Threats 101
Ryan Berg
Mar 2016

How Ransomware Will Evolve Next: A Barkly Malware Research Chat


In this week’s chat, the Barkly malware research team looks at the latest developments in ransomware — from the first full-fledged ransomware for OSX to the arrival of new virus-like ransomware and more.

The Team:

  • ryan (Chief Scientist)
  • rick (Principal Malware Researcher)
  • forrest (Malware Researcher)
  • matt (Malware Research Co-Op)
  • This chat's special guest: jack (Co-Founder and CTO)

You Like Apples? Ransomware Now Targeting Macs

ryan: It’s been a while gang, and a lot has been happening in the news with regards to ransomware. Specifically, it seems like there has been some recent noise about ransomware on Macs. Can someone chime in on what the hubbub is about and whether I should be concerned?

rick: That’s right. The first full-fledged version of ransomware for OSX popped up. A BitTorrent app was bundled with a ransomware that would encrypt Macs. Palo Alto dubbed it KeRanger: 

Macs have been gaining a larger and larger market share for years, which has made them an increasingly appealing target for malware writers. So because they are now a common target, that also means they will be subject to the latest trends for Windows, which right now is ransomware. Most recently, the KeRanger malware has been spreading on Macs and selling the users’ own encrypted data back to them.

rick: KeRanger encrypted various files including documents, images, videos, archives, source code, and emails.

matt: KeRanger also attempts to encrypt the Time Machine backup files, which would almost guarantee a payment from a lot of users who probably use Time Machine as their be-all, end-all backup solution.

ryan: But, wait, don’t Macs have a built-in protection mechanism (Gatekeeper) that is supposed to prevent rogue software from being installed? How did this one make it through?

rick: Apple was able to minimize the impact with GateKeeper. For those unfamiliar with Gatekeeper, it’s a blacklist Apple can push out to stop known malware from spreading. Apple has continued to push their walled garden approach to computers to encourage users to download their apps from the App Store.

ryan: A walled garden where anybody can join as long as they know the password. Whispers: “the password is ‘password.’”

rick: In order to get an application on your device, they need Apple’s blessing. That’s one way Apple was able to control the spread of the malware. It revoked the certificate and added the malware on the deny-list.

It’s a nice security feature, but at least with computers, it can be bypassed by going into the security settings.

forrest: Similar to Android, one of the popular strategies on Macs is to put a logic bomb into a legitimate looking piece of software. A logic bomb is a hidden condition/trigger inside of a program which can execute some extra code (unrelated to the program it is hiding in) at a certain time/date or when a remote attacker gives a signal.

So then it is just a matter of tricking users to go and specifically seek out this logic-bombed software and run it themselves. Sometimes it isn’t even known that some legitimate looking software actually has malware in it for a long time. Take a free video game app, for example. Or in this case, a BitTorrent client.

ryan: It looks like taking legitimate software isn’t the only tactic. It boils down to taking the trust (signed developer certificates) and really just using that implied trust to implant malicious software:  

forrest: @ryan: That’s true, and this is actually a tactic which is now used on Windows, as well. Some advanced threats will use stolen certificates in order to bypass the signing mechanisms protecting the Windows kernel. For example: Cyberspies Stole Digital Certificates to Mask Their Malware

Duqu 2.0 nation-state attackers used pilfered Foxconn hardware driver certs to sign spying malware that hit negotiators in Iranian nuclear pact discussions, Kaspersky Lab, and now an ICS/SCADA hardware vendor. So this is another trend which is starting to spread from Windows and Android and over to Macs, bypassing the security mechanisms put in place that rely on trust.

ryan: I am honestly afraid with all the talk about encryption that in a world where everything is encrypted we are forced to more blindly trust things sight unseen. Shouldn’t there be a discount for that (tongue planted in cheek)?

rick: Even though Apple did have a swift response to KeRanger, the company is increasingly becoming a larger target for malware. Did you know Apple had the most reported vulnerabilities in 2015? 

ryan: So security companies have been saying it’s only a matter of time before more malware hit Macs for years. Is this more the boy who cries wolf or are we really reaching a tipping point?

rick: The tipping point is a function of affected users (aka marketshare). It’s growing, but Windows remains a bigger target. Writing malware takes effort, and malware authors would rather target 90% market share of Windows XP->10 than just the 6-10% OSX holds. Windows ransomware really seems to be where the real money is right now for attackers.

matt: Agreed. As more people and companies switch to using Apple products, malware authors will likewise switch to writing malware for Mac products. But until then, it just isn’t as profitable.

