I was researching ransomware recently, and one of the solutions that both academic researchers and people working in anti-malware product labs told me would help prevent such attacks was a way to prevent unknown software from launching on your computer.
Ransomware works in “userspace,” the set of documents and applications that an ordinary user account already has permission to run and modify, rather than needing elevated privileges to dig down into the system level the way more insidious hijacking malware does. It doesn’t even typically require remote interaction. Once the payload is installed through some subterfuge, which can be as simple as convincing someone to run a Trojan horse, the ransomware starts encrypting the user’s files with a key the user doesn’t have. Double-click an encrypted file, and you’re told how to pay a ransom to get the decryption key.
There are millions of ransomware variants derived from many dozens of distinct code families, because the malware is so easy to obtain, modify, and distribute. Some variants differ only in the Bitcoin address the victim is told to pay, while others contain genuinely different code.
But what everyone I spoke to suggested is that a desktop operating system shouldn’t simply run any application that launches without alerting the user, nor any additional behind-the-scenes programs—Unix utilities and the like—that it might spawn. (Another way to discover ransomware at work is to monitor for specific unusual file behavior, like a single program opening massive numbers of files with disparate file types.)
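The file-behavior heuristic mentioned in the parenthetical above is easy to sketch. The following is an added example, not code from the column or from any product: it runs a sliding window over a constructed stream of file-write events and flags any process that writes to many files across many file types within a short span. The event fields, the thresholds, and the sample events are all my assumptions, chosen to illustrate the idea rather than as tuned detection rules.

```python
"""Heuristic for the "one process rewriting lots of unrelated files" pattern.

Added example. The FileEvent fields and the thresholds below are assumptions
loosely modelled on what an endpoint agent logging file opens/writes per
process might emit; they are not a real product's schema or defaults.
"""
from collections import defaultdict
from dataclasses import dataclass
import os


@dataclass
class FileEvent:
    ts: float    # timestamp in seconds
    pid: int
    proc: str    # process name
    path: str
    op: str      # "open" or "write"


# Flag a process that, within WINDOW seconds, writes to at least MIN_FILES
# distinct files spanning at least MIN_TYPES distinct extensions.
WINDOW = 60.0
MIN_FILES = 20
MIN_TYPES = 4


def extension(path: str) -> str:
    ext = os.path.splitext(path)[1].lower()
    return ext or "<none>"


def find_suspicious(events, window=WINDOW, min_files=MIN_FILES, min_types=MIN_TYPES):
    """Return {pid: (proc, n_files, {extensions})} for processes that trip the
    heuristic. For each process the write events are sorted by time and a
    sliding window of `window` seconds is examined; the widest window that
    trips the rule is reported."""
    by_pid = defaultdict(list)
    for e in events:
        if e.op == "write":
            by_pid[e.pid].append(e)

    hits = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            files = {e.path for e in span}
            types = {extension(e.path) for e in span}
            if len(files) >= min_files and len(types) >= min_types:
                if best is None or len(files) > best[1]:
                    best = (evs[0].proc, len(files), types)
        if best is not None:
            hits[pid] = best
    return hits


def sample_events():
    """Constructed sample: a word processor saving one file repeatedly, and a
    process rewriting thirty documents of six different types in 20 seconds."""
    events = []
    for i in range(5):  # benign: same .txt file saved five times
        events.append(FileEvent(100.0 + i, 501, "TextEdit", "/Users/me/notes.txt", "write"))
    exts = [".doc", ".jpg", ".xls", ".pdf", ".mov", ".numbers"]
    for i in range(30):  # suspicious: many files, many types, fast
        path = f"/Users/me/Documents/file{i}{exts[i % len(exts)]}"
        events.append(FileEvent(200.0 + i * 0.6, 777, "helper", path, "open"))
        events.append(FileEvent(200.1 + i * 0.6, 777, "helper", path, "write"))
    return events


if __name__ == "__main__":
    for pid, (proc, n, types) in find_suspicious(sample_events()).items():
        print(f"pid {pid} ({proc}) wrote {n} files across {len(types)} types: {sorted(types)}")
```

The benign editor never trips the rule because it keeps touching a single file; the second process crosses both thresholds well inside the window. In practice the counts would be tuned per environment, and a backup or indexing tool that legitimately touches many files would need an exception, which is exactly where an allowlist of known programs pairs well with this kind of behavioral check.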
Most people routinely run the same handful of applications. Something new appears only when you install new software or upgrade the operating system. Apple cryptographically signs its own apps and lets developers sign theirs, whether distributed through the Mac App Store or directly to users. A signature does two things: it lets the system verify that the app hasn’t been altered since it was signed, and it identifies the app and its developer by the signing certificate rather than by the visible name, which any program can copy.
While OS X almost always requires an administrative password to run a software installer, an app that is simply dragged out of a disk image or downloaded directly can be launched with no more than a warning that it hasn’t been opened before, or that it wasn’t signed with an Apple-issued developer certificate. (See this recent column for more details on signed apps.)
Short of turning on parental controls for an account, there’s no way to keep an arbitrary app from launching, especially when that app in turn invisibly launches command-line utilities or scripts. That is why Santa coming to town could be a big help in layering in additional protection.
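To make concrete what an allowlist keyed on signatures rather than names buys you, here is an added example in the spirit of the tools described above. It is not Santa’s code and does not reproduce Santa’s implementation: the two rule types (a hash of the binary’s contents, and a fingerprint of its signing certificate), the precedence (a binary rule wins over a certificate rule, which wins over the mode default), and the two modes (monitor, which logs and allows unknown programs, and lockdown, which blocks them) are my assumptions about how such a policy is commonly structured. The sample “binaries” and certificate fingerprints are constructed byte strings, not real files or certificates.

```python
"""Binary allowlisting policy, in the spirit of Santa-style tools.

Added example, not Santa's code. Rule types, precedence and modes are
assumptions; the sample binaries and certificate fingerprints are constructed.
A real enforcement point would evaluate this at every exec, so a GUI app's
child utilities and scripts are judged the same way as the app itself.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

MONITOR = "monitor"    # unknown binaries are logged but allowed to run
LOCKDOWN = "lockdown"  # anything without an explicit allow rule is blocked


@dataclass(frozen=True)
class Binary:
    path: str
    contents: bytes
    cert_sha256: Optional[str]  # fingerprint of the signing certificate; None if unsigned


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Policy:
    def __init__(self, mode: str = MONITOR):
        self.mode = mode
        self.binary_rules = {}  # sha256(contents) -> "allow" | "block"
        self.cert_rules = {}    # cert fingerprint  -> "allow" | "block"

    def add_binary_rule(self, contents_sha256: str, decision: str):
        self.binary_rules[contents_sha256] = decision

    def add_cert_rule(self, cert_sha256: str, decision: str):
        self.cert_rules[cert_sha256] = decision

    def decide(self, b: Binary):
        """Return (decision, reason). The file name and path play no part:
        identity is the content hash, then the signing certificate."""
        h = sha256(b.contents)
        if h in self.binary_rules:
            return self.binary_rules[h], f"binary rule {h[:12]}"
        if b.cert_sha256 is not None and b.cert_sha256 in self.cert_rules:
            return self.cert_rules[b.cert_sha256], f"certificate rule {b.cert_sha256[:12]}"
        if self.mode == LOCKDOWN:
            return "block", "no matching rule; lockdown mode"
        return "allow", "no matching rule; monitor mode (logged)"


# Constructed certificate fingerprints and a constructed known-bad build.
APPLE_CERT = sha256(b"constructed: Apple-issued leaf certificate")
DEV_CERT = sha256(b"constructed: Example Dev Co leaf certificate")
BAD_BUILD = b"constructed: helper v1.2 that encrypts the user's files"


def build_demo_policy(mode: str) -> Policy:
    p = Policy(mode)
    p.add_cert_rule(APPLE_CERT, "allow")   # everything Apple signs
    p.add_cert_rule(DEV_CERT, "allow")     # a trusted third-party developer
    p.add_binary_rule(sha256(BAD_BUILD), "block")  # ...except one known-bad build
    return p


SAMPLES = [
    Binary("/Applications/TextEdit.app/Contents/MacOS/TextEdit", b"constructed: TextEdit", APPLE_CERT),
    Binary("/bin/sh", b"constructed: sh", APPLE_CERT),
    Binary("/Applications/DevTool.app/Contents/MacOS/DevTool", b"constructed: DevTool", DEV_CERT),
    Binary("/Applications/DevTool.app/Contents/MacOS/helper", BAD_BUILD, DEV_CERT),
    # Same bytes under a friendlier name: the hash rule still applies.
    Binary("/Users/me/Downloads/Totally Safe Installer", BAD_BUILD, DEV_CERT),
    Binary("/Users/me/Downloads/Unknown.app/Contents/MacOS/Unknown", b"constructed: unknown", None),
]


def decide_all(mode: str):
    """Map each sample path to the policy's decision in the given mode."""
    p = build_demo_policy(mode)
    return {b.path: p.decide(b)[0] for b in SAMPLES}


if __name__ == "__main__":
    for mode in (MONITOR, LOCKDOWN):
        print(f"--- {mode} ---")
        p = build_demo_policy(mode)
        for b in SAMPLES:
            decision, reason = p.decide(b)
            print(f"{decision:5}  {b.path}  ({reason})")
```

Two things the run shows that the prose above only states: the renamed copy of the bad build is blocked because its contents hash is identical, however reassuring its file name, and the unsigned download is the only sample whose fate depends on the mode, which is the practical difference between logging what would have been blocked and actually blocking it.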