Ransomware is a major threat in cyberspace today. It is constantly targeting organizations of all sizes. Attackers are always changing tactics to increase their potential target list and increasing their trading skills to ensure they succeed.
have affected a variety of systems and industries. It is crucial to be able to distinguish between ransomware across different platforms and systems in order to protect hybrid devices as well as working environments.
, unlike other platforms relies heavily on users’ assistance. For example, you can download and run trojanized software to infect your computer.
Examining Ransomware’s TTPs
Ransomware attacks involve the attack on a target computer. The attackers then execute ransomware, encrypt files and notify the victim of the ransom request and payment.
To achieve these goals, malware developers take the following steps:
- Abuses legitimate functionalities
- You can use a variety of techniques to attack vulnerabilities
- Evade defenses
- Forcing users to infect devices
Microsoft has analysed the following four Mac ransomware family:
Ransomware must know which files they should encrypt to have the best chance of succeeding. Using ransomware groups enumerate directories and files in a variety of ways on Mac, as shown below:
- Use the Find binary
- Library functions closedir, readdir and opendir can be used
- Use Objective-C’s NSFileManager class
Malware creators have one primary objective: to prevent the automatic analysis of files either by a human analyst or an automated system.
There are two options for detecting ransomware: hardware-based or special codes.
Hardware-based checks can be described as:
- How to check the hardware model of a device
- Verifying the physical and logical processors on a device
- Verify the MAC OUI (Microwad) of your device
- Verify the CPU and RAM count of your device
The following are some of the codes that need to be checked:
- Execution delayed
- PT_DENY_ATTACH (PTRACE)
- Flag P_TRACED
- Checks that are time-based
Malware often uses persistence to ensure it runs even after the system is restarted.
Both the MacRansom and EvilQuest ransomware families have used persistence techniques, according to Mac ransomware family analysis.
These malware families employ a range of persistence methods to keep their presence in systems. We have listed the following persistence methods:
- Launch agents and launch daemons:
- Using kernel queues
We have found many similarities between the persistence and anti-analysis techniques used by ransomware families we examined. However, there is a significant difference in encryption logic among these ransomware family.
In many cases, encryption is done with . However, other methods are available such as system utilities or custom algorithms.
There are many ways to encode data. You can add a patch or delete the file, and create a new one. EvilQuest implements in-memory execution using the following APIs.
- NSCreateObjectFileImageFromMemory – used for creating an object file image from the data present in memory
- NSLinkModule – used to link object image files
- NSLookupSymbolInModule – used for looking for a specific symbol
- Use NSAddressOfSymbol to find the address for the symbol
You can mitigate ransomware attacks with defenses by following these mitigation steps.
- Install apps only from the official software platform app store.
- You can protect privileged resources through limiting access.
- Make sure your web browser supports Microsoft Defender SmartScreen such as Microsoft Edge.
- Install the most recent versions of your applications and operating system to keep them up-to date.
- Make sure that you have Microsoft Defender for Endpoints installed on your Mac.
Secure Web Gateway, Web Filter Rules Activity Tracking and Malware Protection.