RansomWhere? – Free Detection Tool for OS X

Ransomware has gotten a lot of attention in the news recently with businesses and hospitals paying thousands of dollars in Bitcoins to recover their systems.  While OS X has generally been immune from virus and malware attacks, the KeRanger ransomware was recently found in the Transmission BitTorrent application installer. Now there’s protection for your Mac with RansomWhere?.

What is Ransomware?

For those not familiar with it, ransomware is a type of program that infects your system and secretly encrypts all of the files on your hard drive.  When you boot up your computer, you are presented with a message requiring you to pay an amount, usually in Bitcoins, (the ransom) to get your data unlocked.  Refuse to pay within a stated time limit and your hard drive will be erased.

While many Mac users have Time Machine on an attached external hard drive, a ransomware process can encrypt not only your internal hard drive but also your Time Machine files, leaving you no way to recover your system.

The good news (if you can call it that) is that upon payment, the hackers do provide the key needed to unlock your system.  They do that to keep the revenue stream flowing since people would stop paying the ransom if they didn’t get their data back.

By some estimates, hundreds or even thousands of new ransomware files are being released every day, which makes it difficult for conventional anti-virus programs to update their virus signature files quickly enough to catch the ransomware before it’s too late to save your data.

RansomWhere? To Protect Your Mac

Patrick Wardle, a former NSA staffer who now leads research at bug hunting outfit Synack, has developed the RansomWhere? tool, which aims at detecting and blocking generic ransomware on Mac OS X by regularly monitoring the user’s local filesystem for the creation of encrypted files by any process.

This free tool attempts to generically prevent ransomware from taking hold of your data, by detecting untrusted processes that are encrypting your personal files. Once such a process is detected, RansomWhere? will stop the process and present an alert to the user.

RansomWhere? alert

If this suspected ransomware is indeed malicious, the user can terminate the process. On the other hand, if it’s simply a false positive, the user can allow the process to continue executing.

Installation of RansomWhere? is straightforward.  You can download the application zip file here.  Once you expand the file, double click on the application icon to begin the installation process and you will get a window with the option to Install the application or Cancel it.

RansomWhere? Install

In order to continually monitor the file-system for encrypted files, RansomWhere? requires system privileges and will request a password (via a standard authorization prompt) during installation.

That’s all there is to it.  You won’t see anything different about your system.  There are no icons in the menu bar and nothing in the Application folder (although we put the program icon in our Application folder for future reference).  You pretty much have to take it on faith that RansomWhere? is sitting quietly in the background doing its thing.  That said, every time the application starts, it reads the file ransomwhere.json, which contains the latest version number of RansomWhere?, and checks to see if a later version is available.  Other than these version checks, no information is collected or transmitted, and RansomWhere? has no other networking code and makes no other network connections.

Should you ever decide you no longer want RansomWhere? on your system, you can simply rerun the original application file (which is why we put it in our Application folder) and this time you will be presented with an Uninstall option.

RansomWhere? Uninstall

RansomWhere? is not perfect, nor does it claim to be. The following are known issues:

  • RansomWhere? cannot help if ransomware abuses an Apple-signed file or app.
  • RansomWhere? detects ransomware infections after they have already encrypted some of your important files.
  • Files outside of your home directory are not protected by RansomWhere?, so sophisticated ransomware could move all your files outside the home directory and lock them up.
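How the detection described earlier and the three known issues above fit together, as an added example that is not RansomWhere?'s own code. It assumes encrypted output is recognised by high Shannon entropy and that an alert fires after three suspicious files; the thresholds, paths, process IDs and trust flag are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cutoff for "looks encrypted"
ALERT_AFTER = 3          # assumed number of suspicious files before alerting
HOME = "/Users/alice/"   # constructed home directory; only this tree is watched

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for ciphertext."""
    total = len(data)
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def monitor(events):
    """Replay (pid, trusted, path, content) file-creation events.

    Returns (alerts, lost): the pids that would be suspended, and the files
    each had already encrypted by the time its alert fired.
    """
    suspicious, alerts, lost = defaultdict(list), [], {}
    for pid, trusted, path, content in events:
        if pid in alerts:
            continue  # process is already suspended
        if trusted or not path.startswith(HOME):
            continue  # trusted signer, or outside the watched tree
        if shannon_entropy(content) >= ENTROPY_THRESHOLD:
            suspicious[pid].append(path)
            if len(suspicious[pid]) >= ALERT_AFTER:
                alerts.append(pid)
                lost[pid] = list(suspicious[pid])
    return alerts, lost

def sample_events():
    """Constructed events; SHA-256 output stands in for encrypted content."""
    cipher = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    plain = b"Quarterly report draft. " * 200
    events = [(100, True, HOME + "Documents/a.enc", cipher)]  # trusted: ignored
    events += [(200, False, f"{HOME}Documents/{i}.enc", cipher) for i in range(4)]
    events += [(300, False, f"/private/tmp/{i}.enc", cipher) for i in range(4)]
    events += [(400, False, HOME + "notes.txt", plain)]  # low entropy: ignored
    return events

if __name__ == "__main__":
    alerts, lost = monitor(sample_events())
    for pid in alerts:
        print(f"pid {pid} suspended after encrypting {len(lost[pid])} files")
```

Only the untrusted process writing into the home directory is stopped, and only after three files are already gone. Compressed archives and media files also score high on entropy, which is one source of the false positives the alert lets the user dismiss.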

That said, we are not aware of any other application that is designed to protect against ransomware on a generic basis, without the need to continuously update signature files.  Also keep in mind that this is a 1.0 release so further improvements may be coming.

The Bottom Line

When it comes to anti-virus software on a Mac, people have two very different opinions.  There is the group that believes OS X is super safe and doesn’t need anti-virus software.  They will often share stories about anti-virus software that caused more problems than it solved.  Then there are those who say you can’t be too careful, always have anti-virus software running on their Macs and update the virus signature files religiously.

Regardless of which position you support, we believe Ransomware presents a completely different level of concern that needs attention, beyond the more common anti-virus software.

We installed the RansomWhere? application a few days ago and haven’t seen any negative impact to our system and intend to continue to let it run to provide the extra level of protection it is intended to provide.

What is your opinion on anti-virus software?  Do you use it and if so, which one do you use?  What are your thoughts on ransomware?  Do you plan to install the RansomWhere? application?  Why not join the conversation and leave a comment below with your thoughts.
