Mac ransomware targeting OSX users spotted

Malware targeting OS X was recently discovered by security researchers at Palo Alto Networks, who claim it is the first fully functional ransomware attacking Mac users.

The ransomware, which Palo Alto Networks named KeRanger, was found within the Transmission BitTorrent client installer for OS X on March 4.

The researchers said it was able to bypass Apple's Gatekeeper protection because it was signed with a valid Mac app development certificate.

After the user downloads and runs the installer, the ransomware executable is run on the system. It then sits quietly for three days before connecting to the command and control (C2) servers over the Tor anonymizer network and encrypting files.

After file encryption is complete, it demands one bitcoin (around £280) from the victim. The attack has since been stopped: "Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website," Palo Alto Networks wrote in their blog post.

Apple's Gatekeeper will now block the malicious installers, and the updated XProtect signatures have been pushed automatically to all Mac computers.

Ransomware is a type of malware whose popularity is rising fast. Once it has infected a system, it encrypts all the data on the computer, as well as on any cloud storage the victim has connected. It then demands money from the victim, usually in Bitcoin and usually around $400 (£280), for the files to be released.

There's usually a countdown timer giving the victim a few days to pay; if the payment is not made in time, the files are lost forever.

David Kennerley, Senior Manager for Threat Research at Webroot commented: "Ransomware has been on the rise in recent months, with Lincolnshire County Council being hit by a £1m demand in late January. Given the potential gains for attackers, it’s no surprise that they are now diversifying and targeting OS X – a popular system with a large target base. Add to this the fact that many people believe they are safe from such malware when running OS X, this ransomware has the potential to impact a huge number of people.

"The reason this criminal business model is so successful is that the cost of decrypting the files by paying the ransom is now seen as more cost effective than restoring from offline backups – if they even exist. This is especially the case for organisations, where mission critical data has been encrypted, not just on the one machine but the entire network. Organisations need to be aware of this type of threat and take all necessary steps to protect their infrastructure and data by using threat intelligence and backup solutions.

"As with any attack, the threat actor will firstly attempt to target the weakest link in any security set-up. Nine times out of ten that's the end user, so organisations need to invest in security education programs and initiatives, and reward those with good security practices."