Ransomware, the malware that locks machines for a price, has long plagued Mac users with no plausible solution - until now.
Known mostly for targeting government agencies, ransomware creators turned their attention to the Mac in March with the KeRanger attack. The virus was planted in Apple's file-sharing app Transmission, so that it locks the machine when an unsuspecting user downloads it.
Patrick Wardle, director of research at the crowdfunded Synack and a former NSA security expert, realized that this could soon be happening to him, while the Apple guys were still clueless about how to put an end to this recurring issue.
By the time they had replaced the infected app with a fresh version, quite a bit of damage had been done. So he took it upon himself to build a tool to stop these malicious attacks, and soon released his "solution," which he named RansomWhere?.
Though not an entirely original concept, RansomWhere? detects and blocks file encryption by an unknown or suspicious process. It constantly monitors the home directories and sends out an alert the moment it comes across the tell-tale sign of ransomware: the rapid creation of encrypted files within those directories.
When the tool detects such unnatural activity in files, it zeroes in on the responsible process and suspends it temporarily. To minimize interference with legitimate encryption (that is, false positives), RansomWhere? keeps an allowlist of Apple-approved applications, along with any already present on the system at the time of its installation.
"This tool attempts to generically prevent [ransomware attacks], by detecting untrusted processes that are encrypting your personal files," Wardle said. "Once such a process is detected, RansomWhere? will stop the process in its tracks and present an alert to the user. If this suspected ransomware is indeed malicious, the user can terminate the process. On the other hand, if it's simply a false positive, the user can allow the process to continue executing."
This means that, for the tool to work effectively, the system must not already be infected with ransomware when it is installed. Moreover, the tool will fail to detect ransomware that enters the machine through an Apple-approved application and uses that application to encrypt the files.
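As an added illustration (not Wardle's code, which is not on this page), here is the heuristic described above in miniature: per-process counting of high-entropy file creations in a sliding time window, an allowlist consulted before anything else, and the allow/terminate decision from the alert. Thresholds, executable paths and file contents are constructed for the example; it also shows the blind spot just mentioned, since a write by an allowlisted executable is never examined.

```python
import math
from collections import defaultdict, deque

# Constructed thresholds; the page gives no tuning details for the real tool.
ENTROPY_THRESHOLD = 7.0  # bits per byte: ciphertext sits near 8.0, documents far lower
RATE_LIMIT, WINDOW = 3, 5.0  # encrypted-looking writes by one process within WINDOW seconds

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; high values are the tell-tale sign of fresh ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class Detector:
    def __init__(self, trusted_exes):
        self.trusted = set(trusted_exes)   # Apple-signed apps + binaries present at install
        self.events = defaultdict(deque)   # pid -> timestamps of encrypted-looking writes
        self.suspended = set()

    def on_file_created(self, pid, exe, ts, data):
        """Verdict for one file-creation event under a watched home directory."""
        if exe in self.trusted:
            return "ignore"                # never inspected: the blind spot described above
        if pid in self.suspended:
            return "suspended"             # already stopped, awaiting the user's decision
        if shannon_entropy(data) < ENTROPY_THRESHOLD:
            return "ignore"                # plaintext-looking write, not suspicious
        q = self.events[pid]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()                    # drop events outside the sliding window
        if len(q) >= RATE_LIMIT:
            self.suspended.add(pid)        # the real tool sends SIGSTOP and alerts the user
            return "suspend"
        return "watch"

    def user_decision(self, pid, exe, allow):
        """User answered the alert: allow (false positive) or terminate."""
        self.suspended.discard(pid)
        if allow:
            self.trusted.add(exe)
        return "allowed" if allow else "terminated"
# Constructed sample file contents: a byte-uniform blob (entropy 8.0) and plain text.
CIPHERTEXT = bytes(range(256)) * 16
PLAINTEXT = b"quarterly report, nothing unusual here\n" * 100
```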
Nonetheless, Wardle might just be on to something with RansomWhere? when it comes to stopping the malware in its tracks. The tool has been tested with positive results and, with time, it could be sharpened into "the" weapon to get rid of the ransomware gang for good.