Security researcher Patrick Wardle has analyzed a new macOS ransomware named “Turtle.” Uploaded on VirusTotal, it was detected by 24 anti-malware solutions, mainly flagged as “Other:Malware-gen” or “Trojan.Generic.”
The code appears non-sophisticated, initially developed for Windows and later ported to macOS. While not an immediate threat, its existence underscores ransomware authors’ growing interest in targeting macOS users. Wardle’s analysis reveals that Turtle reads files into memory, encrypts them using AES in CTR mode, renames the files, and overwrites the original contents with encrypted data. The ransomware is signed adhoc, and Gatekeeper should block it, though the binary lacks obfuscation. The presence of strings in Chinese, such as “加密文件” (“Encrypt files”), suggests some connection to ransomware operations.
Despite its current limited threat level, the macOS version of Turtle reflects an ongoing trend of ransomware actors expanding their focus to macOS environments. The ransomware, internally named “Turtle,” demonstrates a notable shift as cybercriminals increasingly target macOS users. While its current impact is limited, the discovery raises concerns about the growing interest in developing and deploying ransomware specifically tailored for macOS environments. The malware’s non-sophisticated nature and its detection by anti-malware solutions emphasize the need for continued vigilance and security measures on macOS devices to counter evolving cyber threats.