New Ransomware Targets Apple's Mac Computers for the First Time
It seems Apple products are no longer immune to the scourge of ransomware. The first-ever fully functional ransomware that targets Apple’s Mac OS X operating system, dubbed "KeRanger," has been identified by computer security company Palo Alto Networks. The malicious code is signed with a valid Mac app development certificate, allowing it to bypass Apple’s Gatekeeper protection.
As its name suggests, ransomware is malicious software that holds computing assets for ransom. The software blocks users from accessing their systems or files until a ransom is paid, typically in a digital currency such as bitcoin, which is hard to trace.
KeRanger was first observed in two installers of the Transmission BitTorrent client, just hours after the installers were first posted. The ransomware still appears to be under active development and may change its behavior in the future, according to the researchers.
Ransomware Still Under Development
The researchers, who discovered KeRanger Friday, said the Transmission installers were first infected earlier that morning. “Transmission is an open source project,” the researchers wrote in a post announcing their discovery. “It’s possible that Transmission’s official Web site was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.”
Once a user installs the infected apps, an embedded executable file is launched on the individual's system, according to Palo Alto Networks. The ransomware then waits three days before connecting with command and control servers over the Tor network. It then begins encrypting certain types of document and data files on the user’s system. After completing the encryption process, KeRanger demands the victim pay one bitcoin (about $400) to a specific address to retrieve the files.
The researchers said they suspect KeRanger is still under development due to the existence of several functions within the malicious app’s code that seem to have been finished, but are not being used in the current version of the malware.
“Our analysis suggests the attacker may be trying to develop backdoor functionality and encrypt Time Machine backup files as well,” the researchers said. “If these backup files are encrypted, victims would not be able to recover their damaged files using Time Machine.”
First Active Mac Ransomware
The threat has largely been mitigated . . . for now. The researchers reported the issue to the Transmission Project and to Apple after identifying it. Apple said it has since revoked the abused certificate, and Gatekeeper will now block the malicious installers. Apple has also updated its XProtect signatures to cover the family, and the signature has been automatically updated to all Mac computers. The Transmission Project removed the malicious installers from its Web site as of March 5.
Nevertheless, that still leaves plenty of users who may have inadvertently downloaded the infected files over the weekend. Palo Alto Networks is providing a list of security checks at its Web site for users to employ to ensure their systems are safe.
Although the threat seems to have been uncovered and countered relatively quickly, the appearance of ransomware targeting the Mac platform could be considered a frightening new development. KeRanger is not the first piece of OS X ransomware to be discovered -- that was FileCoder, discovered by Kaspersky Lab in 2014. However, FileCoder was incomplete at the time of its discovery, making KeRanger the first fully functioning piece of ransomware to attack Macs.
Image Credit: Screenshots via Palo Alto Networks.