It’s So Easy to Infect Macs With Ransomware, You Could Do It

The landing page of MacRansom.

While the recent WannaCry ransomware attack raced around the globe, Mac users felt safe. WannaCry only attacked Windows machines (and mainly ones that had been slow to update). It once again bolstered the idea that while PCs are under constant threat, Mac users largely are out of harm’s way.

However, this isn’t really the case. A ransomware program known as “KeRanger” was spread through the popular BitTorrent app Transmission last year, infecting over 7,000 machines. In February of this year, a ransomware program called “Patcher” — built to look like pirated versions of popular software, like Adobe Premiere Pro or Microsoft Word — quickly spread across BitTorrent.

Still, actually running an effective (i.e., moneymaking) ransomware campaign can be difficult. First, you need to either buy or code some malware that will lock up and eventually erase users’ hard drives until they pony up crypto-currency.

Second, you need to distribute that malware. That can mean everything from using botnets to blast out emails spoofed to look legit — getting users to download infected files, as was seen with the KeRanger and Patcher attacks — to physically uploading malware via a USB stick to a user’s computer.

Finally, you need a way to launder the money you receive from your victims. Payments made via bitcoin — by far the most popular crypto-currency, and one almost always used in ransomware attacks — can be actively tracked as they move from “wallet” to “wallet,” thanks to the unique “hash” (i.e., a long string of numbers and letters) attached to every bitcoin. There are “tumblers” you can use to obscure bitcoin tracking, in which bitcoins get thrown in with those of a bunch of other users, broken up into smaller pieces, and then redistributed — but even this can be tracked. (The WannaCry creators, who likely only earned about $80,000 USD from their attack, are still under close scrutiny as they attempt to shift money around.)

All in all, this creates a high barrier to entry to someone wanting to get in on a ransomware scheme. This is where Ransomware-As-a-Service (RaaS) steps in. RaaS takes its cues from one of the biggest revolutions in computing since the turn of the century, Software-As-a-Service (SaaS), in which companies host and run applications through the internet, preventing clients from needing to install and maintain software on their own. If you’ve ever used Google Docs, you’ve used SaaS.

RaaS has been available for those who want to infect and extort PC users since 2015, but now the market appears to be spreading to the world of Mac users as well. Cybersecurity researchers at Fortinet were the first to discover what is likely the first RaaS aimed at extorting Mac users, called simply “MacRansom.”

MacRansom (which can only be found on the “dark web,” meaning you need to use Tor to even locate the portal) works like this. You email the MacRansom creators with the details — how much you want to set the ransom at, when you want to trigger the ransomware attack, the bitcoin address where you want money sent, and how you want to spread the virus (i.e., you can either manually install it yourself via USB sticks or other methods, or pay extra to have the creators of MacRansom use Mail and AirDrop to do the distribution for you). The MacRansom creators then send you some zip files.

By default, it seems victims are told they must send .25 bitcoin (about $650 USD at current prices) to getwindows@protonmail.com. However, the MacRansom creators urge you to set the demand higher. In the FAQ section of the portal, the site creators urge users of their service to “ask for as much as possible. In general, Mac users are willing to pay at least $1,000 for their computer files. As much as $26,500 was once collected from a small business owner.”

MacRansom has good reason to urge users to jack up the price. The creators of the malware say they will pass along 70 percent of the money earned from successful extortion attempts to users, and keep 30 percent for themselves. The victims themselves, besides being out of whatever money they sent along, aren’t so lucky — according to Fortinet’s analysis of the malware, it’s highly unlikely that the MacRansom creators can actually decrypt the files that have been locked up, even after payment is made.

Per Fortinet, there are other flaws in the program. A lot of the code appears to be lifted wholesale from code repository Stack Overflow. It doesn’t have a spoofed security certificate, meaning it’ll likely cause victims’ Macs to throw up a red flag before being able to run. It also doesn’t use an automated (and therefore more secure) payment system — victims must email the creators to fulfill payment. Still, the relative ease of using MacRansom, even by those with little coding or technical skill, is worrying. More worrying is that this will likely inspire copycats to enter the market with more sophisticated versions of RaaS attacks.

The Mac OS represents a tiny portion of the overall market — around 7 percent according to most estimates. It’s this tiny market share that largely protects Mac users; there simply aren’t enough of them to make it worth the time and effort to infect them. However, Mac users tend to have a higher average household income than the average PC user, and may be willing to pay more for their data, rather than just walk away. Infecting and extorting Mac users via ransomware — or offering up a way for others to do so without needing to learn complicated code — may be a niche market, but it could be a potentially lucrative one for cybercriminals.
