Ex-NSA security expert develops generic Mac ransomware blocker

An Apple security expert has developed a free-of-charge standalone ransomware defense tool for OS X. Patrick Wardle, a former NSA staffer who now heads up research at crowdsourced security intelligence firm Synack, has built RansomWhere?, a generic ransomware detector. The utility works by suspending untrusted processes that …

  1. Adam 1

    the chicken or the egg

    The next ransomware will simply suspend the ransomwhere process or use simple social engineering tricks to get the user to uninstall ransomwhere.

    1. stizzleswick

      Re: the chicken or the egg

      Funny idea here... the ransomware might just encrypt the blocker's binaries, wait for the next reboot, then go on its merry way, since the app binaries are not stored inside user directories. So Ransomwhere would be easily encrypted (user-installed apps not being write protected nearly as well as Apple's bunch of cruft that comes with the OS) without itself noticing, making it unable to be loaded on reboot.

      So the ransomware blocker should probably also be looking in the Applications folder, at least.

      I do appreciate the effort here, but it looks rather half-assed to me.

      1. John Robson

        Re: the chicken or the egg

        It's not as if he claims any particular self protection - in fact he explicitly says that anything designed against it would probably work...

        It's a first step, and should be an embarrassment to the current 'black list' discovery style of security software. It really is time that we had whitelists by default...

        1. Bob Dole (tm)

          Re: the chicken or the egg

          >>It really is time that we had whitelists by default...

          How do you propose implementing such a thing? By using a pop up to ask the *user* if it's really ok to install or run that program?

          Whitelists don't work because people can't be bothered to actually read the messages that do show up on their computer. Most people don't care what a pop up says, all they care about is which button they have to click to make it go away.

          So, John, who would you have creating the whitelists?

  2. Thomas Allen

    For Windows machines, look into CryptoPrevent by FoolishIT dot com.

  3. allthecoolshortnamesweretaken

    Mac users aren't ignored. It's just that they aren't a market yet.

    I can't tell if this is statistically valid, but all the Mac users I know (about a dozen, all of them working 'something in media' jobs, most of them freelance) still tell me something along the lines of 'Oh, I don't need to worry about computer security, I have an Apple, that's only a problem if you use Windows' every time the topic comes up.

    1. Anonymous Coward

      That isn't exactly helped by organisations like LibreOffice only using a developer code for the main (US language) binary, but generating language packs (such as en-GB) without it, so you're either having to remain using US English, or hope that the site hasn't been infected and run an untrusted binary to update it to your own language.

      Not good, and not helping.

      I don't have any Microsoft or Adobe software on the machine which removes a sizeable chunk of attack surface, but I've never bought into the assertion that somehow an OS is safe because it's not Windows. I hear this of new Linux users as well, and they get rather annoyed when I ask them to prove it (hey, I'm a BOFH :) ). I recall the early days of Slackware where it wasn't even hard to root a box on remote :).

      Any platform can be made safe. The difference lies in how much effort and resources it takes to establish and maintain an acceptable level of security, and that story starts with the available competence. It makes no sense to promote Linux in an organisation that is wall-to-wall Windows, for instance, because you'd first have to analyse the cost of switching versus the expected benefits.

      It's not as binary a choice as some would want to portray it :).

  4. Anonymous Coward

    A new piece of OS X ransomware.

    Shouldn't that be 'computer' malware?
