.

Even if you do notice the malware directory, the name .FS_Storage gives it an official look – it was chosen because it looks similar to .DS_Store, an official macOS filename that you may well have noticed before.

Once activated, OSX/Ransom-A follows the now-familiar pattern of encrypting your files and then offering to sell you back the decryption key you need to recover them:

Note that this malware goes after files by starting in the special directory /Volumes, which is where all your currently-attached hard disks show up, including Time Machine backup volumes, USB keys and other removable drives.

In other words, if you regularly leave your backup disks plugged in so that they are online all the time, you expose them to malware such as ransomware – which is why we routinely recommend keeping at least one recent backup copy not only offline, but also off-site, just in case.
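The two observations above (a hidden directory under ~/Library named to look official, and encryption that starts at /Volumes and so reaches any backup disk that is left mounted) each suggest a simple check an administrator can run. The script below is an added example, not code from the Sophos article or from the malware: it lists hidden subdirectories of a Library-style folder whose names are on a watchlist, and reports which named backup volumes are currently mounted under a /Volumes-style directory. It assumes POSIX sh with find(1) and basename(1); the watchlist entry .FS_Storage is the name quoted in the article, while the volume names and the temporary directory layout in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or the malware). Two defender-side checks:
#   hidden_dirs_matching DIR      - hidden (dot-prefixed) subdirectories directly
#                                   under DIR whose basename is on WATCHLIST
#   mounted_backups VOLDIR NAMES  - which of the space-separated NAMES exist as
#                                   directories under VOLDIR (e.g. /Volumes)
# Assumptions: POSIX sh, find(1), basename(1). ".FS_Storage" is the directory
# name reported in the article; everything else below is constructed.

WATCHLIST=".FS_Storage"

# Print "SUSPECT <path>" for each hidden directory directly under $1
# whose basename appears in WATCHLIST. Run it against "$HOME/Library".
hidden_dirs_matching() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' 2>/dev/null |
    while IFS= read -r d; do
        b=$(basename "$d")
        for w in $WATCHLIST; do
            if [ "$b" = "$w" ]; then
                printf 'SUSPECT %s\n' "$d"
            fi
        done
    done
    return 0
}

# Print "MOUNTED <path>" for each name in $2 that is present under $1.
# A backup volume that is always mounted is reachable by anything that
# walks /Volumes, so the ones reported here are the ones worth unplugging.
mounted_backups() {
    for n in $2; do
        if [ -d "$1/$n" ]; then
            printf 'MOUNTED %s\n' "$1/$n"
        fi
    done
    return 0
}

# Demo on a constructed layout standing in for ~/Library and /Volumes.
demo() {
    lib=$(mktemp -d)
    vols=$(mktemp -d)
    mkdir -p "$lib/Preferences" "$lib/.FS_Storage" "$lib/.other"
    mkdir -p "$vols/Macintosh HD" "$vols/TimeMachine"
    hidden_dirs_matching "$lib"
    mounted_backups "$vols" "TimeMachine OffsiteUSB"
    rm -rf "$lib" "$vols"
}

demo
```

On a real Mac, replace the constructed directories with `hidden_dirs_matching "$HOME/Library"` and `mounted_backups /Volumes "<your backup volume names>"`; a hidden directory that is not on the watchlist is not reported, so extend WATCHLIST with any other names you consider suspicious rather than treating an empty result as a clean bill of health.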

Now what?

MacRansom is more evidence that hackers are working on ways to target Mac users with a variety of malware going forward.

Approach this as an awareness exercise.

As part of that, we offer the following resources: