26 June 2016, Security, 3 comments

Ransomware. You’ve probably heard it mentioned recently, as some pretty big targets fell victim to it, and, though rare, the Mac has been targeted as well. A few months ago ransomware named KeRanger was found to encrypt user files; when it succeeded, the victim had to pay $400 to have their files unlocked or lose the data forever.

This wasn’t the first and definitely won’t be the last. So how do you protect yourself? Unfortunately, antivirus is probably the least effective tool for detecting and stopping this type of malware. For an antivirus to detect it immediately it would need true heuristics, which no Mac AV uses. By the time it gets a signature update that recognizes the threat, your files may already be encrypted and it’s too late.

Of course, not opening suspicious files goes a long way, and not visiting shady websites generally helps too (though any website can hand out malware through compromised ad networks and other connections it makes). Having a solid backup in place, in case things do go south, is always a good idea. Then I came across RansomWhere? (question mark included in the name) and it sounded like exactly what I was looking for:

“By continually monitoring the file-system for the creation of encrypted files by suspicious processes, RansomWhere? aims to protect your personal files, generically stopping ransomware in its tracks.”

The creator is Patrick Wardle from Objective-See, whom I have mentioned before in regard to another great utility, KnockKnock. So I had to see what this was all about. Mind you, I have not pitted this utility against actual ransomware, so whether it truly works remains to be seen, but I did make a few observations.

The utility can be downloaded here; that page also explains how it works, how to install it, and so on.

Once installed I noticed high CPU usage (normal behavior), and once it was done establishing itself CPU usage dropped so low that it uses fewer resources than any other app or process. Then I just sat back and forgot about it after a few days. There is no menu bar or dock icon, no application that’s always on to remind you everything is ok. Just a process that runs in the background. Then one morning I woke up to a notification from Carbon Copy Cloner: it had failed to perform a clone. I walked to my Mac and noticed RansomWhere? had blocked CCC as it attempted to encrypt some files. So it worked! I allowed CCC to encrypt the files it needed to encrypt and RansomWhere? has respected my choice ever since. Another warning I got was for Plex Media Server, which apparently does some light encryption on/in its own database.
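As an added illustration of the heuristic the quote above describes (this is my own sketch, not RansomWhere?’s code): flag newly created files whose byte entropy looks like ciphertext, block the writing process once it is not trusted and has produced several such files, and remember the user’s decision to allow a process such as CCC or Plex so it is not flagged again. The entropy threshold, the per-process counter and the sample file contents are assumptions made for the example.

```python
import math
from collections import Counter

# Constructed sample contents standing in for newly created files.
# CIPHERTEXT_LIKE is a uniform byte pattern with entropy exactly 8.0, a
# deterministic stand-in for encrypted output (real ciphertext sits near 8).
PLAINTEXT = b"Meeting notes: rotate the backups, check the Plex database.\n" * 40
CIPHERTEXT_LIKE = bytes(range(256)) * 10

ENTROPY_THRESHOLD = 7.0   # assumed: bits per byte above which a file looks encrypted
SUSPICIOUS_FILES = 2      # assumed: block after this many encrypted files from one process


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Plain text and most documents score well below the threshold."""
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


class EncryptionMonitor:
    """Decides, per file-creation event, whether the writing process may continue."""

    def __init__(self):
        self.trusted = set()               # processes the user has approved
        self.encrypted_writes = Counter()  # encrypted files seen per untrusted process

    def allow(self, process: str) -> None:
        """Record the user's choice so the process is never flagged again (as with CCC)."""
        self.trusted.add(process)
        self.encrypted_writes.pop(process, None)

    def on_file_created(self, process: str, data: bytes) -> str:
        """Return 'allow', 'watch' (encrypted file from an untrusted process) or 'block'."""
        if not looks_encrypted(data) or process in self.trusted:
            return "allow"
        self.encrypted_writes[process] += 1
        if self.encrypted_writes[process] < SUSPICIOUS_FILES:
            return "watch"
        return "block"   # a real monitor would suspend the process here and prompt the user


if __name__ == "__main__":
    mon = EncryptionMonitor()
    print(mon.on_file_created("Carbon Copy Cloner", CIPHERTEXT_LIKE))  # watch
    print(mon.on_file_created("Carbon Copy Cloner", CIPHERTEXT_LIKE))  # block
    mon.allow("Carbon Copy Cloner")  # the user approves CCC, as in the post
    print(mon.on_file_created("Carbon Copy Cloner", CIPHERTEXT_LIKE))  # allow
```

The CCC and Plex warnings in the post are exactly this heuristic doing its job on legitimate encryption, which is why a user-approval list is part of the design rather than an afterthought.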

These two examples, along with Patrick’s quality work in the past, have made me a believer in this utility. Again, until it thwarts some actual ransomware it’s hard to say whether this will make a good line of defense. The website is also very clear about the software’s limitations.

Still, I think it’s worth installing: it does not take any noticeable resources and, well, it’s yet another layer of defense, and one can never have enough of those.

Have a look at the above-mentioned link and also check out his other products, which include KnockKnock, Lockdown and Dynamic Hijack Scanner. These tools are all free, so if you think they can help you (or have helped you in the past), consider making a donation so we can keep seeing these awesome utilities in the future as well.

3 thoughts on “Ransomware”

  • 1
    noar on June 28, 2016

    Hi. Glad to have you back!
    Funny to read you vouch for a security product because it has false positives 🙂

  • 2
    Jay on June 28, 2016

    Hi noar! It’s no different than any AV recommendation I’ve made in the past, they all have false positives at some point. I’ll take that any time though if the product works 🙂

  • 3
    Mark on March 16, 2018

    Installed RansomWhere? and it is showing RansomWhere_Installer in the dock. I understand it should not have an icon in the dock. Do you think it may not have finished installing? It’s been over a half hour.
