OSX Ransomware Offered for Sale in the Underground

Wednesday, February 10, 2016

Idan Aharoni


In the past several years, Ransomware has grown to epidemic proportions. Cybercriminals have learned that extortion works very well and have rapidly adopted this type of malware. For those who are less familiar with the term, Ransomware is a piece of malware which encrypts important files on the victim's computer, such as pictures, Office documents, music files, databases (in case the victim is a software developer), and more. The victim has a limited amount of time to pay a ransom through Bitcoin or an alternative e-currency, or the files remain encrypted, and thus inaccessible, forever. These nasty pieces of software have become so commonplace that they have even reached mainstream TV, with shows such as The Good Wife dedicating an episode to the subject. Ransomware has been limited mainly to one platform, Windows, and has more recently also moved to mobile, specifically Android. Other operating systems, such as Apple's OSX, have remained relatively safe. So far, OSX Ransomware has been limited to a Proof-of-Concept called Mabouia and a Ransomware-like scam which did not actually affect any files. However, this era of relative security for OSX users may be coming to an end.

A relatively new vendor on an underground marketplace is now offering a new type of Ransomware, dubbed "GinX". The Ransomware seems fairly standard as far as Ransomware goes. Once triggered, it encrypts files of the types mentioned above and gives the victim 96 hours to pay the ransom via Bitcoin. If the victim hasn't paid the ransom in time, the encryption keys needed to decrypt the files are deleted, ensuring that access to the files is lost forever. What makes "GinX" relatively unique is that it does not only come in a Windows version, but also has an OSX version.

According to the vendor, the OSX version:

Comes in .app format and can have any icon associated with the application. Default icon is a Word Document. The file, once double clicked, does not throw any warnings. With Default Mac OS-X settings it opens and executes with no user prompts.

Once the file is executed it activates immediately and begins encrypting their files. This also can be set to a delay in minutes if required. Once the files are encrypted the target will be prompted that they have been infected with GinX RaaS along with instructions on how to make payment to get their files back. Just before the user is prompted it takes a picture via their internal webcam and displays it to the victim in the instructions file for added effect (Yes, the webcam green light does come on). Default payment is required within 96 hours. After 96 hours have passed the files are no longer accessible. This prompt will appear once and once only.

From that point on the files are no longer recoverable unless they pay and use the decrypt file supplied after payment.

If the vendor's claims are accurate (more on that below), this would be one of the first cases where a "true" Ransomware, one which encrypts files on the machine, is targeting OSX users. This is not a Proof-of-Concept, not cheap Javascript tricks that appear like Ransomware, nor locking users out of their accounts after they've been taken over. If, again, the vendor's claims are to be believed, the fact that no warnings are triggered when the file runs should be a cause for concern, as OSX usually warns users about, or prevents them from opening, programs that were not approved by Apple. Furthermore, the vendor claims that this Ransomware currently bypasses detection by 50 Anti-Virus products, which is not uncommon for new malware on the market.

Yes, both OS versions currently pass over 50 AVs at the time of this writing. Should they get flagged (eventually they will), efforts will be made to ensure they remain undetectable. This is a cat-and-mouse game and will continue to be. You should be able to get a month free of AV problems before running into issues. Again, this has so many variables it's difficult to predict when and how it will get detected. It's highly advisable to do short campaigns and quick cash outs to achieve the most from this product.

In the end we cannot guarantee it will remain undetected. We take no responsibility for that.

The Ransomware supposedly operates on all OSX versions and weighs less than 2MB.


Note that Inteller has not obtained the malware and therefore has not investigated it. The vendor appears to be new on this particular marketplace and has yet to make any deals. In other words, we have not validated any of the vendor's claims. However, another vendor on the marketplace, one who has already been verified to be a trustworthy individual, has vouched for the Ransomware vendor.

[RANSOMWARE VENDOR] was a member of our team and I can vouch for him. He's professional and we've worked beside one another for quite some time.

I've had an opportunity to test this product on Windows 7 and 8 virtual machines as well as on a MacBook Pro running OS-X Mountain Lion and Yosemite with success. Payments received appear to be processed manually by the team when you initiate a "cash out" of funds received from ransoms. Not sure if that's a positive or a negative, but either way in "theory" this product will work. Not as automated as some other products out there, but maybe this has fewer problems simply because of that.

The mentioned "payment processing" refers to another interesting aspect of the Ransomware: its business model. "GinX" isn't just being sold in the underground for a fixed price; instead it is offered in the RaaS (Ransomware-as-a-Service) model. This business model, pioneered by the earlier Ransomware "Tox", means that in addition to paying for "GinX", the buyer splits the profits from its operation with the developers. The vendor offers three possible plans: a 50-50 cut of the profits with a down payment of $500, a 60-40 split with a down payment of $1000, or a 70-30 split with a down payment of $1500. In this way, the initial payment is much lower than what a new cutting-edge Ransomware may cost, while the developers secure long-term revenue from their work.

As with all new products and innovations in the underground, it remains to be seen whether OSX versions will be adopted by criminals in future releases of Ransomware products. If the vendor's claims are true and the application can run without triggering any warnings even on the default settings of OSX, all it would take to victimize Mac users is social engineering. Considering that many cybercriminals have already mastered the art of social engineering, "GinX" may become the criminal product that popularizes Ransomware on Macs.

About the Author: Idan Aharoni is the founder & CEO of Inteller, a leading provider of web intelligence solutions. Idan was the Head of Cyber Intelligence at RSA, where he was responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Idan joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. In 2006, he founded the FraudAction Intelligence team, which he led until 2013. Through his work at the Anti-Fraud Command Center, as well as the unique insight gained from the intelligence and discoveries gathered by his team at RSA, Idan offers vast expertise in the underground fraud economy and how cybercriminals operate.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
