One of the most dominating threats in the current cyberspace era is ransomware which is constantly affecting organizations of all sizes. In order to cast a wider net of potential targets, attackers are constantly changing their tactics and expanding their tradecraft to make sure that they are successful.
As a result of ransomware attacks, a wide range of industries, systems, and platforms are being affected. When it comes to protecting hybrid devices and working environments at work today, it is vital to understand how ransomware works across these systems and platforms.
In contrast to other platforms, Mac ransomware tends to rely substantially on user assistance such as downloading and running fake applications or trojanized programs to infect computers.
Unveiling the TTPs of Ransomware
During ransomware campaigns, the attackers typically gain access to a target device, execute the malware, encrypt the files belonging to the target, and inform the target of a ransom demand and request for payment.
The following steps are taken by malware creators in order to accomplish these objectives:-
- Abuses legitimate functionalities
- Devise various techniques to exploit vulnerabilities
- Evade defenses
- Force users to infect their devices
Microsoft analyzed the following four Mac ransomware families:-
- KeRanger
- FileCoder
- MacRansom
- EvilQuest
Technical Analysis
It is important for ransomware to target which files to encrypt in order to gain the greatest amount of success. Based on Microsoft’s observations, ransomware families enumerate files and directories in several different ways on Mac as follows:-
- Using the Find binary
- Using library functions opendir, readdir, and closedir
- Using the NSFileManager class through Objective-C
The primary goal of malware creators is to prevent or evade the analysis of files by either the human analyst or an automated analysis system.
Among the ransomware families discussed above, either hardware-based checks are employed to ensure that the ransomware is not detected, or special code is made to prevent analysis of the ransomware.
As far as hardware-based checks are concerned, they are the following:-
- Checking a device’s hardware model
- Checking the logical and physical processors of a device
- Checking the MAC OUI of the device
- Checking the device’s CPU count and memory size
Among the checks related to the code are the following:-
- Delayed execution
- PT_DENY_ATTACH (PTRACE)
- P_TRACED flag
- Time-based check
It is quite common for malware to use persistence to make sure it continues to run even after the system has been restarted.
The EvilQuest and MacRansom ransomware families, among the Mac ransomware families that have been analyzed, have both utilized persistence techniques.
As a result, these malware families use a variety of persistence techniques to maintain their presence in the system. And here below we have mentioned the persistence techniques:-
- Creating launch agents or launch daemons
- Using kernel queues
There are often similarities in the anti-analysis and persistence techniques of the ransomware families that we have analyzed. There is, however, a difference in the encryption logic between these ransomware families.
The encryption of files is often done using AES-RSA algorithms, while other techniques are used, such as system utilities, XOR routines, or custom algorithms.
The methods for encrypting data vary from adding a patch in place to deleting the original file and creating a new one in its place. As part of its implementation of in-memory execution, EvilQuest uses the following APIs:-
- NSCreateObjectFileImageFromMemory – used for creating an object file image from the data present in memory
- NSLinkModule – used to link the object file image
- NSLookupSymbolInModule – used for looking for a specific symbol
- NSAddressOfSymbol – used to get the address of the symbol.
Recommendation
It is possible for defenses to mitigate the impact of ransomware attacks by taking the following mitigation steps:-
- Do not install apps from sources other than the official app store of the software platform.
- Protect privileged resources by restricting access to them.
- Use a web browser that supports Microsoft Defender SmartScreen, such as Microsoft Edge.
- Keep your operating system and applications up-to-date by installing the latest versions of them.
- On your Mac, make sure you are using Microsoft Defender for Endpoints.
Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book
