MacRansom

MacRansom is a Ransomware-as-a-Service (RaaS) portal hosted on the Dark Web and is possibly the first RaaS created to specifically target the Mac OS. Once the executable is purchased from the website and executed on a Mac OS system, MacRansom performs a preliminary check to see if it's running on a non-Mac platform or if it detects the presence of a debugger. If the system passes, Macransom creates a startup entry in Library/LaunchAgents/com.apple.finder.plist, to maintain persistence. It then copies the original executable to Library/.FS_Store and changes the time stamp to hinder forensic efforts. MacRansom comes equipped with a "trigger time" that allows it to delay the encryption process until a time and date criteria has been met. It uses symmetric encryption to encrypt files and contains a hard-coded key, which eliminates the need to communicate with a C2 server. After the targeted files are encrypted, MacRansom encrypts the startup entry as well as the initial executable file and deletes them to prevent analysis. The ransom payment demand is 0.25 Bitcoin.

Ransom note file names:
_README_

Email addresses associated with MacRansom:
getwindows@protonmail.com

  • Fortinet provides more information about MacRansom here.
  • The NJCCIC is not currently aware of any free decryption tools available for MacRansom.

Image Source: Fortinet