This article is more than 1 year old

Ex-NSA security expert develops generic Mac ransomware blocker

RansomWhere? suspends untrusted processes

An Apple security expert has developed a free-of-charge standalone ransomware defense tool for OS X.

Patrick Wardle, a former NSA staffer who now heads up research at crowdsourced security intelligence firm Synack, has built RansomWhere?, a generic ransomware detector. The utility works by suspending untrusted processes that are encrypting files, a hallmark of ransomware attacks, before firing up an alert for users to act upon, as explained here.

Once such a process is detected, RansomWhere? will stop the process in its tracks and present an alert to the user. If this suspected ransomware is indeed malicious, the user can terminate the process. On the other hand, if it's simply a false positive, the user can allow the process to continue executing.

Right now there are only two pieces of working OS X ransomware publicly available, so we'll have to wait and see if RansomWhere? is capable of picking up future extortionware.

Wardle, who has done a lot of work highlighting and pushing for improvements in Apple's security defenses, developed his ransomware protection tool because, in part, it's the sort of thing that security software firms ought to be doing, but aren't.

"I'm really surprised there haven't been more discussions by the commercial security firms," Wardle told El Reg.

For what it's worth, MalwareBytes is working on a similar tool but it's Windows-only. "As always, Mac users seem to get ignored," Wardle added.

Wardle is open about the limitations of his RansomWhere? utility, which is at an early stage of development. For one thing, the tool is inherently reactive, so that "ransomware will likely encrypt a few files (ideally only two or three), before being detected and blocked," as Wardle explains. RansomWhere? only monitors users' home directories so malicious activity outside these directories may go unblocked.

Last, but not least, the protections offered by the tool might be bypassed. "If a new piece of OS X ransomware was designed to specifically bypass RansomWhere? it would likely succeed," Wardle warns.

More background on Wardle's research into Mac ransomware that led on to the design of the tool can be found in a blog post here. ®


The most serious Mac ransomware threat to date was KeRanger, which surfaced in March. KeRanger infected a legitimate build of Transmission, a BitTorrent client for OS X. The booby-trapped download was hosted on Transmission's official site, a method of distribution that allowed it to infect several thousand unsuspecting Mac users.

More about

More about

More about


Send us news

Other stories you might like