Breach, Content, Malware, Security Program Controls/Technologies

Apple Mac Malware, Ransomware, Spyware Reappears: Five Takeaways

What we knew but were hesitant to say out loud about Apple Mac OS X (aka macOS X) malware has reared its menacing head: Security specialists Fortinet and AlienVault have uncovered two new variants of malware specifically targeting Apple’s Mac systems, one ransomware and other spyware.

Both companies have MSSP-centric partner programs, so it's a relatively safe bet vendor alerts about the malware have reached their respective managed security services providers.

Fittingly, the malware authors have dubbed the ransomware MacRansom and the spyware MacSpy. The two new strains, said to be the work of the same hacker, have been offered for free on the Dark Web for about two weeks, according to Bleeping Computer.

It’s one of the still rare but certain-to-multiply instances of Mac-targeted malware--and just the second Mac-aimed ransomware discovery, with the first, called KeRanger, showing up more than a year ago. The news is likely to shake up Mac users and raise some eyebrows of MSSPs.

Here are five takeaways to consider:

Fortinet’s Aamir Lakhani
Fortinet's Aamir Lakhani

1. The perpetrators are turning as-a-service on its ear: Owing to its small market share, the Mac has been largely bypassed by cyber criminals. There’s just not enough volume out there to make it worthwhile is the thinking. But what about scale, asks Aamir Lakhani, a Fortinet senior cyber security researcher, in a June 12 blog post.

“Rather than targeting lower-value devices or systems one at a time, cybercriminals have begun building malware ‘franchises’ that allow wannabe criminals to sign up to leverage pre-built technology to target potential victims in exchange for sharing profits on the back end,” he wrote.

That’s the potential profit mechanism of the newly discovered as-a-service MacRansom--the opportunity to make money through cyber-extortion without creating their own malware. In that regard, the potential windfalls are limitless.

2. The Mac is becoming a tasty target: Lots of C-suite executives and top management use Macs. IT security often complains that those users aren’t as likely to button up their devices as others in an organization, making them a good target for cyber extortion.

Combine that with the development of new hacking tools aimed at multi-platform software and you’ve got issues.

“While it may take lots of work to target Mac OS, attackers can create attacks using something like Python, which runs on multiple platforms, and which is loaded by default on all Macs. And ransomware may not even need special privileges to operate on a Mac system,” said Lakhani.

3. Look for development of more Mac malware solutions: The obvious downside of MacRansom and MacSpy is the extensible danger each poses. The opportunity--to put it in the best possible light--is we are likely to see accelerated development of new Mac malware solutions.

"MacRansom is yet another example of the prevalence of the ransomware threat, regardless of the OS platform being run," Fortinet said in a separate blog. "There are no perfect mitigations against ransomware.”

Additionally, inasmuch as AlienVault has MSSP relationships, we may see the company more aggressively discuss Mac-centric malware solutions for MSSPs. It’s certainly something to watch for. In the more traditional MSP market, RMM (remote monitoring and management) software providers like Autotask, ConnectWise, Continuum, Kaseya and SolarWinds MSP increasingly offer Mac-centric monitoring tools. Those tools typically integrate with endpoint security options from Webroot and other MSP-friendly companies. But we don't know if specific MacRansom and MacSpy preventive measures are in place.

4. Awareness is still the best deterrent: For now, neither piece of malware can get past macOS' Gatekeeper security function without triggering a user alert, Laptop reports.

But that could change as the malware gets more sophisticated, or if someone figures out how to trick users into installing the malware.

As with malevolent code targeting Windows machines, the same precautions are true for the Mac. If your system is hijacked or infected, you can minimize the hit with regular backups of critical files and not opening attachments or emails from unknown sources or developers. And don’t forget to update your systems with the latest software patches.

5. Popularity breeds contempt: For Mac users, brushing this off, in case you’re tempted, wouldn’t be a good idea. While the Mac’s relatively small market share compared to Windows PCs make it less lucrative for cyber crooks, it’s clearly not impenetrable and well, ransom is ransom.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.