Apple computers haven’t been impacted by ransomware, a pervasive and insidious class of malware that encrypts files on a computer in exchange for a ransom.
That’s not because Apple’s operating system is any more secure than Windows; it’s more that malware writers haven’t gotten around to writing ransomware for OS X since infecting Windows machines has been so profitable.
However, a Brazilian security researcher, Rafael Salema Marques, decided to show how easy it would be for malware writers to target OS X in a polished experiment that took him a couple of days.
It’s not the first time security researchers have tried their hand at writing ransomware for Macs. In September, OS X security expert Pedro Vilaca posted proof-of-concept code on GitHub for his Mac ransomware.
Marques hasn’t released the full code for his project, called Mabouia, but he has shared it with Apple and Symantec, which confirmed in a blog post that it works as advertised.
Marques also created a tongue-in-cheek mock website landing page for those who are supposedly infected.
The website purportedly offers tiered service plans: the “Not As Important” plan, which costs US$50, is good for recovering 20 files. Full decryption of all files costs $100.
It’s quite funny, but ransomware is no joke, and it has affected companies and consumers in devastating ways.
The FBI said in June that it had received 992 complaints through its Internet Crime Complaint Center about the infamous Cryptowall ransomware over a one-year period. Victims reported losses of more than $18 million.
Fees to get the decryption key can range from a few hundred to thousands of dollars, and the cybercriminals behind the scams have been known to not release the key even if they’re paid.
Marques published a video showing how the malware works, but he didn’t specify how a user would actually get infected, which is usually a much harder task than developing the malware.
Patrick Wardle, an OS X security expert with Synack, said it is likely that if users encounter Mac ransomware, they would have to be tricked into running it, a kind of technique known as social engineering.
Apple uses a security technology called Gatekeeper that will block apps from running that aren’t in its Mac App Store or are from identified developers. It basically helps save people from themselves if they are fooled, Wardle said.
But Wardle has found ways around Gatekeeper in the past through software flaws that are now patched by Apple. His expertise though is far beyond that of a ransomware writer, but there’s an easier infection route.
Hackers could try to buy a developer’s certificate from Apple, which costs $99, to digitally sign the ransomware so Gatekeeper wouldn’t stop it. But Wardle said Apple usually quickly revokes certificates that end up in the wrong hands.
Still, the experiments by Marques and Vilaca show how easy it would be for ransomware writers to diversify if they wanted to.
“I’m sure we will see more Mac ransomware,” Wardle said.