Mac OS X SMS ransomware - hype or real threat?

Summary: In need of a fresh example that cybercriminals are actively looking for ways to monetize infected Mac OS X hosts? Early-stage discussions at several web forums, including a PoC, offer an insight into the potential to monetize OS X infected hosts using SMS-based ransomware.

In need of a fresh example that cybercriminals are actively looking for ways to monetize infected Mac OS X hosts?

Early-stage discussions at several web forums, including a PoC (proof of concept, source code included) Mac OS X blocker as well as potential GUIs for the ransomware, offer an insight into the potential to monetize OS X infected hosts using SMS-based ransomware.

Is Mac OS X ransomware just hype, or a real threat? Let's take a brief retrospective of the known OS X monetization strategies used by cybercriminals, discuss the ransomware threat on the Windows OS, and go through some pretty self-explanatory GUI layouts proposed for OS X ransomware.

What originally started as a complaint from a single user, who claims to have been victimized by SMS-based ransomware on his Mac OS X, has motivated others not just to come up with possible layouts for an OS X ransomware GUI, but also to release a proof-of-concept blocker.

In its current version, the PoC blocker doesn't extort money; instead, it demonstrates its ability to intercept all attempts to close down and exit the application, with the author and other participants commenting that "although it was built as a PoC, anyone can add additional features including auto-starting features, perhaps even spreading functionality".

Sadly, they are right. And while the attitude commonly shared by the people participating in the discussion is along the lines of "harmless joke having nothing to do with malware", ransomware is virtual extortion: the monetization of disrupting an end user's productivity. Another participant in the discussion is pretty straightforward about his ambitions, saying "Guys, we are ready. Looking forward to it".

Cybercriminals are no strangers to the Mac OS X ecosystem. From Mac OS X affiliate bounties offering 43 cents per infected Mac, the monetization of Mac OS X traffic, the use of pirated application releases, and good old-fashioned social engineering attempts in the form of fake codecs or missing plugins, Mac OS X malware is no longer a myth. Ransomware is perhaps the only segment of malicious software that hasn't been released for Mac OS X so far.

How widespread is the ransomware threat on the Windows OS? Pretty widespread. According to Fortinet's February Threatscape report:

  • Most notable was the number one chart-topping malware variant, HTML/Goldun.AXT, which works by disseminating a binary malware file that downloads the ransomware "Security Tool" and, once executed, locks up applications until a cleansing tool is purchased to restore the computer. While this example accounts for the majority of activity detected this period, the Security Tool ransomware was also distributed through SEO attacks as well.

As in every other malware segment, an epidemic of a particular threat is often triggered by the overall availability of DIY (do-it-yourself) tools, or of managed services allowing novice and would-be cybercriminals easy access to tools and DIY malware kits. Throughout 2009, the cybercrime ecosystem actively developed the SMS-based ransomware market segment, persistently releasing new layouts and adding new features to the ransomware releases available for sale.

The laws of supply and demand fully apply within the cybercrime ecosystem. Therefore, it's only a matter of time before someone starts developing this malware segment, driven either by personal financial gain or by someone else's demand for such a malicious release.

What do you think? Is Mac OS X ransomware a real threat, or hype, with cybercriminals basically experimenting in the short term?

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

71 comments
  • killall -9?

    So this program intercepts all attempts to shut it down? How does it
    respond to UNIX signals? Theoretically, it should be possible to kill any
    process using killall -9 "process name", since it sends the SIGTERM
    signal to that process. Does this somehow elude the SIGTERM signal? If
    so, then this is a potential issue for all UNICES.
    networkassault
    • You can probably kill it

      But it would do you no good (if it's well written at all); your files would be encrypted by then.
      ImaGremlin
      • What's the point of this then?

        Why not just use TrueCrypt or something?
        AzuMao
        • encrypted by the ransomware

          not by the user.
          rtk
          • What's your point?

            Instead of the bad guy making his own program to encrypt the computer, why wouldn't the bad guy use something that already exists such as TrueCrypt?
            AzuMao
          • Why the red herring?

            I can't answer for the bad guy and I doubt anyone here can, unless they are the bad guy.
            rtk
          • This whole story is a red herring.

            There is already a tool out there that could be used for this, and is known to work just fine and dandy.

            Yet someone felt the need to write a whole article about how it might theoretically be possible for him to make his own.
            AzuMao
          • Did you read the article?

            it doesn't appear so.

            Do you understand what ransomware is?
            rtk
          • Yes. Did you?

            Mr. Evil Hacker encrypts your drive and withholds the password until you pay him.

            This has been possible using TrueCrypt since, like, forever.

            So I want to know what the point of this story is.
            AzuMao
          • I don't think you did.

            You seem to be confusing ransomware and encryption software.

            Either that, or you believe development of encryption technology in general stopped the day TrueCrypt was released.

            Regardless, now that your red herring is starting to stink, I'm done with it.
            rtk
          • What do you think it means, then, wise guy?

            Putting up a stupid window on the user's screen that doesn't do anything and can be deleted with a recovery disk?
            AzuMao
          • rtk, you're right

            Yes, after reading this short thread, you're right, rtk: AzuMao has very little understanding of ransomware.
            In the hope of making it clearer: ransomware can render a computer "hard to use" or even unusable by any means (usually by locking down user rights). I don't know why they got stuck on encryption? You can sometimes get functionality back by paying money to the ransomware owners.
            Simple
            a.ross.nz
          • Because that's the only thing that would work for ransom, maybe?

            If they delete all your data, they can't offer to give it back if you pay them.
            If you just install some annoying screen blocker, you can remove it without their help.

            But if they encrypt your data, then unless you had a backup (not connected to the computer), they can say "hey gimme X dollars and I'll give you your data back".


            Or do you two have some secret idea that's too dangerous to post?
            AzuMao
          • Too literal, maybe

            In most cases your data isn't lost after a ransomware app has been installed; usually booting off a boot CD/USB drive, copying your data off, then reinstalling the OS and all your apps, then copying back will fix it, but most people either can't or don't want to do that when paying $10 can fix it.
            A lot of these apps "act" like antivirus software and offer to "fix" what ails you for very little (that they have caused), from things like random restarts to just running really slow; people sometimes pay because they just don't know any better.
            You don't need to encrypt a whole drive to extort money, and from a legal standpoint you might be in less trouble if the data is fine and the computer becomes hard to use, compared to forcing people to pay for their data back!
            a.ross.nz
          • That would be like..

            ..calling someone's parents one morning and telling them you have their kid and want $$$$ in return, when really he's just sleeping in.
            AzuMao
          • ....And they locked his/her bedroom door

            kind of is, but more the kid's out playing
            a.ross.nz
          • Locking the door would be analogous to encryption.

            AzuMao
          • Ok

            Ok, you win, encryption is the only way to extort money from people
            a.ross.nz
          • Wrong.

            There are many other ways, like threatening to hurt them, or threatening to reveal secrets about them. And variations replacing "them" with their
            family/friends/colleagues/neighbors/pets/etc.


            Making a harmless change to their computer that they can trivially undo themselves just isn't one of those.
            AzuMao
          • How many

            How many times, on how many threads, by how many people do you need
            to be called a micro-encephalic troll before you gain a little reticence?

            That said, just as a side note, I think it is clear that, as you have in
            other threads, you have changed your original message midstream
            when caught in an error, and then employ revisionist history and
            sleight of hand to make it seem like you got it from the first.
            Sorry, but even though your current posts indicate that you do
            understand (finally) what is being discussed, your initial post just as
            readily shows that you initially did not.

            Why not use truecrypt? Well, being that the original POC in question
            did NOT even attempt to encrypt the user's data, but rather just
            warned them, and then just demonstrated its ability to prevent being
            closed down, what good would an encryption procedure do?

            "In its current version, the PoC blocker doesn't extort money, instead
            it demonstrates its ability to intercept all attempts to close down and
            exit the application, with the author and other participants
            commenting that 'although it was built as a PoC, anyone can add
            additional features including auto-starting features, perhaps even
            spreading functionality'."
            SpiritusInMachina
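The signal question networkassault raised earlier in the thread (does a blocker that "intercepts all attempts to close it" survive killall, and what does -9 actually send?) can be checked directly. This is an added example, not code from the article or from the forum PoC: a child process installs a do-nothing SIGTERM handler, the parent confirms the child survives SIGTERM (the default signal sent by killall), then sends SIGKILL (what killall -9 sends), which no user-space handler can intercept. The function names are this example's own, and it assumes a POSIX system (macOS or Linux).

```python
import os
import signal
import time


def child_that_traps_sigterm(ready_fd: int) -> None:
    """Child side: swallow SIGTERM, report readiness, then idle forever."""
    # A handler that does nothing: SIGTERM is delivered but has no effect.
    signal.signal(signal.SIGTERM, lambda signum, frame: None)
    os.write(ready_fd, b"r")  # tell the parent the handler is installed
    os.close(ready_fd)
    while True:
        signal.pause()  # sleep until a signal arrives; after SIGTERM just loop again


def child_is_running(pid: int) -> bool:
    """True while the child has not exited (WNOHANG returns pid 0 for a live child)."""
    wpid, _status = os.waitpid(pid, os.WNOHANG)
    return wpid == 0


def run_demo() -> dict:
    """Fork a SIGTERM-trapping child, hit it with SIGTERM, then with SIGKILL."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(read_fd)
        child_that_traps_sigterm(write_fd)
        os._exit(0)  # not reached; guards against falling into the parent's code
    os.close(write_fd)
    os.read(read_fd, 1)  # block until the child's handler is in place (avoids a race)
    os.close(read_fd)

    os.kill(pid, signal.SIGTERM)  # what a plain `killall name` sends
    time.sleep(0.2)               # give the kernel time to deliver it
    survived_sigterm = child_is_running(pid)

    os.kill(pid, signal.SIGKILL)  # what `killall -9 name` sends; cannot be caught or ignored
    _wpid, status = os.waitpid(pid, 0)  # reap the child and read how it died
    died_from_sigkill = os.WIFSIGNALED(status) and os.WTERMSIG(status) == signal.SIGKILL
    return {"survived_sigterm": survived_sigterm, "died_from_sigkill": died_from_sigkill}


if __name__ == "__main__":
    print(run_demo())  # expected: both values True
```

The practical consequence for responders: a screen blocker can refuse to quit and can ignore SIGTERM, but SIGKILL from `kill -9`, `killall -9` or Activity Monitor's Force Quit still terminates it, which is why the thread's distinction between a blocker and data encryption matters.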