Ransomware Turtle on macOS: 360° investigation by expert Patrick Wardle
Analysis of the characteristics and potential threats of Turtle ransomware on macOS
The cyber threat landscape has seen the advent of Turtle, a recently discovered ransomware targeting macOS users. Patrick Wardle, a well-known security analyst, conducted an in-depth study of the malware and noted that 24 anti-malware engines flagged it when the sample was reviewed on VirusTotal. Even so, the detection labels are largely generic, such as "Other:Malware-gen" and "Trojan.Generic", and in some cases the sample is incorrectly classified as a specific Windows infection.
Turtle: a ransomware with cross-platform traits
Wardle's investigation suggests that Turtle was originally written for Windows and later ported to macOS. Only one antivirus engine detects it as "Ransom.Turtle", a label that may reflect the name the malware uses internally. The unzipped package contained payloads for several platforms, including Windows, Linux and, surprisingly, macOS, which shows the attackers' intent to target a wide range of systems.
Not sophisticated but still dangerous
The Turtle binary is not code-signed, which means macOS Gatekeeper is likely to block it, and it contains no obfuscation. To encrypt a file, Turtle reads it into memory, encrypts the contents with AES in CTR mode, writes the ciphertext back over the original content, and renames the file with the "TURTLERANSv0" extension appended.
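From a detection standpoint, the behaviour described above leaves two observable traces: the appended "TURTLERANSv0" extension, and files whose contents suddenly look like random bytes because AES-CTR output is near-maximum entropy. The script below is an added example, not code from Wardle's analysis; the entropy cut-off, the list of text suffixes and the sample directory are assumptions constructed for the demonstration.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".TURTLERANSv0"  # extension Turtle appends to encrypted files (from the analysis)
ENTROPY_THRESHOLD = 7.5       # bits per byte; assumed cut-off for "looks encrypted", not from the report
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json"}  # formats that normally sit far below the cut-off
MIN_SIZE = 64                 # entropy of very short files is not meaningful

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; AES-CTR ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_directory(root) -> dict:
    """Map suspicious file path -> reason, using two heuristics: the known
    ransom extension, and near-random content in a file that should be text."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.endswith(RANSOM_EXT):
            findings[str(path)] = "ransom-extension"
            continue
        data = path.read_bytes()
        # Compressed formats (zip, jpeg, docx) are legitimately high-entropy, so the
        # entropy check is restricted to suffixes that should hold plain text.
        if (path.suffix.lower() in TEXT_SUFFIXES and len(data) >= MIN_SIZE
                and shannon_entropy(data) > ENTROPY_THRESHOLD):
            findings[str(path)] = "high-entropy-text"
    return findings

def build_sample_dir() -> str:
    """Constructed sample tree: one clean note, one renamed victim, one victim
    overwritten in place but not yet renamed."""
    root = tempfile.mkdtemp(prefix="turtle_demo_")
    rng = random.Random(7)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))  # stand-in for AES-CTR ciphertext
    Path(root, "readme.txt").write_bytes(b"quarterly numbers, see attached spreadsheet\n" * 8)
    Path(root, "report.docx" + RANSOM_EXT).write_bytes(noise)
    Path(root, "notes.txt").write_bytes(noise)
    return root

if __name__ == "__main__":
    for path, reason in scan_directory(build_sample_dir()).items():
        print(f"{reason:18} {path}")
```

The entropy heuristic catches a file mid-encryption before the rename happens, which is why it is worth running alongside the simple extension match.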
Importance of vigilance of Apple users
While Turtle's offensive capabilities still seem limited, its existence attests to the growing interest cybercriminals have in macOS. Wardle also noted Chinese-language strings in the binary, which may point to the origin of the ransomware activity, but he does not consider this conclusive in establishing the identity of the attackers. The threat posed by Turtle, while contained, underlines the importance for Apple users of maintaining constant vigilance against emerging threats.
12/04/2023 12:58
Marco Verro