With hundreds of thousands of new ransomware samples emerging every day, traditional signature-based antivirus products struggle to keep their signature databases up to date: a variant that has never been seen before has no signature to match against.
So, if signature-based techniques are not enough to detect ransomware infections, what else can we do?
Here is the latest ransomware detection tool for Mac OS X users:
RansomWhere? is a free tool that identifies ransomware-like behavior rather than known samples. It watches for untrusted processes that rapidly create encrypted files, suspends the suspicious process, and then alerts the user.
How the RansomWhere? tool works
Patrick Wardle, a former NSA staffer who now leads research at the bug-hunting firm Synack, developed RansomWhere? to detect and block generic ransomware on Mac OS X. Instead of looking for known samples, it continuously monitors the user's local filesystem for newly created files that appear to be encrypted and tracks which process created them.
“The ransomware will likely encrypt a few files (ideally only two or three), before being detected and blocked,” Wardle wrote in a blog post.
By default, the tool monitors Mac apps and binaries that are not signed by Apple itself, including those signed with a third-party Apple Developer ID certificate; binaries signed with Apple's own certificates are trusted and left alone.
Wardle successfully tested RansomWhere? against KeRanger, the Mac ransomware distributed earlier this year through a tampered Transmission installer, and against Gopher, a proof-of-concept Mac ransomware written last year by security researcher Pedro Vilaca.
Wardle acknowledges that the tool cannot guarantee 100 percent detection and that attackers who study it may find ways to bypass it, but catching generic ransomware behavior is still far better than being completely unprotected.
Known limitations of the RansomWhere? tool:
- Apple-signed binaries are trusted and never flagged, so ransomware that carries out its encryption through an Apple-signed file or app would go undetected.
- Detection is behavioral, so it fires only after the ransomware has already encrypted a few of your files; those files stay encrypted unless you have a backup.
- Only files under your home directory are monitored. Ransomware that first moves your files outside the home directory and encrypts them there is never seen.
Since attackers tend to stay a step ahead of defenders, RansomWhere? has already been bypassed: Vilaca tweaked his Gopher ransomware to evade it in a matter of minutes.
Exactly as the third limitation predicts, he needed just ten lines of additional code in the proof-of-concept to move the victim's files outside the home directory before encrypting them, and he demonstrated the bypass in a video.
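To make the detection heuristic and its blind spots concrete, here is an added example that models the behavior described above in Python. It is not code from Wardle's RansomWhere? project: a file is judged encrypted when its byte entropy is high and it carries no known file-format header, and an untrusted process that creates several such files under the home directory within a short window is suspended. The same model replays the three limitations and Vilaca's bypass: an Apple-signed process is never flagged, files written outside the home directory are never inspected, and a couple of files are lost before the alarm fires. The home directory, the entropy and burst thresholds, the process names, the sample document and the XOR keystream used in place of the ransomware's real cipher are all constructed for this demo.

```python
# Toy model of the RansomWhere?-style detector described above. Added example, not Wardle's code.
# Home directory, thresholds, process names and sample files are constructed for the demo.
import hashlib
import math
import posixpath
from collections import defaultdict, deque, namedtuple

HOME = "/Users/victim"     # only files below here are monitored
ENTROPY_THRESHOLD = 7.5    # bits per byte; encrypted or random data approaches 8.0
BURST_COUNT = 3            # encrypted files within one window that trigger a suspend
BURST_WINDOW = 2.0         # seconds
# Headers of legitimately high-entropy formats: zip, gzip, png, jpeg, pdf, 64-bit Mach-O.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff", b"%PDF-", b"\xcf\xfa\xed\xfe")
Proc = namedtuple("Proc", "pid name apple_signed")   # apple_signed: signed by Apple itself


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, close to 8.0 for uniform bytes."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes) -> bool:
    """High entropy and no recognised header: a zip or jpeg is high-entropy but is not flagged."""
    return not data.startswith(KNOWN_MAGIC) and shannon_entropy(data) >= ENTROPY_THRESHOLD


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for the ransomware's cipher: XOR with a SHA-256 counter keystream. Demo only."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(plaintext) // 32 + 1))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


class Detector:
    """Consumes file-creation events; FSEvents and SIGSTOP are replaced by plain method calls."""

    def __init__(self, home: str = HOME):
        self.home = home
        self.recent = defaultdict(deque)   # pid -> timestamps of recent encrypted-file creations
        self.suspended = set()

    def on_file_created(self, ts: float, proc: Proc, path: str, data: bytes) -> str:
        """Classify one event and return the verdict the tool would reach."""
        if proc.pid in self.suspended:
            return "suspended"
        if proc.apple_signed:
            return "trusted"        # limitation 1: an Apple-signed process is never flagged
        if posixpath.commonpath([self.home, path]) != self.home:
            return "out_of_scope"   # limitation 3: files outside the home directory are ignored
        if not looks_encrypted(data):
            return "benign"
        window = self.recent[proc.pid]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_COUNT:
            self.suspended.add(proc.pid)   # the real tool sends SIGSTOP and prompts the user
            return "suspended"
        return "encrypted"          # limitation 2: this file is already lost


# Constructed sample data: a low-entropy document and its "ransomed" ciphertext.
PLAINTEXT = b"Quarterly report: revenue grew modestly; see attached spreadsheet.\n" * 64
CIPHERTEXT = toy_encrypt(PLAINTEXT, b"constructed-demo-key")
RANSOMWARE = Proc(4242, "gopher-like", False)
APPLE_HELPER = Proc(88, "apple-signed-helper", True)   # hypothetical abused Apple-signed process
HOME_FILES = [f"{HOME}/Documents/doc{i}.txt" for i in range(5)]
TMP_FILES = [f"/private/tmp/.cache/doc{i}.txt" for i in range(5)]   # outside the home directory


def run_scenario(paths, proc, data, step: float = 0.1) -> list:
    """Feed one creation event per path, `step` seconds apart, and collect the verdicts."""
    det = Detector()
    return [det.on_file_created(i * step, proc, p, data) for i, p in enumerate(paths)]

def attack_in_home() -> list:            # two files are lost, then the process is suspended
    return run_scenario(HOME_FILES, RANSOMWARE, CIPHERTEXT)

def bypass_via_tmp() -> list:            # Vilaca's trick: encrypt outside the monitored tree
    return run_scenario(TMP_FILES, RANSOMWARE, CIPHERTEXT)

def bypass_via_apple_signed() -> list:   # encryption performed by a trusted, Apple-signed process
    return run_scenario(HOME_FILES, APPLE_HELPER, CIPHERTEXT)

def benign_archiver() -> list:           # high-entropy body behind a zip header is not flagged
    return run_scenario(HOME_FILES, Proc(515, "archiver", False), b"PK\x03\x04" + CIPHERTEXT)


if __name__ == "__main__":
    for fn in (attack_in_home, bypass_via_tmp, bypass_via_apple_signed, benign_archiver):
        print(f"{fn.__name__:24} {fn()}")
```

Running the script prints one verdict list per scenario. The in-home attack produces two "encrypted" verdicts before the third file trips the burst threshold and the process is suspended, which is the "two or three files" cost Wardle quotes. The /tmp scenario produces nothing but "out_of_scope", which is precisely why a ten-line change that moves files out of the home directory defeats the tool, and the Apple-signed scenario shows why trust anchored on a signer rather than on behavior is the other gap. The header check in looks_encrypted matters in practice: archives and images are as high-entropy as ciphertext, and an entropy-only detector would suspend every zip utility on the machine.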