RansomWhere, the free ransomware detection tool for Mac OS X

Pierluigi Paganini April 21, 2016

The former NSA expert Patrick Wardle has designed RansomWhere, a free ransomware detection tool for the protection of Mac OS X systems.

The number of Ransomware-based attacks has risen in a dramatic way, every week the criminal underground community is presenting new threats with improved features that are causing significant economic losses to every industry.

Everyday security experts are detecting thousands of new ransomware samples, it is necessary a multi-layered approach to protect the systems from emerging threats. The traditional signature-based approach implemented by many antivirus solutions in many cases are not effective against a ransomware that rapidly changes.

Many antivirus vendors are improving their products by implementing behavior-based malware detection system, these solutions monitor for suspicious activities like the access to a large number of files, the use of encryption libraries, encrypting activities implemented by untrusted processes.

Now Mac users have a new defensive tool in their arsenal, it is a free generic ransomware detection tool dubbed RansomWhere.


The tool implements a behavior-based malware detection system specifically designed for ransomware, this means that it continuously monitors the file system for the creation of encrypted files by suspicious processes. The tool was developed by Patrick Wardle, a former NSA expert who now leads a research team at the Synack security firm.

“RansomWhere? detects and blocks ransomware by detecting untrusted processes that are rapidly creating encrypted files. This is inherently reactive; and as such, the ransomware will likely encrypt a few files (ideally only two or three), before being detected and blocked. ” Wardle explained in a blog post.

The RansomWhere tool allows users to rapidly block the processes that are performing suspicious activities, then users have to decide the action to do to protect their system.

The tool works on the concept of “Trust,” it scans Mac apps and binaries that are signed with an Apple Developer ID and not by official Apple certificates.

The expert highlighted that the tool is not effective if ransomware abuses a signed Apple binary. Another limitation is that the tool inherently trusts applications that are already present on the system when it is installed, this means that is the system is already infected  the malware could be not detected.

The expert demonstrated the efficiency of the RansomWhere against a number of threats, including the KeRanger and Gopher which is a proof-of-concept ransomware developed by Pedro Vilaca, last year.

The last limitation of the tool is that isn’t able to monitor activities on documents outside the user’s home directory, this means that sophisticated ransomware could move all the files outside the home directory and encrypt them.

Wardle highlighted the limitations of the tool explaining how it could be circumvented by attackers. The hacker Vilaca has already improved its PoC ransomware Gopher in order to deceive the monitoring operated by the RansomWhere tool.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – RansomWhere, ransomware)

you might also like

leave a comment