forrest: That’s true that Windows has a larger market share and is a more profitable platform (in general) to target, but I think it’s also worth keeping in mind that there are many wealthy individuals and organizations that use Apple products. Considering their price compared to Windows, I think it would be fair to say that it’s a group of people very appealing to criminals to target for identity theft. There is an affluent demographic of users on these products with potentially a lot of money to be stolen.

ryan: I mean, take a walk on any college campus these days and keep track of the amount of Apple hardware you see. It’s like counting trucks in Texas.

forrest: The persistent denial on the part of Apple for many years that there is any potential security risk to using their products gives the false impression that something like this new KeRanger ransomware is particularly unusual or surprising, when in reality there have been many malware writers and organized crime groups targeting Macs for a long time now to steal personal information, credit cards, etc.

This just represents the inevitable spread of a popular trend on Windows — ransomware — to Macs.

rick: As a result, VirusTotal recently started keeping track of specific OSX malware and Android malware.

Factors Contributing to the Rise of Ransomware


ryan: Why is ransomware the new game in town? It seems every week there is a new variant, a new platform, a new you-name-it being reported about it.

jack: The ransomware/Bitcoin combo makes it a really simple way to monetize attacks.

rick: And keep it anonymous. I’ve heard some ransomware asking up to $500 to unlock your files.

jack: Hollywood Presbyterian Medical Center paid $17,000.

rick: If someone stole my laptop today, the most valuable thing on it wouldn’t be the hardware, it would be the files, especially my photos.

matt: It’s also hard to maliciously use credit card information these days. Credit card companies have gotten a lot better at recognizing suspicious activity and then calling/freezing the card. Stealing all that information doesn’t help if you can’t use it.

jack: The Economist had a great piece on ransomware in January of last year: Your Money or Your Data: Dick Turpin Rides Again — As a Digital Highwayman 

They monitored one smaller ransom-taker’s (Bussoleno) Bitcoin transactions — $109,400 in just eight days. Of course, then you have the FBI in the US saying, “Just pay the ransom.”

rick: Bitcoin makes it difficult to investigate, especially if it’s not a major ransomware family. Actually, some early ransomware families have software vulnerabilities to make it easy to recover files without paying for ransom, but they generally fix the vulnerabilities and make it harder to recover.

ryan: Hmm, a scary thought when the next device attackers could target is in your car driving down the highway at 80mph. Or when you’re walking to get some coffee with your recently updated pacemaker.

jack: Great point, Ry. Most people think of ransomware as focused on content, but as Hollywood Presbyterian learned, it can also disable systems until the ransom is paid. Very tough for a $2M/day hospital to have services shut down for 10 days.

matt: The FBI saying to pay the ransom is essentially telling malware authors they should drop what they’re doing and start writing ransomware. “Hey, if you do this, we are telling people to pay you.”

rick: Exactly! We’re seeing the evolution of ransomware, as well. Linux, Android, MSIL (.NET based), and even polymorphic virus-like ransomware like VirLock.

forrest: There are a lot of situations in which paying would make sense. You can imagine a scenario where a student on an OSX laptop just finished their final project for the semester and gets it encrypted by ransomware. The price of re-taking the class, or possibly even not graduating, is much more significant than a few hundred bucks in ransom payments.

The same could be said for a company about to release a product who will miss their deadlines if they do not get their data back. The trend is definitely here to stay, although I’m sticking to the idea that this is not a surprise we now have ransomware for Macs. When the next big malware trend arrives, we can expect it to appear on Macs as well.

rick: You’re assuming college students have money! Well, they do have disposable income but it usually goes towards Spring-Break-related activities.

ryan: Who says the students are the ones with the money? I have one in college and I know where that buck stops.

The Evolution of Ransomware: Does VirLock Represent the Next Stage? 


rick: We’re seeing the evolution of ransomware, as well. Linux, Android, MSIL (.NET based), and even polymorphic virus-like ransomware like VirLock. @forrest.williams: Didn’t you recently look at VirLock?

forrest: VirLock represents the evolution of ransomware in the direction it will need to move in order to increase its profits and take its attacks from a granulated form (a single machine in a company/office) to a larger scale where an entire office will be ransomed all at once. They’ve combined traditional parasitic virus techniques, infecting the user’s files with malicious code, with their ransomware payload.

