OS X: Reactive Ransomware Protection

combination padlock atop iPhone and MacBook

I think I maintain a reasonably secure computing environment. I have locked down my firewall; my network has minimal points of entry; my MacBook runs the latest version of OS X, with every software update applied as it becomes available; my anti-virus software scans continuously and auto-updates its signatures; my backup strategy is comprehensive… I’m fastidious in keeping my applications up-to-date and careful in my consideration of whether or not to download something new.

In theory, I shouldn’t have much to worry about in terms of computer security and the protection of my data. Yet there is one cyber-threat that has preyed on my mind and kept me awake at night… ransomware. So what is ransomware? It’s a class of malware that surreptitiously encrypts your files, then demands payment for the release of a decryption key — without which recovery of your data is, in most cases, impossible.

If one becomes the unfortunate victim of a ransomware attack there are four possible outcomes:

  1. Assuming you are able to identify and remove the malware and are able to restore a non-encrypted and uninfected backup, then the outcome is good;
  2. You pay the ransom. If we assume a successful key retrieval and subsequent decryption, then the outcome is good — but your bank account is somewhat lighter;
  3. You pay the ransom but do not receive a decryption key, or decryption is unsuccessful. This is the worst possible outcome. Not only have you suffered the indignity of enriching a criminal, but you’ve also lost your precious data, perhaps forever;
  4. You don’t pay the ransom. You forfeit your data and start over. If you’re anything like me, this would be nothing short of devastating.

For some, whether an organisation or an individual, payment is the only option. The potential loss of data is inconceivable, the consequences perhaps catastrophic. This is, of course, what the authors of these insidious applications rely on. Others might refuse to pay, recognising that — to do so — encourages the authors of ransomware to continue and perhaps expand their operations. This is a tough choice to have to make.

So, can we defend ourselves against ransomware?

As with all malware, it’s something of an arms race. The bad actors conceive a new attack vector, then security vendors rush to develop detection/prevention/recovery solutions. The bad guys are proactive, the good guys reactive… and that’s the nature of the beast.

Thus your security software may recognise and defend against an older, previously identified piece of ransomware. But a new program, not yet seen in the wild, will most likely go undetected — and you only need to be unlucky once.

With this in mind then, I was especially intrigued by the research recently undertaken and published by Patrick Wardle. You may know Wardle if you’ve been an attendee of DefCon or similar security conferences.

In a recent article, “Towards Generic Ransomware Detection,” Wardle describes a method by which he’s been able to successfully detect a possible ransomware operation in its early stages — when it first starts to encrypt files.

On reading his thesis, his clever (and, with hindsight, obvious) hypothesis struck me with its elegance and simplicity:

“if we can monitor file I/O events and detect the rapid creation of encrypted files by untrusted processes, then ransomware may be generically detected”

Wardle’s article goes on to describe the choices he made in how to continuously and unobtrusively monitor file-system I/O and the sophisticated mathematical constructs — such as chi-squared distribution and Monte Carlo pi approximations[1] — he leveraged to distinguish an encrypted file from a compressed one (this is non-trivial since both have high levels of entropy, making them difficult to tell apart).
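As an added illustration of the three statistics named above (this is not Wardle’s code, and RansomWhere?’s real thresholds are not published here; the cut-offs below are assumptions chosen for roughly 64 KiB samples), the same tests are run over a constructed ciphertext-like buffer and a constructed plain-text buffer. Entropy alone cannot separate ciphertext from a compressed archive, which is why the chi-square and Monte Carlo pi checks are layered on top; even so, well-compressed data can pass all three, so a real detector must also look at behaviour.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is perfectly uniform (true of ciphertext AND good compression)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_square(data: bytes) -> float:
    """Chi-square of byte frequencies against the uniform distribution.
    Truly random bytes hover around 255 (the degrees of freedom); biased
    bytes such as text score orders of magnitude higher."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def monte_carlo_pi(data: bytes) -> float:
    """Treat consecutive 6-byte groups as (x, y) points in the unit square and
    estimate pi from the fraction inside the unit circle. Random bytes converge
    on pi; ASCII text (all bytes < 0x80) lands every point inside, giving 4.0."""
    inside = total = 0
    for i in range(0, len(data) - 5, 6):
        x = int.from_bytes(data[i:i + 3], "big") / 2 ** 24
        y = int.from_bytes(data[i + 3:i + 6], "big") / 2 ** 24
        total += 1
        inside += x * x + y * y <= 1.0
    return 4.0 * inside / total

def looks_encrypted(data: bytes) -> bool:
    """Assumed thresholds for ~64 KiB samples: all three tests must agree."""
    return (shannon_entropy(data) > 7.9
            and chi_square(data) < 400
            and abs(monte_carlo_pi(data) - math.pi) < 0.1)

def pseudo_random_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed inputs: one ciphertext-like buffer, one plain-text buffer.
CIPHERTEXT_LIKE = pseudo_random_bytes(64 * 1024)
PLAINTEXT_LIKE = (b"Quarterly report: revenue grew 4% while costs held flat. " * 1200)[:64 * 1024]
```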

The article culminates with the release of RansomWhere?, an application that provides an early warning of possible ransomware activity. I just had to test it out.

When you first install it, RansomWhere? performs a baseline analysis of your OS X system — it builds a profile within which it assumes the already installed applications are inherently trustworthy. This is important to note: RansomWhere? is thus of no use in detecting ransomware that might already be present on your system.

Once these initial operations are complete, RansomWhere? runs silently, in the background, watching the file I/O activity of any applications outside of the baseline profile (i.e. new and therefore untrusted). If it detects the creation of an encrypted file by an untrusted process it immediately halts that process and prompts the user, with options to terminate the process or allow it to continue:

RansomWhere? dialogue notifying of an encryption operation by an untrusted process

Of course, at this point it is up to you to determine whether or not this is a malicious process.

Important Notes:

  1. If you click “allow” then RansomWhere? will whitelist the process concerned and will never alert you about the encryption actions of that process again.
  2. If you click “terminate” then RansomWhere? will kill the process concerned and will continue to alert you of its encryption actions in the future.
  3. RansomWhere? has no means to remove or quarantine a process. It serves only as an alerting system.

In order to test RansomWhere? I needed an application that was specifically designed to encrypt files and that was outside of my baseline profile. I chose Encrypto as it was the first one I found on the Mac App Store (MAS).

Encrypto application, initial dialogue state

I dragged a PDF file onto the Encrypto drop-zone, entered a password[2] and clicked the “Encrypt” button. Now it’s worth pointing out here that Encrypto does not encrypt in-place. Rather, it encrypts in memory or in some intermediate space on disk, then presents options to share and/or save the resulting file. So, in contrast to an actual piece of ransomware, Encrypto does not change the source file in any way.

As RansomWhere? watches file I/O, I chose to save the file. There was no response from RansomWhere? but I expected this because, as Wardle explains in his thesis:

“ransomware has the characteristic of rapidly encrypting many files. As such, RansomWhere? keeps track of both when, and how many encrypted files an untrusted process has/is creating. When a threshold is hit (that takes into account both the speed and number of encrypted files generated), RansomWhere? takes action”
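The “speed and number” threshold Wardle describes, together with the Allow/Terminate behaviour from the Important Notes above, can be modelled as a per-process sliding window. This is an added example, not RansomWhere?’s code; the window length (60 s) and file count (2) are assumptions picked so that the constructed trace mirrors the experiment below, where the second encrypted file triggered the alert.

```python
from collections import deque

class EncryptionRateMonitor:
    """Alert when an untrusted process creates `max_files` encrypted files
    within `window_s` seconds. Parameters are assumptions, not RansomWhere?'s."""

    def __init__(self, max_files: int = 2, window_s: float = 60.0):
        self.max_files, self.window_s = max_files, window_s
        self.events: dict[int, deque] = {}   # pid -> timestamps of encrypted-file creations
        self.allowed: set[int] = set()       # pids the user clicked "Allow" on

    def record(self, pid: int, now: float) -> bool:
        """Register one encrypted-file creation; return True if an alert should fire."""
        if pid in self.allowed:              # Note 1: whitelisted, never alert again
            return False
        q = self.events.setdefault(pid, deque())
        q.append(now)
        while now - q[0] > self.window_s:    # drop creations older than the window
            q.popleft()
        return len(q) >= self.max_files

    def allow(self, pid: int) -> None:
        self.allowed.add(pid)
        self.events.pop(pid, None)

    def terminate(self, pid: int) -> None:
        # Note 2: process is killed; its history is cleared but it is NOT whitelisted,
        # so a relaunched copy will be alerted on again.
        self.events.pop(pid, None)

def first_alert(monitor: EncryptionRateMonitor, trace):
    """Replay (pid, timestamp) events; return the first (pid, t) that alerts, else None."""
    for pid, t in trace:
        if monitor.record(pid, t):
            return (pid, t)
    return None

# Constructed traces (seconds since start).
TWO_SAVES_FAST = [(101, 0.0), (101, 40.0)]     # the Encrypto experiment: 2nd file alerts
TWO_SAVES_SLOW = [(101, 0.0), (101, 3600.0)]   # an hour apart: stays under the threshold
```

After `allow(101)` the same fast trace produces no alert, which is exactly why a mistaken “Allow” on a real ransomware process is costly.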

I dragged another file into Encrypto’s window, entered a password and clicked “Encrypt.” At this point RansomWhere? sprang into action. Encrypto’s cute little encryption animation halted and the RansomWhere? dialogue appeared, prompting me to “Allow” or “Terminate” the Encrypto process.

Was I impressed? Hell yes. RansomWhere? had done its job perfectly.

As I wrote earlier, there’s an ongoing battle between computer users and cyber-criminals. The criminals will continue to become more sophisticated in their methods and we must continue to deploy new tools to defend ourselves. Ransomware is a great weapon for them, with the potential for large profit and seemingly little in the way of risk.

Because of this, I expect ransomware attacks to increase in scope, variance and cost. RansomWhere? has considerable promise, but only until the bad guys figure out a way to bypass it.

The best defence? Good old common sense. Be cautious of every download, every email attachment, every hyperlink given you by an untrusted source. Practice safe computing.

P.S. Patrick Wardle has created a whole range of Mac security tools that are available as free downloads from his website. I strongly recommend each and every one of them.

  1. Don’t worry about it. They mean nothing to me either. 😃

  2. Technically an encryption key, but let’s not split hairs.