
New Mac ransomware spreading through piracy - 1915cb1f
https://blog.malwarebytes.com/mac/2020/06/new-mac-ransomware-spreading-through-piracy/
======
b212
Apple puts so much pressure on security, shouldn't it be possible to block
ransomware somehow on the OS level, possibly on all platforms?

I mean not many apps need to modify millions of files on all drives including
network drives and dongles... It should be fairly easy to spot, something
like:

1. If xxx wants to modify more than 50 files in 24 hours go to 2.

2. If some of the files were modified more than a week ago or if the files
are in directories across multiple drives go to 3.

3. If some of the files are images/documents it's a no go, prompt user to
accept and list the affected files.

I'd love something like this for my Synology, it's connected to my Macbook as
a network drive and I store my backups there, if anything modifies these files
without my knowledge I'm doomed. I need to access some of my backups on a daily
basis so it's kinda hard to disconnect the drive all the time :/

~~~
aj3
Windows 10 has just what you describe:
[https://www.bleepingcomputer.com/news/microsoft/how-to-enabl...](https://www.bleepingcomputer.com/news/microsoft/how-to-enable-ransomware-protection-in-windows-10/)

Of course, bad guys can still 1) create an encrypted copy and delete the originals
instead of modifying files in place; 2) disable protection alongside A/V
and proceed as usual; and my favorite 3) rely on built-in disk encryption
mechanisms and simply overwrite encryption keys & salts.
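The three-rule heuristic b212 sketches above, extended to also count the "encrypted copy plus delete" pattern aj3 lists as the first evasion, as an added Python example that is not part of the thread or of any product. The event record, process names, paths and thresholds are constructed for illustration; a real implementation would feed it from a file-system event source.

```python
import os
from collections import defaultdict
from dataclasses import dataclass
DAY, WEEK = 86_400, 7 * 86_400
DOC_EXTS = {".jpg", ".png", ".pdf", ".docx", ".xlsx", ".txt"}

@dataclass
class Event:                 # constructed record shape, not a real OS API
    ts: int                  # epoch seconds when the operation happened
    proc: str                # originating process name
    path: str                # absolute path; /Volumes/<name>/... is a mounted drive
    mtime: int               # file's previous mtime (ignored for "create")
    op: str                  # "write", "unlink" or "create"

def drive_of(path):
    # /Volumes/NAS/... -> "NAS"; anything else is treated as the boot volume
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "Volumes" else "boot"

def assess(events, now, max_files=50, window=DAY):
    """Map each process that trips rule 1 to (highest rule reached, affected paths)."""
    touched = defaultdict(dict)      # proc -> {original path: old mtime}
    unlinked = defaultdict(list)     # (proc, directory) -> [(path, old mtime)]
    for e in sorted(events, key=lambda e: e.ts):
        if now - e.ts > window:
            continue
        d = os.path.dirname(e.path)
        if e.op == "write":
            touched[e.proc][e.path] = e.mtime
        elif e.op == "unlink":
            unlinked[(e.proc, d)].append((e.path, e.mtime))
        elif e.op == "create" and unlinked[(e.proc, d)]:
            # A new file appearing after a delete in the same directory is scored
            # as a modification of the deleted original (the copy-then-delete evasion).
            path, mtime = unlinked[(e.proc, d)].pop(0)
            touched[e.proc][path] = mtime
    verdicts = {}
    for proc, files in touched.items():
        if len(files) <= max_files:
            continue                                  # rule 1 not tripped
        stage = 1
        old = any(now - m > WEEK for m in files.values())
        multi = len({drive_of(p) for p in files}) > 1
        if old or multi:
            stage = 2                                 # rule 2
            if any(os.path.splitext(p)[1].lower() in DOC_EXTS for p in files):
                stage = 3                             # rule 3: prompt the user, list files
        verdicts[proc] = (stage, sorted(files))
    return verdicts

def sample_events(now):
    # Constructed events: a busy cache writer, an editor, and a ransomware-like process.
    ev = [Event(now - i, "Safari", f"/Users/me/Library/Caches/blob{i}", now - DAY, "write")
          for i in range(60)]
    ev += [Event(now - i, "TextEdit", f"/Users/me/Documents/note{i}.txt", now - 2 * WEEK, "write")
           for i in range(3)]
    ev += [Event(now - i, "CrackedApp", f"/Users/me/Documents/report{i}.docx", now - 3 * WEEK, "write")
           for i in range(30)]
    for i in range(30):  # on the NAS it deletes originals and drops encrypted copies
        ev.append(Event(now - 100 - 2 * i, "CrackedApp", f"/Volumes/NAS/backups/photo{i}.jpg", now - 5 * WEEK, "unlink"))
        ev.append(Event(now - 99 - 2 * i, "CrackedApp", f"/Volumes/NAS/backups/photo{i}.jpg.locked", 0, "create"))
    return ev

if __name__ == "__main__":
    for proc, (stage, paths) in assess(sample_events(1_600_000_000), 1_600_000_000).items():
        print(f"{proc}: reached rule {stage}, {len(paths)} files affected")
```

Safari trips rule 1 only (many recent cache files on one drive), TextEdit is never counted, and the cracked app reaches rule 3 with the deleted NAS originals listed among the affected files.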

~~~
vladvasiliu
> Windows 10 has just what you describe [link]

I've looked into this, but it feels limited to me. It's all or nothing. I
can't have App1 only access Documents and App2 only access Pictures. Once I
give any one app access to the "protected folders", it has access to all the
protected folders.

~~~
jstanley
You should check out Qubes OS. [https://www.qubes-os.org/](https://www.qubes-os.org/)

All applications run inside a VM, and you set up different VMs for different
tasks. The windows are all composited onto one seamless desktop environment,
with the colour of the window decorations telling you which VM it's in. You
can copy and paste between the VMs with a special keyboard shortcut, and you
can manually copy files between them as well, but otherwise they have no
access to each other.

If you open some ransomware in one VM, it can't touch (or read, or know of the
existence of) any of the data in other VMs.

~~~
gentleman11
How is usability? It’s a very appealing model but it sounds confusing

~~~
aj3
It's great at what it does. Much more useful than I expected, feels more
thought out than some commercial alternatives.

Xen virtualization with their custom X-passthrough driver is super fast as
well. No hardware acceleration of course, but it didn't feel choppy at all. As
long as you have enough RAM (I'd say 16GB at least), it works pretty much like
bare metal (even though there are several VMs running in the background at all
times for network, fw, usb, etc), way faster than Spice, VNC, RDP or
VirtualBox (talking about UI, not number crunching).

------
peterburkimsher
Has anyone tested whether this can be detected with RansomWhere?
[https://objective-see.com/products/ransomwhere.html](https://objective-see.com/products/ransomwhere.html)

It's a program that warns me whenever programs are locking files. In practice
it's a minor annoyance when using brew or pip. Similarly, Oversight tells me
when my camera and mic are being used.
[https://objective-see.com/products/oversight.html](https://objective-see.com/products/oversight.html)
It's a minor annoyance whenever I have a
video call and plug in a microphone. But it's "for my protection", and
sometimes can be useful to know whether it's really my sound settings that are
the problem, or that my headphones are unplugged. These two also seem more
trustworthy than anti-virus for Mac, because they don't claim to keep me safe,
just warn me when there's a problem.

~~~
_underfl0w_
I'd be very curious to audit the codebase for the tools you mentioned.

~~~
peterburkimsher
I'd be very curious to read your review!

------
cpach
I don’t understand how people dare to run executables downloaded from a pirate
site...

~~~
AnthonyMouse
> I don’t understand how people dare to run executables downloaded from a
> pirate site...

Pirate sites have reputations the same as anybody. The more reputable ones
actively remove spam and malware.

So it's kind of like saying, I don't understand how people dare to run
executables downloaded through the internet. Depends a lot on where on the
internet you downloaded it.

~~~
Polylactic_acid
I'm on several private torrent sites and I still won't run software outside of a
VM. The problem is the users are trusted, but unless they packaged the crack
themselves they don't even know if there is malware bundled in. It's easy to
verify that audio or a book is high quality, but verifying software is next to
impossible.

~~~
philliphaydon
One of the things I miss in Windows 10 I don't have on Ubuntu is 'Windows
Sandbox'. It's great for testing software out. It loads pretty much instantly.

~~~
heavyset_go
Look into Firejail.

[https://firejail.wordpress.com/](https://firejail.wordpress.com/)

~~~
aj3
There are so many ways to escape Firejail, that no one should seriously rely
(solely) on it for security. Please, just use proper virtualization for trying
shady software/suspected malware.

------
Jerry2
_Play stupid games, win stupid prizes._

If you cannot afford Little Snitch or don't want to pay for it or just prefer
open source, install LuLu. It's a free and open source alternative to LS
application firewall. [1] You can install it through Homebrew or download
binaries manually [2].

[1] [https://github.com/objective-see/LuLu](https://github.com/objective-see/LuLu)

[2] [https://objective-see.com/products/lulu.html](https://objective-see.com/products/lulu.html)

~~~
sillysaurusx
Am I the only one who uses piracy to explore new technologies? For example, I
pirated ZBrush and spent about a month learning it. At that point I felt I had
invested enough time / gained enough skills to justify buying a full license,
if I ever need to do more 3D modeling.

I had the same experience with Visual Studio back in the day (aka Visual C++
6.0; fond memories...), and of course photoshop.

It’s a stupid game, but quite a personal growth vector.

~~~
tomc1985
This is why a lot of software houses don't come down _too_ hard on individual
pirates -- they often become your fans and they might result in business in
the future. It's like selling concerts and merch as a musician.

Since software dev isn't the domain of lifelong nerds anymore I don't think
most folk are as understanding or knowledgeable about the positives of piracy
(or related issues around software freedom or the economic properties of
digital data), hence your unfortunate downvotes.

It's a shame... there are many of us who would not be where we are today, as
productive, value-creating citizens, without having learned our trade with
pirated software.

~~~
sillysaurusx
Exactly. I remember begging my mom for Visual C++ 6.0 from eBay for $60 whole
dollars when I was like 12, because I had heard that’s what real gamedevs use,
and I was determined to become a real gamedev. It’s weird... you can trace
that moment to present, and her saying “yes” or “no” would have dramatically
changed my economic outcome.

Piracy is a wonderful equalizer in that regard. Companies have every right to
come down on piracy, but it often works against you if your software is a
tool.

~~~
asciident
What did she say? Don't leave us hanging...

~~~
sillysaurusx
She said yes :) I owe a lot to that decision. It's also helped me understand
what "privilege" is – many, many parents would have been like "no, now go do
your homework." (I wasn't a very good student.)

But, for example, Visual Studio 2003 Architect Edition was so expensive that I
think it was a few thousand dollars at the time. Piracy enabled me to learn
that, too. And surprise surprise, when I got into the gamedev industry, that
was what they used.

From Microsoft's standpoint, it was nothing but benefit: in addition to adding
+1 productive programmer to the world, the piracy also caused me to become
something of a Microsoft evangelist, similar to Carmack. It helped me
appreciate a good IDE back before Webstorm made it a reality for Javascript.

Of course, that eventually led to discovering Emacs (or rather being forced to
learn it due to a twist of fortune) and then evolving into my bearded open-
source devil form... Now if only there were an Emacs equivalent for 3D
modeling and music, I'd be happy as a clam. Blender is great, but it just
can't compete with ZBrush.

EDIT: By the way, I was _delighted_ to discover that Photopea
([https://www.photopea.com/](https://www.photopea.com/)) is a completely free,
browser-based alternative to Photoshop. It has almost an identical UI, and it
does 100% of what I need out of photoshop. We've been paying the $35/mo
creative suite license, but I imagine lots of people still pirate it.

~~~
jackson1442
If you're wanting desktop software, Affinity[0] sells one-time-purchase
licenses for their Photo, Designer, and Publisher software. I've never used
Photoshop/Illustrator and generally do rather light work when I do need to
edit/design, but I've been very happy with my purchase. Each license is $50,
and they recently went on sale for $25 (but that's over now).

[0]: [https://affinity.serif.com](https://affinity.serif.com)

~~~
saagarjha
(I cracked those back in high school and then purchased them because they were
so good…)

~~~
jackson1442
Exactly what I did.

------
nisten
I really appreciate you reporting this, and understand that it's too late now,
but you should try to keep your source anonymous in cases like this in case
they get bad publicity where they live.

~~~
dewey
Why would they need to keep a source anonymous if they mentioned them in a
public tweet?

[https://twitter.com/beatsballert/status/1277557875888533504](https://twitter.com/beatsballert/status/1277557875888533504)

I'd assume they wouldn't post the full name if someone sends them a private
email.

~~~
nisten
It's a psychological matter: the more publicity, the higher the
likelihood of an illogical backlash against the person, especially if they
live in places where the rule of law doesn't protect them well.

~~~
dewey
The likelihood of a person getting in trouble for posting information about a
badly written malware in some pirated copy of a software seems very slim. It’s
not like they are exposing some nation state’s surveillance plan.

~~~
nisten
They could be screwing over a local company that developed the malware and,
it's just good journalistic practice in general to protect your source.

------
Wowfunhappy
They only want $50 to decrypt the files?

I wonder if they actually decrypt the files for that amount or if they demand
more. I keep backups, but if I somehow got hit by this, I think I'd pay the
$50 to avoid losing the few days of work. (I'd have a bit of an ethical
quandary about it, but I'd still probably do it if I'm being quite honest.)

~~~
donmcronald
What? You have to start from scratch to trust the machine again, don’t you? So
if you’re pulling backups anyway...

~~~
skoskie
This. The whole network and everything on it are getting nuked. And due to the
delay these things have, you have to assume the backup may restore the
malware.

Everything gets a clean install and only non-binaries get restored from
backup.

~~~
Wowfunhappy
> Everything gets a clean install and only non-binaries get restored from
> backup.

I can do that more easily if I don't lose ~2–3 days of work though (or
whatever amount of time has passed since the last offline backup). Even if I
need to manually go through the documents so that only non-binaries are
restored, just having them would _probably_ be helpful.

I don't know, I guess it depends a lot on the actual situation: what I was
working on at the time, etc. But that $50 price tag seems alluring.

------
hedora
Someone emailed me my password from two decades ago, and said they were going
to ransomware my box, but that my porn habits were so uniquely interesting
they just had to make a collage including screenshots and pics from my webcam
(in the attached pdf, presumably). They’ll delete it for $1500 BTC, which is
really a steal if you think about it.

Is there a chatbot I can point at this chucklehead?

> _I really want to pay you BTC, but my computer says bit torrent was made by
> an unverified developer. I called my bank, and they said to ask what other
> ways you can accept payment. Do you know what a “Wire Transfer” is? We’re
> saving up for our first house, so I have the money and Ashley won’t miss it.
> Is $2000 OK? Please please please don’t out me!!!_

And then I want it to send a dozen more of these until the scammer gives up or
sends its bank account info.

~~~
stordoff
I had someone try that on me about a year ago (shortened as it was a _long_
email):

> You probably noticed your device is acting strangely lately. That's because
> you downloaded a nasty software I created while you were browsing the
> Ƿornographic website...[...] If you do not do what I ask you now, I will
> upload this ugly video file with you ... and the stuff you were watching to
> several video upload sites and I will send the links to all your friends,
> family members and associates.[...] I think 2,000 USD is a fair price for my
> silence. I know you can handle to send me this money - and it is enough for
> me to get lost. So how do you send the cash?? Bitcoin.[...]

> Ok.. so what if you decide not to pay ? Well if you want to test my patience
> - go on. I will destroy your social life, you can count on that. You think
> that visiting Police is a good idea ? Nope. I don't live in your country and
> I know how to stay Anonymous. I will send the compromising video to everyone
> you know! Just send me the 2,000 USD and we forget about the whole thing. I
> have family to feed too.[...]

> The time starts ticking after you open this letter (I included a pixel in
> this message and I will know when you read it).

Oddly enough, nothing ever happened.

~~~
djxfade
I received the exact same template mail. They had also included an old
password that I presume was leaked in the Adobe hack or something. Didn't
really feel worried though, cause on my device (a MacBook Pro with the T2
security chip), it's physically impossible to enable the webcam without the
status LED getting activated.

~~~
culturestate
_> it's physically impossible to enable the webcam without the status LED
getting activated_

People put way too much trust in webcam LEDs. Not because they don't work or
could be bypassed, but because it's super easy to just _not notice it_ if it
only comes on for a split second. It doesn't take much time to grab a single
frame; maybe you've been staring... _intently_...at the screen and get tunnel
vision, or you just look away, or whatever.

Even if the LED was forced to light up for half a second before and after the
camera became active as a sort of safety interlock, what's the average user
gonna do with that information if it's unexpected? Panic and close the lid?

I'm not _super_ paranoid about this but I'm just paranoid enough that I use
Oversight[1] and manually approve whichever app is asking for access at the
time. You can do this halfway natively in Catalina, but as far as I know it's
binary - either the app has access or it doesn't, you can't set it to ask each
time.

1. [https://objective-see.com/products/oversight.html](https://objective-see.com/products/oversight.html)

------
jiux
Riddle me this:

I wonder what ROI would look like in comparison if the schemers targeted
$49.98.

------
crobertsbmw
It sounds like whoever wrote this malware is just as crappy a programmer as
I am. Reassuring, I guess.

------
Shared404
> However, Chrome will see that the files have been modified, and will replace
> the modified files with clean copies as soon as it runs, so it’s unclear
> what the purpose here is.

The programs mentioned run in background almost continuously, right? If the
malware modifies these, couldn't they execute it themselves so they could have
a non-suspicious looking process?

------
numbsafari
Admins should fix the link title. It should read "New Mac ransomware
spreading through stupidity".

Installing pirated software you find "on the internet" in 2020 is the
equivalent of spending a few hours in a confined space full of other people,
none of them wearing masks. Don't be surprised when you get sick.

------
sys_64738
Couldn't you run the Mac equivalent of a Windows Sandbox to restrict access if
you had concerns about an app?

~~~
Kejistan
You can `sandbox-exec`. But that probably wouldn’t be useful for a program
like little-snitch, which needs rather broad permissions normally.

~~~
jldugger

    The sandbox-exec command is DEPRECATED.  Developers who wish to sandbox an
    app should instead adopt the App Sandbox feature described in the App
    Sandbox Design Guide.  The sandbox-exec command enters a sandbox

~~~
Wowfunhappy
Does it work though?

~~~
comex
It works, but you have to supply your own sandbox profile (list of
allowed/denied operations) and it won’t create a virtual home directory for
you like App Sandbox does. I’m not sure whether there’s an easy way to
forcibly enable App Sandbox, but one possibility is to compile your own
sandboxed app that simply execs the untrusted one. (Sandboxes are inherited by
child processes, as they must be for security.)

------
pgt
It seems to me that the way to solve the encryption ransomware problem is to
impose an immutable file system at the OS level + undo for X time and to ask
for permission to write files outside a regular folder, just like microphone
or screen share access.

~~~
joshvm
The problem is that people will often grant that kind of access, particularly
to pirate software. For example, modification of the hosts file (to prevent
phoning home) is generally something that lives in /etc, which requires sudo to
edit. OS X will refuse to run most unsigned software anyway, unless you
explicitly allow it. Though that could (should) be in parallel with some kind
of sandboxing.

------
qwerty456127
> Worse, the installer package was pointlessly distributed inside a disk image
> file.

Pirate torrent tracker forum rules often demand every single Mac app uploaded
must be encapsulated in a DMG disk image file.

------
JaggerJo
Thumbs up. Pay for your damn software.

------
aronpye
You tend to get what you pay for.

------
margorp2019
just try

------
fortran77
Why are these people trying to steal "Little Snitch" software? That's not
right, either. There are no clean hands here.

~~~
lostgame
As Little Snitch is a tool often used for the _purpose_ of blocking cracked
apps from calling home, it should come as absolutely no surprise that Little
Snitch itself often ends up pirated.

14-15-year-old me, whose parents would not allow me to use their credit cards,
along with the thousands like me in that situation, either had the option to
pirate Little Snitch alongside whatever else they were pirating (most likely to
learn how to use it), or to not pirate and not learn at all. Piracy is a non-option for a
lot of people in this critical age group who still have a great drive and
initiative to learn.

Blocking people like this out, stopping them, or shaming them, is stomping on
our future.

~~~
sukilot
Huh? If an app depended on remote authorization, why wouldn't it simply
disable itself after a grace period?

Also, piracy of proprietary software hurts free software, which means it is a
worse existential harm to computing than not having access to Photoshop.

~~~
comex
> If an app depended on remote authorization, why wouldn't it simply disable
> itself after a grace period?

Because some people still use computers without internet connections –
especially users of “pro” applications (widely defined, e.g. anything made by
Adobe), which are some of the most commonly pirated applications. I can
confirm from experience that cracks telling you to prevent the program from
connecting to the Internet are a thing.

------
varelaz
Viruses & malware are the price of software piracy. If you don't have money to
pay for the soft, you need to be ready to be infected with all possible
consequences. It was obvious decades ago when piracy became a business. I
understood piracy 10-15 years ago when the price of the soft was too high for
Russia compared to the US. Right now most everything is subscription based and
you pay only if you get enough from it, and usually regional prices are pretty
sane.

~~~
mratsim
Even if you pay, software is jam-packed with telemetry that reports on
every single thing you do (Windows 10, Amazon Alexa, Siri ...) under the
pretext of "convenience" and "improving experience".

~~~
varelaz
I'm not talking about free soft at all, it's a completely separate universe. If
you choose paid soft: as for me, if you steal it you are at risk. Also you can
always set up a firewall and block certain types of requests. Sometimes you can
even disable telemetry if that's supported.

