Expert Warns of Turtle macOS Ransomware

Pierluigi Paganini
December 01, 2023

Cybersecurity researcher Patrick Wardle has dissected the new macOS ransomware, Turtle, targeting Apple devices.

Cybersecurity researcher Patrick Wardle has published a detailed analysis of the new macOS ransomware, Turtle.

Wardle noted that since Turtle was uploaded to Virus Total, it was labeled as malicious by 24 anti-malware solutions, suggesting it is not a sophisticated threat. However, the malicious code was generally detected as “Other:Malware-gen,” “Trojan.Generic,” or “Possible Threat.” In some cases, the antivirus solution flagged the binary as Windows malware (“Win32.Troj.Undef”).

Experts speculate that the malware was first developed for Windows and then ported to macOS.

Only one AV engine detects the malicious code as “Ransom.Turtle” due to the internal name of the malware.

“If we download the archive and unzip it, we find it contains files (prefixed with “TurtleRansom”) that appear to be compiled for common platforms, including Windows, Linux, and macOS,” reads the analysis published by Wardle.

The malicious code is only signed adhoc, and Gatekeeper should block it, explains Wardle. The binary also lacks obfuscation.

The Turtle ransomware reads files into memory, encrypts them with AES (in CTR mode), renames the files, then overwrites the original contents of the files with the encrypted data. The malware adds the extension “TURTLERANSv0” to the filenames of encrypted files.

The malware is not sophisticated, however, the discovery of a macOS version for the Turtle ransomware suggests it is becoming popular in the cybercrime underground.

Wardle discovered various strings in Chinese, some of which are related to ransomware operations, such as “加密文件,” which translates to “Encrypt files.” However, the presence of these strings is not enough to attribute the malware to a specific threat actor.

“Today we dove into a new ransomware sample, internally dubbed ‘Turtle.’ And while in its current state it does not pose much of a threat to macOS users, it yet again, shows that ransomware authors continue to set their sights on macOS,” concludes the analysis.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, TurtleRansom)


Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.

View Articles