Microsoft has shed light on four different ransomware families – KeRanger, FileCoder, MacRansom, and EvilQuest – that are known to impact Apple macOS systems.
"While these malware families are old, they exemplify the range of capabilities and malicious behavior possible on the platform," the tech giant's Security Threat Intelligence team said in a Thursday report.
The initial vector for these ransomware families involves what the Windows maker calls "user-assisted methods," whereby the victim downloads and installs trojanized applications.
Alternatively, it can also arrive as a second-stage payload that is dropped by malware already present on the infected host, or as part of a supply chain attack.
Regardless of the modus operandi employed, the attacks proceed along similar lines, with the threat actors relying on legitimate operating system features and exploiting vulnerabilities to break into the systems and encrypt files of interest.
This includes the use of the Unix find utility as well as library functions like opendir, readdir, and closedir to enumerate files. Another method identified by Microsoft, but not adopted by the ransomware strains, involves the NSFileManager Objective-C interface.
KeRanger, MacRansom, and EvilQuest have also been observed to use a combination of hardware- and software-based checks to determine whether the malware is running in a virtual environment, in an attempt to resist analysis and debugging.
KeRanger, notably, employs a technique known as delayed execution to evade detection. It achieves this by sleeping for three days after launch before kick-starting its malicious functions.
Persistence, which is essential to ensuring that the malware runs even after a system restart, is established via launch agents and kernel queues, Microsoft pointed out.
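Launch agents are one of the two persistence mechanisms named above, and they are also the easier one for a defender to audit, because each job is a plist file on disk. The following is an added example, not code from Microsoft's report or from any of the malware families discussed: it parses a launchd agent plist and flags the properties that matter when triaging persistence (a RunAtLoad program outside the usual system and application directories, a program hidden in a dot-directory, and KeepAlive, which makes launchd respawn the job). The sample plists, their labels and their paths are constructed for illustration and do not correspond to any real sample; kernel-queue persistence is not covered here.

```python
# Added example: triage a launchd LaunchAgent plist for persistence indicators.
# Not Microsoft's or the article's code; sample plists below are constructed.
import plistlib
from pathlib import PurePosixPath

# Directories from which a RunAtLoad program is normally expected to run.
# Assumption for this example; tune to the fleet's own baseline.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/",
                    "/bin/", "/sbin/")

# Constructed sample: a job that runs at login from a hidden user directory
# and is kept alive. Label and path are invented placeholders.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/alice/Library/.hidden/updater</string>
        <string>--quiet</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: a job pointing at an app bundle in /Applications.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.helper</string>
    <key>Program</key>
    <string>/Applications/Example.app/Contents/MacOS/helper</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""


def program_path(plist):
    """Return the executable launchd would run: Program takes precedence,
    otherwise the first element of ProgramArguments."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def assess_launch_agent(raw):
    """Parse a launchd plist and return a list of human-readable findings.
    An empty list means nothing in the job stood out."""
    plist = plistlib.loads(raw)
    findings = []
    path = program_path(plist)
    if path is None:
        findings.append("no program specified")
        return findings
    if plist.get("RunAtLoad") and not path.startswith(TRUSTED_PREFIXES):
        findings.append(f"RunAtLoad program outside trusted locations: {path}")
    if any(part.startswith(".") for part in PurePosixPath(path).parts):
        findings.append(f"program lives in a hidden directory: {path}")
    if plist.get("KeepAlive"):
        findings.append("KeepAlive set: launchd will restart the job if it exits")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(f"{name}: {assess_launch_agent(raw) or ['no findings']}")
```

On a live system the same function can be run over every file in `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`, reading each with `open(path, "rb")`; the findings are triage hints rather than verdicts, since legitimate third-party agents also use RunAtLoad and KeepAlive.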
While FileCoder uses the ZIP utility to encrypt files, KeRanger uses AES encryption in cipher block chaining (CBC) mode to achieve its goals. Both MacRansom and EvilQuest, on the other hand, leverage a symmetric encryption algorithm.
EvilQuest, which was first uncovered in July 2020, further goes beyond typical ransomware to incorporate other trojan-like features, such as keylogging, compromising Mach-O files by injecting arbitrary code, and disabling security software.
It also packs in capabilities to execute any file directly from memory, effectively leaving no trace of the payload on disk.
"Ransomware continues to be one of the most prevalent and impactful threats affecting organizations, with attackers constantly evolving their techniques and expanding their tradecraft to cast a wider net of potential targets," Microsoft said.