Over the past few years, ransomware has become an ever-growing threat to enterprise and personal users alike. If you’re unfamiliar with ransomware, it’s a piece of malware that infects a system, usually encrypts a user’s personal data – like photos, office documents, PDFs and the like – and then forces the user to pay a ransom for the decryption key.
To date, all of the known, fully functional ransomware attacks have targeted systems running Microsoft Windows, but a brand new variant has hit the web targeting systems running Apple’s Mac OS X.
An Apple MacBook Running OS X
Palo Alto Networks discovered the ransomware a few days ago and posted a bulletin on its website. Claud Xiao and Jin Chen of PAN reported, “On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware ‘KeRanger.’ The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.”
The KeRanger malware was signed with a valid Mac app development certificate that has since been revoked. The valid certificate is what allowed KeRanger to bypass the Gatekeeper protection built into OS X.
Once installed on a system, KeRanger apparently sits idle for a time; on the third day it connects to command and control servers over the Tor network and then begins encrypting user data. After the files have been encrypted, KeRanger demands one Bitcoin – worth roughly $400 at the moment – for the decryption key and the tools necessary to retrieve the user’s files.
Apple's 12-inch MacBook with OS X
Palo Alto Networks is also reporting that KeRanger appears to be under active development, and may be updated at some point to also encrypt Time Machine backups, which would prevent users from recovering their data from earlier backups.
Apple has revoked the abused certificate that KeRanger used to bypass Gatekeeper and updated the XProtect antivirus signature. The Transmission Project has also removed the affected installers from its website, but it may be a couple of days before the full extent of KeRanger’s effects is known, due to its three-day dormant period.
There is additional information about KeRanger and steps you can take to protect your data available in the Palo Alto Networks bulletin, posted here.
Marco Chiappetta
Marco's interest in computing and technology dates all the way back to his early childhood. Even before being exposed to the Commodore P.E.T. and later the Commodore 64 in the early ‘80s, he was interested in electricity and electronics, and he still has the modded AFX cars and shop-worn soldering irons to prove it. Once he got his hands on his own Commodore 64, however, computing became Marco's passion. Throughout his academic and professional lives, Marco has worked with virtually every major platform from the TRS-80 and Amiga, to today's high end, multi-core servers. Over the years, he has worked in many fields related to technology and computing, including system design, assembly and sales, professional quality assurance testing, and technical writing. In addition to being the Managing Editor here at HotHardware for close to 15 years, Marco is also a freelance writer whose work has been published in a number of PC and technology related print publications and he is a regular fixture on HotHardware’s own Two and a Half Geeks webcast. - Contact: marco(at)hothardware(dot)com