Grab The Crown Mac OS

Grab The Crown Mac OS

May 30 2021

Grab The Crown Mac OS

by Joachim Suico (Threat Research Engineer)

2016 was the year when ransomware reigned. Bad guys further weaponized extortion into malware, turning enterprises and end users into their cash cows by taking their crown jewels hostage. With 146 families discovered last year compared to 29 in 2015, the rapid expansion and development of ransomware is projected to spur cybercriminals into diversifying and expanding their platforms, capabilities, and techniques in order to accrue more targets.

Indeed, we’ve already seen them testing new waters by tapping the mobile user base. We’ve also seen ransomware being developed for other operating systems, which are then peddled underground to affiliates and budding cybercriminals. Linux.Encoder (detected by Trend Micro as ELF_CRYPTOR family) was reportedly the first ransomware created for Linux systems; it targeted Linux web hosting systems through vulnerabilities in web-based plug-ins or software such as Magento’s. In Mac OS X systems, it was KeRanger (OSX_KERANGER)—found in tampered file-sharing applications and malicious Mach-O files disguised as Rich Text Format (RTF) documents.

Their common denominator? Unix: a multiuser, command-line OS that employs a unified filesystem and simple but robust tools, like shell and command language, to perform intricate tasks. Its flexibility and popularity among programmers enabled it to have different flavors, including Linux and Mac OS X.


Figure 1. Similarities in encryption library of Linux.Encoder (top) and KeRanger (bottom); both use ARM mbed TLS, which provides SSL/TLS and cryptographic capabilities to applications


Figure 2. Similarities in the function names of Linux.Encoder (left) and KeRanger (right), possibly indicating malware rewrite; function logic reoccurs on both samples

Laying the Groundwork?

While both infect systems via methods typical in Windows ransomware, their arrival vectors are mostly non-user-centric due to the nature of Unix. While Linux.Encoder exploits security flaws, KeRanger was notable in its theft of legitimate Apple certificates to bypass Gatekeeper, a security feature that enforces code signing and verification of downloaded software. But based on their similarities in packer, structure, encryption library, function names, and ransom notes, KeRanger can be surmised as a recompiled version of Linux.Encoder.

Our analysis of these ransomware also revealed how they are just precursors, and ultimately, an indication of what’s to come for Unix ransomware. KeRanger, for instance, has an unused function that’s supposed to encrypt/delete OS X’s Time Machine, a feature designed as a backup utility in Mac computers. Linux.Encoder, spawned by an open-source ransomware project, underwent several updates in an effort by its developer to fix flaws in the malware’s encryption routine. It left a slew of infected Linux servers in its wake, with its third version infecting over 600 servers worldwide.

While Unix ransomware may still be experimental, we’re starting to see where they’re branching out and what capabilities they use to hit more targets and maximize profit. This is reflected by the emergence of other families that target Unix-like OSes such as Linux and Android. These include KillDisk (RANSOM_KILLDISK.A), Rex (RANSOM_ELFREXDDOS.A), Encryptor RaaS (RANSOM_CRYPRAAS.B), KimcilWare (RANSOM_KIMCIL), Svpeng (ANDROIDOS_SVPENG), and Koler (ANDROIDOS_KOLER). In fact, Linux ransomware already saw development as early as 2014 with the appearance of Synolocker (RANSOM_SYNOLOCK). CryptoTrooper (RANSOM_CRYPTOTROOPER) and PHP Ransomware (PHP_CRYPWEB)—like Linux.Encoder—demonstrated how open-source projects purportedly designed for educational purposes can be weaponized.

Rectangle Capture can be used at any walks of life especially important for business and education. Use captured images to show off your dazzling Mac desktop to your peers, promote your products on the web, enhance technical documents, illustrate a concept to students and insert screen snaps to enrich your blogs. In macOS Mojave and above, the Screenshot app replaces the Grab app from earlier versions of macOS and Mac OS X. When you press Command+Space keys and type in “Grab”, it now brings up the new ScreenShot app that was introduced with macOS Mojave. You can use CMD+Shift+5 to open the new Screenshot app. If you have a Mac with a Touch Bar, capture that by pressing Command+Shift+6. MacOS screenshot You can capture an image and save it to the clipboard by adding Control to any keyboard shortcut you use. This retail focus allows Crown MAC to closely follow industry trends that may impact your financial needs. With this understanding, Crown MAC can efficiently help you reach your business goals. At no cost to you, a Crown MAC representative will perform a preliminary financial qualification prior to your loan application process.

