Ransomware is the most vicious cyber threat currently affecting thousands of users worldwide. Windows users are hit hardest, targeted by both sophisticated and simplistic ransomware families, but OS X and Linux users are not spared either: ransomware aimed at those operating systems is also being deployed.
While cybercriminals invent new infection methods and write improved malicious code, security researchers keep establishing new ways of protection. RansomWhere? is one such example: an application written specifically for OS X that identifies ransomware-like behavior by detecting the creation of encrypted files. RansomWhere? also stops any suspicious or unknown process doing so and warns the user. Note that the tool is compatible with OS X 10.8+, and its current version is 1.2.5.
RansomWhere? Official Description
This is how the creator of the app – Patrick Wardle a.k.a. Objective See – describes his work:
- RansomWhere? is a utility with a simple goal: generically thwart OS X ransomware. It does so by identifying a commonality of essentially all ransomware: the creation of encrypted files. Generally speaking, ransomware encrypts personal files on your computer, then demands payment (the ransom) in order for you to decrypt your files. If you fail to pay up, and don’t have backups of your files, they may be lost forever – that sucks!
- This tool attempts to generically prevent this, by detecting untrusted processes that are encrypting your personal files. Once such a process is detected, RansomWhere? will stop the process in its tracks and present an alert to the user. If this suspected ransomware is indeed malicious, the user can terminate the process. On the other hand, if it’s simply a false positive, the user can allow the process to continue executing.
It is worth mentioning that Objective See is the personal project of Mr. Wardle, co-founder of Digita Security. All tools published on Objective See were originally created by him to help secure his own Mac. That being said, users who plan to use RansomWhere? should keep in mind that it is a new tool based on new research: even though efforts have been made to make it bug-free, bugs may still appear. That is why the researcher encourages users to contact him whenever they find an issue with RansomWhere?.
So, How Does RansomWhere? Work?
As already said, the tool detects the creation of encrypted files. How? By closely monitoring the user’s local file system for the encryption of multiple files, and by temporarily suspending any untrusted or unknown process that creates large numbers of encrypted files. The program then asks the user to verify and approve its action.
Once the program is installed and launched (instructions are available on Objective See’s page), it will attempt to block any suspicious process seen to quickly create encrypted files. Specifically, the tool suspends the suspected process and alerts the user.
However, because RansomWhere? works on a heuristic basis, false positives are also possible: the tool may flag a legitimate app, such as an encryption tool that protects sensitive information.
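To make the heuristic concrete, here is an added Python sketch of the detection logic the article describes (this is not RansomWhere?’s own code, which is a native OS X application): per-file entropy as the “encrypted file” signal, a per-process count that triggers suspension, an allow-list for trusted processes, and the user’s allow/terminate decision that resolves a false positive. Process names, paths, sample file contents and thresholds are assumed for illustration.

```python
# Toy model of the RansomWhere? heuristic: a process that rapidly writes
# high-entropy (likely encrypted) files is suspended until the user decides.
import math
import random
from collections import defaultdict

ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext and compressed data approach 8.0
MIN_SIZE = 1024           # tiny files give unreliable entropy estimates
FILE_THRESHOLD = 3        # suspend once one process has written this many encrypted files

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(data: bytes) -> bool:
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD

class RansomwareHeuristic:
    def __init__(self, trusted):
        self.trusted = set(trusted)          # user-approved tools (e.g. a real encryption app)
        self.encrypted_files = defaultdict(list)
        self.suspended = set()

    def observe_write(self, proc, path, data):
        """Feed one file-write event; returns (proc, files) when proc gets suspended."""
        if proc in self.trusted or proc in self.suspended or not looks_encrypted(data):
            return None
        self.encrypted_files[proc].append(path)
        if len(self.encrypted_files[proc]) >= FILE_THRESHOLD:
            self.suspended.add(proc)         # the real tool would SIGSTOP the process here
            return (proc, list(self.encrypted_files[proc]))
        return None

    def user_decision(self, proc, allow):
        """'allow' resumes and trusts proc (false positive); 'terminate' keeps it stopped."""
        self.suspended.discard(proc)
        if allow:
            self.trusted.add(proc)
            return "resumed"
        return "terminated"                  # the real tool would kill the process here

# Constructed sample data: ciphertext-like random bytes vs. plain document text.
CIPHERTEXT = random.Random(1).getrandbits(8 * 4096).to_bytes(4096, "big")
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat.\n" * 100
```

A real implementation would also need to watch the file system itself (RansomWhere? does this natively) and to know which processes are trusted without asking, which is exactly where the false positives the article mentions come from.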
Users who plan to run the app on their OS X machines should note that RansomWhere?’s alerts display two important pieces of information:
- the process suspended by the tool;
- the list of encrypted files created by the process.
If the user trusts the process, they can simply click the ‘allow’ button; if they do not recognize it, they should click ‘terminate’.
[Image omitted; source: Objective See]
A similar tool for Linux is CryptoStalker, recently created by Sean Williams.
If you are a Windows user and wish to improve your protection against ransomware such as CTB-Locker, Locky and TeslaCrypt, consider installing the free Bitdefender Anti-Ransomware. Learn more in the Bitdefender Anti-Ransomware software review.