No sooner do I detail the tools available from Objective-See, than Patrick Wardle provides us with a new one, RansomWhere?, now available for download, and as free as his others are.
Generically, ransomware is malware which is designed to extort money from you. If you don’t pay its perpetrators, then it does nasty things to your Mac. The current crop of ransomware does this by encrypting the files on accessible drives, using a key which is known only to the perpetrators. Pay up – normally well over £/$/€ 100 – and you will be informed of the password, so that you can decrypt the files and use your Mac again.
This poses the insoluble problem of what to do. If you pay up, you should get your Mac back, but you will be encouraging the ransomware authors by rewarding them; if you don’t pay up, you face a great deal of time and work to recover your Mac and your documents before you can resume life as normal.
The best way to deal with ransomware is, of course, not to get infected by it in the first place. But malware doesn’t only affect those who cruise dangerous sites or use torrents: you could be exposed even if you are fastidious about the sites which you visit.
To date, most ransomware attacks have occurred on PCs, but OS X strains are around and it is quite possible that your Mac will be attacked. Until today, there wasn’t really a great deal that you could do apart from wiping everything and starting from scratch: ransomware is surprisingly difficult to detect until it announces its presence, by which time it is too late.
Objective-See’s RansomWhere? sits quietly in the background, watching for untrusted apps which are encrypting files in your Home folder. If it finds something suspicious, it pops up an alert to let you know. This informs you of the name of the task which is doing the encryption, and the files which were about to be encrypted. You are then given the option of terminating that task, or allowing it to run. If you allow it to run, RansomWhere? adds that task to its trusted list, and will allow it to run uninterrupted in the future – valuable when you do want to encrypt files.
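To make that approach concrete, here is an added example of the kind of heuristic such a monitor can use; it is not Objective-See’s code, which is not reproduced here. It assumes that encrypted output looks like high-entropy data, that an untrusted process writing several such files under the Home folder is suspicious, and that processes the user approves go onto a trusted list; the home path, threshold, process names and file contents are all constructed for the demonstration.

```python
import math
from collections import defaultdict

HOME = "/Users/example"  # constructed home folder path (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: encrypted or compressed data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareMonitor:
    """Flags an untrusted process that writes several high-entropy files under HOME."""

    def __init__(self, trusted=(), entropy_threshold=7.5, max_files=3):
        self.trusted = set(trusted)            # tasks the user has allowed to encrypt
        self.threshold = entropy_threshold     # assumed cut-off for "looks encrypted"
        self.max_files = max_files             # how many such files before alerting
        self.suspect_files = defaultdict(list)  # process -> encrypted-looking files

    def on_write(self, process: str, path: str, data: bytes):
        """Return the files to show in an alert, or None if nothing is suspicious yet."""
        if process in self.trusted or not path.startswith(HOME + "/"):
            return None
        if shannon_entropy(data) < self.threshold:
            return None
        self.suspect_files[process].append(path)
        if len(self.suspect_files[process]) >= self.max_files:
            return list(self.suspect_files[process])
        return None

    def allow(self, process: str) -> None:
        """User chose 'allow': remember the task so it runs uninterrupted in future."""
        self.trusted.add(process)
        self.suspect_files.pop(process, None)


if __name__ == "__main__":
    monitor = RansomwareMonitor(trusted=["gpg"])
    encrypted_looking = bytes(range(256)) * 16  # constructed, entropy exactly 8.0
    for name in ("report.docx", "photo.jpg", "notes.txt"):
        alert = monitor.on_write("unknown-task", f"{HOME}/{name}", encrypted_looking)
        if alert:
            print("Alert: unknown-task encrypting", alert)
```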
One word of caution: if you want to use RansomWhere? to protect your Mac, you will need to leave it running before any ransomware attack. Once the ransomware is already at work encrypting your files, RansomWhere? is unlikely to be able to detect it and give you the chance to regain control.
I have been testing a beta version of RansomWhere? for over a week now. Strangely, I had just uninstalled it (to test that removal worked) when I was hit by scareware last Sunday, but very quickly re-installed it. There is no perceptible performance penalty, I experienced no false alarms, and it did not reveal any conflicts or glitches.
You can read more about ransomware, including an excellent history, and how RansomWhere? works, in Patrick’s article about it.