This means that users sharing infected files on USBs or over a repository in an organization would quickly all have their machines locked and ransomed. It also makes the infection significantly harder to remove.

rick: A friend of mine was recently playing with VirLock and he accidentally encrypted his USB drive and network office shares… oops.

ryan: I still get USBs given to me and feel somewhat dirty every time I plug one into my machine.

forrest: I think in the future, there will be even more emphasis on these kind of parasitic/ransomware attacks and also worm attacks, which will target the entire local network with ransomware. What the malware writers are aiming for is to create a situation which is as stress-inducing and potentially catastrophic as possible so that they can demand a higher ransom.

rick: At the same time, one of the beauties of ransomware is the relative low-cost of entry and the ability to remain anonymous if you run below the radar. Doing network-wide attacks, especially at large networks, will generate a lot of attention. The FBI is telling users to pay the ransom because they don’t have the resources to investigate every mom-and-pop ransomware popping up. They do have the resources to investigate the really large network breaches.

jack: I just wrote an article for VentureBeat on that analysis. As ransoms go up (and they will, because they are disrupting high-value, high-dollar businesses), there will need to be a move to blunt the effectiveness of the ransomware, so that “writing ransomware” or leveraging one of the DIY ransomware platforms, will require higher investment and better technology to succeed in actually breaching machines.

ryan: There appears to be “no-cost” of entry with the ransomware-as-a-service offerings, just a willingness to break the law. 

RaaS: “Plug and play with your bitcoin wallet address”

jack: A good model for the authors. They take 20% off the top.

forrest: We’ve seen worms in the past that will go into your email and send messages to all of your contacts trying to get them to download/run an important program or document. The impact of this combined with ransomware in an office (what if the CEO sent a ransomware program to all of his employees?) is the direction this type of criminal wants to move things. It’s relatively low-cost to create and simple to profit from as urgent and devastating a scenario as possible.

ryan: The phishing attack that recently hit Snapchat made it appear as if their CEO was asking for W-2 info, so we’re already not far off. Add an Excel macro to that email requiring updates and blamo.

What about Locky? That’s another new family of ransomware that has quickly made a mark for itself. This recent article highlights the “advancements” it represents in ransomware techniques. @forrest.williams what was this all about?

forrest: In regards to the article calling Locky an “advancement” in ransomware techniques, I actually don’t think it is particularly game changing. Ransomware is becoming enough of a trend that it is starting to appear in lots of different languages. The fact that it has appeared in JavaScript doesn’t represent anything special, especially not from a behavioral protection point of view. From where we’re standing, the ransomware is still doing the exact same thing.

rick: One interesting thing to look at with the shift towards ransomware is Dridex (in fact, we had a previous Malware chat about this). The Dridex botnet, which used to focus primarily on credential theft and has been spreading banking Trojans for years, is now spreading ransomware with a totally changed profile.

Credit cards are becoming a worthless commodity, banking credentials are quickly becoming worthless as the financial community embraces 2FA… the Dridex malware authors are basically saying “there’s no money in banking credential theft, let’s focus on ransomware.”

It’s a great example showing where the malware community is going.

forrest: With the level of time, effort, and development/innovation going into such banking products, and with ransomware proving to be such a profitable industry, I could easily see very high levels of sophistication in ransomware soon. Finding GitHub, local repositories, even backup services and external hard drives.

After all, we have seen banking malware become so sophisticated that it has specific code written for each and every major bank/web browser, which will hide the money that has been stolen from your account from you when you log into your bank account.

Also, unlike banking malware, which relies on keeping a very low profile and targeting individual users, ransomware opens up possibilities for bringing back old methods like virus techniques and worming, which can hit large organizations and spread faster.

Whereas banking worms remain uncommon, I don’t think ransomware worms will remain undiscovered for very long at this rate. VirLock represents a first step in this direction.

rick: I’m definitely waiting for the ransomware that looks for GitHub, Dropbox, and Box accounts and starts encrypting those.

ryan: With the economics of ransomware where they’re at and the experts telling you to just pay up it seems we have a really big gap that needs to get filled. Are shares in backup companies going up? What advice do we have to give?

jack: Ransomware is almost wholly distributed through end user mistakes. As a result, the awareness of those users and the protection of their systems has got to be step one. Awareness to help them make fewer mistakes and protection to help them out when they do.

ryan: Gang, based on what’s at stake I think it’s time to get back to work, but it sounds like we’ll be discussing new ransomware developments again soon.

If anyone has a topic they would like to see discussed here just send a note to @barklyprotects.

Ryan Berg

Ryan is Chief Scientist at Barkly. He holds multiple patents and is a popular speaker, instructor, and author in the fields of security, risk management, and secure application development.