The first instance of ransomware-as-a-service has been discovered on the Dark Web
Many macOS users thought they were safe from the fury of ransomware attacks – after all, Apple enjoys a great reputation for security – but security researchers have found traces of ransomware provided through a ransomware-as-a-service (RAAS) portal.
As far as Windows systems are concerned, ransomware-as-a-service (RAAS) attacks have been around for quite a while now. This is purely down to the fact that Windows is the most widely adopted OS globally. Granted, macOS offers a more secure platform compared to Windows OS, but contrary to popular belief, that doesn’t mean that Apple systems are safe from threats. No system in the world is 100% secure and macOS is no different.
However, this is believed to be the first case of macOS being targeted via service portals on the Dark Web. The ransomware-as-a-service portal allows wannabe cyber criminals with limited or zero coding skills to attack systems and earn a quick buck. From afar, it appears to be a highly lucrative option. Therefore, it wouldn’t even be surprising to see high school kids having a go at it. All these budding miscreants have to do is contact the author on the Dark Web, retrieve the malicious code and spread it via spam emails.
Once the targeted files are encrypted, MacRansom also encrypts com.apple.finder.plist and the original executable. Recovery tools prove to be useless because it alters the Time Date Stamp.
The victim is given 7 days to pay the ransom. They must pay 0.25 bitcoins (around $700) in one week or else the encrypted files will be destroyed. To get the files decrypted, MacRansom requires the victim to contact an email address. On receiving payment from the victim, the perpetrator must pay 70% of the money to the author and he/she gets to keep 30% as the profit.
Initially, this was considered to be a big, loudmouthed scam by the research team of security firm Fortinet. The “customers” had to contact the developer instead of downloading the malicious files directly. To find out more, the Fortinet research team tried contacting the author by pretending to be a middle-man and, astonishingly, they got a reply from the developer. They found MacRansom on a TOR web portal. It proclaims itself ‘the most sophisticated Mac ransomware ever.’
Sophisticated? Not so much.
MacRansom can encrypt only 128 files in one go using a symmetric encryption technique. This puts a significant restraint on its impact as well as on its magnitude. The researchers at Fortinet have described the attack as far inferior to the prevalent ransomware attacks on Windows OS. However, ignoring it is certainly not an option as it is still capable of encrypting valuable information.
It is not the only “service” posing a threat to Apple users, either. MacSpy, a malware-as-a-service (MAAS) attack, is a piece of trojan spyware targeted at Mac users. MacSpy can be found by following the same process. The same developer is believed to be behind MacSpy.
The free variant of the RAT is used to keep tabs on the targeted computers. The cyber attackers record the activities of the user by employing tactics such as keylogging, voice recording, intercepting the data transferred to cloud storage and capturing screenshots periodically.
A paid version of MacSpy is also reported to exist. However, it is still unclear how many bitcoins it costs. This version is said to cause substantially more damage than the free variant. MacSpy is supposed to be in beta test mode and therefore, it is not widespread at this point.
Explaining the reason behind these so-called “services,” the authors give credit to the rising numbers of users adopting Mac. Stating the reason for creating MacSpy as a service, they cite an absence of “sophisticated malware for Mac users”.
At this point, these attacks don’t represent much in terms of their scale and severity, but they might be the harbinger of things to come.