This is despite the common belief that macOS is less vulnerable to infection than Windows or Linux. While it may be true that Apple’s control over every aspect of its hardware and operating systems makes macOS inherently more secure, the relative lack of malware and ransomware on macOS to date can largely be attributed to the much smaller market share of macOS compared with Windows PCs.
With macOS representing less than 20% of the market (vs. 75% for Windows), a ransomware attack against macOS is simply less likely to be as profitable. As a result, fewer ransomware software packages have been developed and discovered that are macOS-specific.
Most ransomware on macOS to date has resulted from users installing pirated software that has been modified to covertly install the malicious software. ThiefQuest (also known as EvilQuest), first detected on macOS in the summer of 2020, was packaged with pirated versions of popular software, including the Little Snitch security software, Mixed In Key DJ software, and the music production software Ableton. ThiefQuest includes both spyware and ransomware.
Besides showing the user a ransom note that demands payment, it also logs the user’s keystrokes, searches the infected host for passwords and cryptocurrency wallet data, and gives the attackers a back door to the host computer.
Malware has also been found in macOS Xcode developer tools. For example, XcodeSpy disguises itself as Xcode’s Run Script functionality. When unknowingly run by a developer building their own software project, it installs a back door on the computer that can be used for command and control of the operating system.
What makes this flavor of malware so dangerous is that it can execute what’s known as a “supply chain attack” by spreading through shared projects in public code repositories and potentially infecting every software application that uses the shared code.
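As an added defender-side example (not from the original article, and not XcodeSpy's own code), the following Python audits the Run Script build phases in an Xcode project.pbxproj before a shared project is built: it lists every script and flags constructs that a legitimate build step rarely needs. The project text, phase ids and indicator list are constructed for illustration.

```python
import re

# Constructed sample of the PBXShellScriptBuildPhase entries in an Xcode
# project.pbxproj (not a real project; only the fields the check reads).
SAMPLE_PBXPROJ = r'''
		AA01 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellScript = "echo \"built $(date)\" >> \"$SRCROOT/build.log\"\n";
		};
		AA02 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellScript = "eval \"$(echo QUJDRA== | base64 -D)\" >/dev/null 2>&1 &\n";
		};
'''

PHASE_RE = re.compile(r'(\w+)\s*/\*[^*]*\*/\s*=\s*\{\s*isa = PBXShellScriptBuildPhase;'
                      r'(.*?)\};', re.DOTALL)
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)";')
NAME_RE = re.compile(r'name\s*=\s*"([^"]*)";')
# Constructs a build script rarely needs; a hit means "read it before building".
INDICATORS = ("eval ", "base64", "curl ", "wget ", "osascript", "LaunchAgents", "2>&1 &")

def unescape(s):
    # Undo the backslash escapes pbxproj applies to the quoted script string
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def extract_run_scripts(pbxproj_text):
    """Return (phase_id, name, script) for every Run Script build phase."""
    phases = []
    for m in PHASE_RE.finditer(pbxproj_text):
        phase_id, body = m.group(1), m.group(2)
        name, script = NAME_RE.search(body), SCRIPT_RE.search(body)
        phases.append((phase_id, name.group(1) if name else "",
                       unescape(script.group(1)) if script else ""))
    return phases

def suspicious_indicators(script):
    return [ind for ind in INDICATORS if ind in script]

def audit(pbxproj_text):
    """Map phase id -> matched indicators, for phases that match any."""
    return {pid: hits for pid, _, script in extract_run_scripts(pbxproj_text)
            if (hits := suspicious_indicators(script))}

if __name__ == "__main__":
    for pid, name, script in extract_run_scripts(SAMPLE_PBXPROJ):
        hits = suspicious_indicators(script)
        print(pid, repr(name), "FLAG " + ", ".join(hits) if hits else "ok")
```

Run it against the real project.pbxproj of any project cloned from a public repository; a flagged phase is a script to read, not a verdict.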
So, if you think you’re safe from ransomware simply because you use a device running macOS, think again.
With more business and personal computing being done on our phones than ever, ransomware on mobile devices is also increasing in frequency.
Unlike with desktop computers, however, most ransomware on Android and iOS doesn’t block access to files by encrypting them, but rather makes the entire mobile device unusable.
This type of ransomware is known as locker ransomware, or a screenlocker. For example, the AndroidOS/MalLocker.B ransomware, once activated, displays a screen containing a ransom note over every other window.
Much ransomware on mobile devices is fake. A website or app may display a notification demanding payment, but the attackers have no ability to encrypt or disable the device. Clearing the browser cache and history usually returns the device to normal operation.
App stores provide a level of security on mobile operating systems that isn’t available on desktop and server operating systems. Apple has strict approval processes and security checks for apps, and only allows iOS apps downloaded from its app store to be installed.
Android gives users the ability to allow apps to be installed from any source. As a result, ransomware on Android is much more commonly spread through fake apps downloaded from third-party sites. One such example is the Koler ransomware, which was disguised as an adult-themed app; once installed, it gains control of the device and presents the user with a ransom demand.
Jailbreaking (on iOS) or rooting (on Android) is the process of modifying the operating system to allow the user to have administrator access. Once jailbroken or rooted, the user can install any third-party apps, which makes it much easier for ransomware to infect iOS, in particular.