Fortinet experts have discovered on the darknet the first ransomware-as-a-service (RaaS) offering aimed at Mac users. The malware encrypts files on disk and demands money to unlock them.
Ransomware services offered for a share of the revenue give criminals who lack the skills to write the code themselves a way into the ransomware business. Such services have been available for Windows since last year, but until now the Mac had no dedicated "ransomware for dummies" offering.
The first entry in this category is called MacRansom and is advertised on a Tor web portal as "the most sophisticated ransomware for Mac of all time". The second one is called MacSpy (OS X RAT as a Service) and is designed to spy on Mac users.
Security researchers were able to study samples of the two new Mac malware families, which have been offered for rent on underground resources for three weeks.
MacSpy offers Mac spyware under the "malware as a service" (Malware-as-a-Service, MaaS) business model. The second resource, MacRansom, rents out ransomware under what has already become the classic "ransomware as a service" (Ransomware-as-a-Service, RaaS) scheme. Both pieces of malware were created by the same developer.
Both resources are "closed": to discuss obtaining a demo version of the software, potential clients must communicate directly with the author. Experts at Bleeping Computer were unable to obtain it, but researchers from Fortinet and AlienVault still ended up with samples of MacRansom and MacSpy respectively.
The researchers analyzed the malware and came to the same conclusion: the author is an inexperienced developer. Despite building the MaaS portal, he paid little attention to the quality of his product; for example, MacSpy code was copied from Stack Overflow. Neither MacSpy nor MacRansom carries a digital signature, so attempting to run them on macOS with default settings triggers security notifications.
MacRansom can encrypt no more than 128 files. According to the experts, this means the code used by this service is more primitive than other known specimens. Nevertheless, MacRansom successfully encrypts files and hinders investigation. In addition, the ransomware stops running when it detects a debugger, when the code is run in an environment other than macOS, and when it detects a second CPU.
Victims of MacRansom receive a ransom demand of 0.25 Bitcoins (about $700) with a one-week deadline, after which the files will be deleted. Notably, MacRansom does not connect to a C&C server, and therefore there is no way to recover the encrypted files.
As for MacSpy, its free version allows you to record keystrokes, save screenshots and copy files that sync with iCloud.
At present, no malicious campaigns using the aforementioned programs have yet been recorded. This is probably due to the complex process potential customers must go through before they get the software.