Former NSA security expert builds ransomware blocker for Mac

The utility scans for untrusted processes that are encrypting personal files, and stops them dead.

​RansomWhere? ransomware blocker for Mac

RansomWhere? ransomware blocker for Mac

[UPDATE: There are reports circulating that this utility has been circumvented.]

Ransomware - malware that encrypts your data and then demands a fee to unlock the data - is on the increase. A former NSA security expert has built a free, generic ransomware blocker for Mac.

The utility - called RansomWhere? - has been developed by Patrick Wardle, a former NSA security expert who now leads research at crowdsourced security intelligence firm Synack.

The utility works by detecting the behavior associated with ransomware, which means that it should offer protection against both know and unknown threats.

"This tool attempts to generically prevent this [ransomware attacks], by detecting untrusted processes that are encrypting your personal files," writes Wardle. "Once such a process is detected, RansomWhere? will stop the process in its tracks and present an alert to the user. If this suspected ransomware, is indeed malicious, the user can terminate the process. On the other hand, if its [sic] simply a false positive, the user can allow the process to continue executing."

False positives are kept to a minimum because RansomWhere? explicitly trusts binaries signed by Apple (but not by Apple developers). It also trusts applications that are already present on the system when it is installed. This is a double-edged feature - on the one hand it helps reduce false positives, but on the other hand if ransomware is already present on the system before RansomWhere? is installed, it may not be detected.

More details on how RansomWhere? works can be found on Wardle's blog.

ZDNet has tested this utility and can confirm that it does detect and prevent the KeRanger ransomware from encrypting files.

See also:

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All