Microsoft has published details on four ransomware families, KeRanger, FileCoder, MacRansom, and EvilQuest, that target Apple macOS systems.
These families initially spread through what the Windows maker calls "user-assisted methods," in which the victim downloads and installs trojanized software.
The malware may also arrive as part of a supply chain attack or as a second-stage payload dropped by malware already present on the compromised host.
"While these malware families are old, they exemplify the range of capabilities and malicious behavior possible on the platform," said the tech giant’s Security Threat Intelligence team, in a Thursday report.
Whichever delivery method is used, the attacks follow a similar pattern: the threat actors abuse legitimate operating system functionality and exploit vulnerabilities to gain access to the machines and encrypt the victim's files.
For file enumeration this means using the Unix find utility, along with the library functions opendir, readdir, and closedir, to walk the file system. Microsoft mentioned one further approach, the NSFileManager Objective-C interface, but none of the four strains used it.
To hinder analysis and debugging, KeRanger, MacRansom, and EvilQuest have also been observed using a combination of hardware- and software-based checks to determine whether they are running inside a virtual machine.
KeRanger additionally relies on delayed execution to evade detection: after launch it sleeps for three days before starting its encryption routine, which also outlasts the run time of most automated sandboxes.
The families differ in how they encrypt. KeRanger uses AES in cipher block chaining (CBC) mode, FileCoder simply invokes the ZIP utility to encrypt files, and both MacRansom and EvilQuest use a symmetric encryption scheme of their own.
EvilQuest, first spotted in July 2020, goes beyond standard ransomware behavior and includes trojan-like capabilities such as keylogging, infecting Mach-O files by injecting arbitrary code, and disabling security software.
It can also execute a payload directly from memory, so that no trace of the payload is written to disk.
"Ransomware continues to be one of the most prevalent and impactful threats affecting organizations, with attackers constantly evolving their techniques and expanding their tradecraft to cast a wider net of potential targets," Microsoft added.