According to AppleInsider, a new ransomware called "Turtlerans'' has been found for macOS. While there's no need to panic, taking precautions and avoiding compromising your Mac is essential. Discovered by Objective-See, this ransomware works with Windows and Linux and has recently targeted macOS. Your Mac can likely block the attack, but if successful, Turtlerans follows typical ransomware steps such as reading, encrypting, renaming, and overwriting original files. Interestingly, it's relatively easy to decrypt. The concern is not immediate data theft but the focus on macOS.
"Turtle" Ransomware
A recently discovered sample of macOS malware is part of a growing trend of attacks on Apple's system, reflecting increased interest from malware producers. However, the current state of this "Turtle" ransomware suggests it's not a significant threat to the average Mac user.
Patrick Wardle from Objective-See conducted an analysis revealing that this macOS malware has all the ransomware components but only seems to pose a risk to those actively seeking to be infected. Its name, "Turtle," comes from the code written in Go. Internal references such as "Turtlerans" and "TurmiRansom," along with files labeled "TurtleRansom," made it straightforward to name this malware.
The sample's zip file analysis shows that the malware is designed for various platforms like Windows, Linux, and macOS. Surprisingly, the macOS .pkg files that were not packaged are executable for both Intel and Apple Silicon Macs. Furthermore, it was discovered that the malware was initially created for Windows and later adapted for macOS. Windows references led to a high detection rate of 24 out of 62 security vendors on VirusTotal within just two days, an uncommon occurrence for macOS malware to achieve.
Malware Testing
Upon examination of the malware, it was discovered that the code is signed, allowing it to run on macOS. However, because it's signed ad-hoc and not notarized, macOS Gatekeeper is expected to prevent its execution unless users explicitly allow it, though it might also be deployed through some form of exploit. Efforts to extract embedded strings were successful, as there were no apparent attempts to hide them. These strings revealed components for setting up a relatively simple ransomware structure. The encryption, done using a Go crypto/AES library, made it easy to retrieve the ransomware key with a strategically placed breakpoint. The same hardcoded key was also identified in the computer's memory.
Explaining the simplicity of the decryption process, Wardle notes that since AES is symmetrical and the key is hard-coded, it's straightforward to create and test a decryptor.
Apple Measures
According to the report, the average macOS user is unlikely to be affected by this particular macOS sample. Gatekeeper, a security feature, would typically prevent the malware from encrypting files unless users intentionally bypass the security step, which is an uncommon setup, or the malware is executed through another exploit. Apple has proactively implemented System Integrity Protection (SIP) and read-only system volumes to safeguard core OS files against ransomware attacks. Additionally, protections like TCC for user files in secure directories help limit the impact of ransomware. While most Mac users may not face significant risks from Turtle ransomware, its existence raises concerns, notes Wardle, and underscores the need for discussions on detecting and preventing such malware and attacks on macOS.
How To Protect Yourself From Turtle Ransomware
Staying safe from Turtle ransomware doesn't require much effort from users. Good computing practices are critical, like paying attention to Gatekeeper and other macOS security prompts, downloading software from trusted sources, and avoiding opening files from unknown email sources. Being cautious online can help protect most people from ransomware or other threats.
RELATED ARTICLE: Cyber Attack' Twitter, Netflix, Reddit, Spotify Down With New Weapon