Former NSA security expert builds ransomware blocker for Mac

“Ransomware – malware that encrypts your data and then demands a fee to unlock the data – is on the increase,” Adrian Kingsley-Hughes reports for ZDNet. “A former NSA security expert has built a free, generic ransomware blocker for Mac.”

“The utility – called RansomWhere? – has been developed by Patrick Wardle, a former NSA security expert who now leads research at crowdsourced security intelligence firm Synack,” Kingsley-Hughes reports. “False positives are kept to a minimum because RansomWhere? explicitly trusts binaries signed by Apple (but not by Apple developers). It also trusts applications that are already present on the system when it is installed. This is a double-edged feature – on the one hand it helps reduce false positives, but on the other hand if ransomware is already present on the system before RansomWhere? is installed, it may not be detected.”

Kingsley-Hughes reports, “ZDNet has tested this utility and can confirm that it does detect and prevent the KeRanger ransomware from encrypting files.”

Read more in the full article here.

MacDailyNews Take: Reportedly this is thwart-able, so its efficacy is suspect.

Hacker promises to kill Apple Mac ransomware before it becomes a nightmare – April 20, 2016
Good news and bad news as ransomware comes to the Mac – March 17, 2016
Mac ransomware ‘KeRanger’ was ported from Linux, affected less than 7,000 users – March 9, 2016
Mac ransomware attack casts light on a booming shadow industry – March 8, 2016
Why you should stick with the Mac App Store for safer OS X software downloads – March 8, 2016
7 steps to protect yourself from over-hyped Mac ‘ransomware’ threat – March 7, 2016
Mac users targeted in first known OS X ransomware scam – March 6, 2016


  1. There is fake ransomware for the Mac out. I’ve had two versions hit me. This makes it look as though you’re hit by it in the browser. There is a window that opens up with a long message stating something about a virus, etc., and giving phone numbers to call. You will not be able to use the browser, as you can’t close that page, or go anywhere else.

    The solution I found, because you can close the browser, is to go to the user library, go to the Safari folder, and find a file called “last session.plist”. Delete that file, and open the browser. Everything will be back to normal.

    It took me about 15 minutes to figure that out. It can happen from almost any site with “drive by” malware. It’s really not as easy to write ransomware for the Mac as it is for Windows. But don’t think it’s never going to hit you.

    1. I was just over at a friend’s house cleaning out his Chrome browser that had been thoroughly PWNed by a scam malvertising web page. He’d clicked what appeared to be a harmless link at Yahoo, of all places, and found himself click-jacked. He could not close Chrome without Force Quitting. There is no safe-boot option for Chrome (which is a stupid move by Google), so he was forced to endure the malvertisement all over again with EVERY Chrome boot.

      Sadly, my friend called the phone number included in the malvertisement, but thankfully (he says) gave away no personal information. Lucky.

      Google provides a ‘Cleanup Tool’ for Windows victims of these assaults, but NOT Mac victims. I had to manually dig into the Chrome folder in his user Library folder and delete his cache, Current Session and Current Tabs files to free his Chrome browser from hell. I may create an AppleScript to perform the same removal and distribute it.

      Clearly, Google’s ‘Safe Browsing’ blacklist requires an update. I’ll be sending them and the FTC the data I collected from the malvertisement.

      ∑ = Abuse of Mac users from malvertising and adware continues to be on the rise.

      The attitude from abuse rats is that since they can’t break into OS X, they’ll use forced social engineering as their attack vector instead. ZeoBIT and Kromtech, foisters of MacKeeper, have been pioneers in these attacks on the Mac platform.

  2. The NSA providing help to the people would be more suspect than the thwartability of the software. But he is “former”, so I call it good.

    If it works on the KeRanger ransomware that is already in the wild, who cares if they later thwart it? Use this until then, and maybe someone else will then have come up with a better solution.

  3. “RansomWhere has detected a ransomware malware attack on your Mac and paused its ability to perform. Please transfer 0.5 Bitcoin to this address to cancel this attack.”
