Adversaries create ransom notes on macOS systems to signal the start of a ransomware attack, indicating imminent data encryption and extortion. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify ransomware activity early and mitigate its impact before encryption occurs.

KQL Query

```kusto
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp >= ago(7d)
| where ProcessCommandLine has "say \\\"Your files are encrypted\\\" waiting until completion false"
```
```yaml
id: fbe63fdf-142f-4b0a-b73e-8f16aaf46be7
name: ransom-note-creation-macos
description: |
  This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware.
  As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform.
  The query below can detect the creation of a ransom note according to the typical methods of EvilQuest operators. The command the query searches for is associated with, but not definitely indicative of, EvilQuest infections.
  Other queries related to EvilQuest ransomware can be found under the See also section below.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
      - DeviceProcessEvents
tactics:
  - Impact
query: |
  union DeviceFileEvents, DeviceProcessEvents
  | where Timestamp >= ago(7d)
  | where ProcessCommandLine has "say \\\"Your files are encrypted\\\" waiting until completion false"
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
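A tuned variant of the hunting query, added here as an example and not part of the original Sentinel query: it scopes the search to macOS devices via DeviceInfo, matches the spoken message independently of how the quotes were escaped in the log, and adds exclusion hooks for the false-positive scenarios that follow. It assumes the Microsoft 365 Defender connector populates DeviceProcessEvents and DeviceInfo; the excluded paths are placeholders taken from those scenarios.

```kusto
// Added example, not the original Sentinel query. Assumes the Microsoft 365 Defender
// connector populates DeviceProcessEvents and DeviceInfo.
// Limit the search to macOS endpoints: the ransom-note command relies on the macOS
// `say` utility, so hits from other platforms are noise.
let macDevices = DeviceInfo
    | where Timestamp >= ago(7d)
    | where OSPlatform == "macOS"
    | distinct DeviceId;
// Query DeviceProcessEvents directly. DeviceFileEvents exposes InitiatingProcessCommandLine,
// not ProcessCommandLine, so rows from that table never matched the original union anyway.
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where DeviceId in (macDevices)
// Match the spoken message and the AppleScript clause as separate terms, so the query is
// insensitive to how the quotes were escaped when the command line was logged.
| where ProcessCommandLine has "Your files are encrypted"
    and ProcessCommandLine has "waiting until completion"
// Tuning hooks for the false-positive scenarios below (placeholder paths; adjust per environment).
| where not(ProcessCommandLine has_any ("/Volumes/BackupServer/", "/tmp/test-encrypt/"))
// Surface the parent process: the same string launched from an unknown installer is a
// stronger signal than one launched from a known admin script.
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256
| order by Timestamp asc
```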
Scenario: System Maintenance Task Using rsync
Description: A system administrator uses rsync to back up user home directories to a remote server as part of a routine maintenance task.
Filter/Exclusion: Check for rsync commands with destination paths in known backup directories (e.g., /Volumes/BackupServer/), and exclude processes with sudo or root privileges that match standard backup scripts.
Scenario: Scheduled Job for Log Rotation
Description: A scheduled job (e.g., via launchd or cron) runs a script that compresses and archives log files, which may involve file creation and renaming patterns similar to ransomware.
Filter/Exclusion: Exclude processes associated with log rotation tools like logrotate, or filter by command-line arguments that include known log directories (e.g., /var/log/).
Scenario: User-Initiated File Encryption for Testing
Description: A developer or user encrypts a test file or directory using a legitimate encryption tool like gpg or openssl to simulate secure data handling.
Filter/Exclusion: Exclude processes that include gpg, openssl, or other encryption utilities, or filter by command-line arguments that include test directories (e.g., /tmp/test-encrypt/).
Scenario: macOS Disk Utility Operations
Description: An admin uses macOS Disk Utility to repair or reformat a disk, which may involve file system operations that mimic ransomware behavior.
Filter/Exclusion: Exclude processes with Disk Utility or diskutil in the command line, or filter by paths related to disk management (e.g., /dev/disk0, /Volumes/).
Scenario: Automated Backup Script Using tar
Description: A backup script using tar compress