Is Unix a Lucrative Market for Ransomware?

So why Unix? Is it a viable target for smash-and-grab, off-the-shelf threats like ransomware? While market share and user count can be a factor, the difference also lies in architecture. Software in Unix-like systems like Linux, for instance, are either compiled from source or vetted repositories. Their permissions model also makes it difficult for executables to run with privileges required to access and encrypt files. While Windows’ User Account Control (UAC) can limit software to standard user privileges—unless an administrator authorizes it—many users readily allow programs to make changes in the system. Additionally, many organizations are inclined to grant its end users administrative access to their workstations. Nevertheless, Unix is not foolproof. It only takes one remote code execution or procedure call vulnerability—or a socially engineered email—for ransomware to slither its way into the system.

Unix ransomware may still be exploratory, but it is a credible threat that raises significant security challenges, given Unix’s ubiquity—from servers, workstations, web development frameworks, and databases to mobile devices. Enterprises across various industries, including IT services, education, healthcare, finance, retail, media, and manufacturing, are powered by Unix-based machines. Linux systems, for instance, are a mainstay for many hosting and storage service providers, and are often used to manage various websites simultaneously from multiple clients. Organizations like data centers also rely on Unix-based systems as platforms that run applications handling mission-critical operations—including their upkeep.

Mitigation and Best Practices

With ransomware, system management for IT administrators and information security professionals is always in a race against time—their organization’s business contuinuity, reputation, and bottom line are at stake.

Linux system administrators must avoid or beware of adding unverified, third-party repositories; as users with appropriate privileges can still install them even if Linux keeps a central repository for package downloads. To mitigate threats that don’t use privilege escalation exploits, permissions should be restricted to users. Though root login is disabled by default, users may perform actions if granted admin privileges, so system/IT administrators should also limit adding users to the sudoers (administrators) group.

Privilege separation in Linux greatly enhances security by limiting the modifications a program can make to the system. Regular audits and hardening can also help reduce the system’s attack surface, such as minimizing running services or disabling unwanted services. Usage of Linux security extensions is also recommended for misconfigured programs. These extensions enforce mandatory access control policies that manage the extent of access of programs to files and network resources, which help confine damage triggered by malicious or misconfigured programs. Installing intrusion detection systems, performing continuous monitoring, and inspecting suspicious entries in logs also help in early detection of attempts and actual attacks against the system.

Apart from keeping systems up-to-date with the latest patches, and regularly backing up important corporate assets, enterprises must ensure their perimeter is secured. System administators should also be on the lookout for suspicious files, applications, processes, and network activity usually leveraged by ransomware. Users and businesses can also benefit from a multilayered approach to security that covers the gateway, endpoints, networks, and servers.

Trend Micro Ransomware Solutions

PROTECTION FOR ENTERPRISES

  • Email and Gateway Protection

    Trend Micro Cloud App Security, Trend MicroTM Deep DiscoveryTM Email Inspector and InterScanTMWeb Security addresses ransomware in common delivery methods such as email and web.

    Malware Sandbox
    Document exploit detection
Grab
  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Application Control
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Malware Sandbox
  • Server Protection

    Trend Micro Deep SecurityTM detects and stops suspicious network activity and shields servers and applications from exploits.

    Vulnerability Shielding

PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS

Grab The Crown Mac Os X

  • Protection for Small-Medium Businesses

    Trend Micro Worry-FreeTM Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.

    IP/Web Reputation
  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    Ransomware Protection

Grab The Crown Mac Os 11

This has been presented in the RSA Conference as “Not UNIX to Windows Anymore: A First in a Booming Ransomware Industry” on February 13, 2017, in San Francisco, California.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:

Grab The Crown Mac OS

Leave a Reply

Cancel reply