New Ransomware, Spyware Turns Attention to Mac OS Security Firms Say | eWeek

Mac Malware Installs Ransomware, Spyware, Security Firms Say

ransomware
Written By
Robert Lemos
Robert Lemos
Jun 13, 2017
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Mac users need to beware of two new malware-as-a-service threats found on dark web sites—one focused on spyware-as-a-service and the other focused on ransomware—which target the macOS platform with new criminal cyber-attacks, according to researchers at AlienVault and Fortinet, both which announced their analyses of the services on June 9.

The new Mac spyware, straight-forwardedly named MacSpy, uses Tor for communications, records keystrokes and audio, and can capture a screenshot every 30 seconds, according to AlienVault. Another service, found by network-security firm Fortinet and dubbed “MacRansom,” offers some of the same features, along with encrypting a victim’s files in a ransomware-as-a-service model.

The attacks suggest a trend in targeting Macs, Aamir Lakhani, senior cyber-security researcher and practitioner with Fortinet and FortiGuard Labs, said in a statement sent to eWEEK.

“Mac ransomware is definitely becoming bigger,” he said. “Although market share is still small, hackers know that there is valuable data on the Mac. This has led to development of more Mac hacking tools.”

Apple has long touted the relatively safety of its macOS platform, making the lack of viruses a central focus of a light-hearted series of commercials between 2009 and 2012. While Macs have been hit with occasional attacks—most notably in 2012 when the Flashback trojan infected some 600,000 computers—very few malware variants specifically target the platform.

For example, even with a more than seven-fold increase in Q4 2016—a jump due to adware being bundled with some software—Mac users only encountered about 350,000 new variants, about 1.5 percent of the 23 million new malware samples encountered by Windows users, according to data from Intel’s McAfee Security.

In addition, Mac malware tends to not be as mature as its Windows brethren. MacSpy demonstrates uneven technical sophistication, for example. While the malware’s developers don’t offer an automated signup service, they have enabled some anti-analysis features, such as measures designed to prevent researchers from starting up the software in a debugging environment, AlienVault researchers said.

“In addition to the anti-debugging countermeasures, MacSpy contains checks against the execution environment that can make it difficult to run in a virtual machine,” the company stated in its analysis.

MacRansom includes similar measures, as well as the ability to encrypt files. But keeps a critical code component in memory, which means that if a Mac is restarted after encryption, then the key is deleted and the data becomes nearly impossible to decrypt.

“Even if it is far inferior from most current ransomware targeting Windows, it doesn’t fail to encrypt victim’s files or prevent access to important files, thereby causing real damage,” Fortinet stated in its analysis.

While malware developers and cyber-criminals overwhelmingly target Microsoft’s Windows platform, both Fortinet and AlienVault argue that the two programs show that more attention is being paid to Macs.

It’s not a question of which platform is more secure, Eddie Lee, senior security researcher with AlienVault told eWEEK, pointing out that “Windows has a lot of notifications if you are trying to install unsigned applications,” just like Mac OS X.

“In terms of platform security, I would not say Apple is more secure than Microsoft,” he said. “The attackers just go after the larger user space.”

The two programs have some odd similarities. Screenshots of the feature descriptions of both services use the same layout and styling and uses the same wording for the “Deniability” feature. Both analyses show that the developers use the ProtonMail service.

When asked about the similarities, AlienVault researchers confirmed that they thought the same group was likely behind both MacSpy and MacRansom. “We believe they are the same authors,” Lee said. “Website and text were about the same.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.