Apple Users A Target-Rich Environment This Weekend In First Known Mac Ransomware Attack

Over the past few years, ransomware has become an ever-growing threat to enterprise and personal users alike. If you’re unfamiliar with ransomware, it’s a piece of malware that infects a system, usually encrypts a user’s personal data – like photos, office documents, PDFs and the like – and then forces the user to pay a ransom for the decryption key.

To date all of the known, fully-functional ransomware attacks have targeted systems running Microsoft Windows, but a brand new variant has hit the web targeting systems running Apple’s Mac OS X.

An Apple MacBook Running OS X

Palo Alto Networks discovered the ransomware a few days ago and posted a bulletin on its website. Claud Xiao and Jin Chen of PAN reported, “On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware ‘KeRanger.’ The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.”

The KeRanger malware was signed with a valid Mac app development certificate that has since been revoked. The valid certificate is what allowed KeRanger to bypass the Gatekeeper protection built into OS X.

Once installed on a system, KeRanger apparently sits idle for a time and on the third day it connects to command and control servers over the Tor network and then begins encrypting user data. After the files have been encrypted, KeRanger then demands one Bitcoin – worth roughly $400 at the moment – for the decryption key and tools necessary to retrieve the user’s files.
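The encryption stage described above is the point at which a defender can detect impact on disk. The Python below is an added example, not code from this article or from the Palo Alto Networks bulletin: it applies a generic ransomware triage heuristic rather than any KeRanger-specific indicator. A user document whose extension promises a known format, but whose header no longer matches that format and whose bytes are near-random, has most likely been overwritten with ciphertext. The format list, the 7.5 bits-per-byte threshold and the sample files are constructed assumptions. The example also handles the usual caveat: intact JPEG, PNG, PDF and Office files are already compressed and therefore high-entropy, so entropy alone would flag healthy files; the header check is what separates them from encrypted ones.

```python
import math
import os
import tempfile
from collections import Counter

# Assumed threshold: encrypted or compressed data approaches 8 bits/byte.
ENTROPY_THRESHOLD = 7.5

# Magic bytes per document type (constructed list for this example).
# An empty tuple means the format has no fixed header, so entropy alone decides.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
    ".txt": (),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, sample_size: int = 64 * 1024) -> str:
    """Return 'skipped', 'ok' or 'suspicious' for one file on disk."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return "skipped"
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    header_matches = any(head.startswith(m) for m in MAGIC[ext])
    high_entropy = shannon_entropy(head) >= ENTROPY_THRESHOLD
    # Intact compressed formats are high-entropy but keep their header;
    # ciphertext written over a document has neither a valid header nor structure.
    if high_entropy and not header_matches:
        return "suspicious"
    return "ok"


def scan_tree(root: str) -> dict:
    """Walk `root` and map each recognised document (relative path) to its verdict."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            verdict = classify_file(path)
            if verdict != "skipped":
                findings[os.path.relpath(path, root)] = verdict
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample files: three intact documents and one overwritten with random bytes."""
    samples = {
        "notes.txt": b"Quarterly planning notes.\n" * 40,        # plain text, low entropy
        "report.pdf": b"%PDF-1.4\n" + os.urandom(4096),          # intact header, compressed body
        "budget.xlsx": b"PK\x03\x04" + os.urandom(4096),         # intact zip header
        "photo.jpg": os.urandom(4096),                           # header gone: looks encrypted
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the constructed tree in a temp directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, verdict in sorted(demo().items()):
        print(f"{verdict:10s} {rel_path}")
```

Run against a home directory this gives a quick first pass over which user documents have been replaced by ciphertext; it says nothing about how the encryption happened, and a format missing from MAGIC is skipped rather than guessed at.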

Apple's 12-inch MacBook with OS X

Palo Alto Networks is also reporting that KeRanger appears to be under active development, and may be updated at some point to also encrypt Time Machine backups, which would prevent users from recovering their data from earlier backups.

Apple has revoked the abused certificate that KeRanger used to bypass Gatekeeper and updated the XProtect antivirus signature. Transmission Project has also removed the affected installers from its website, but it may be a couple of days before the full extent of KeRanger’s effects is known, due to its three-day dormant period.

There is additional information about KeRanger and steps you can take to protect your data available in the Palo Alto Networks bulletin, posted here.