The first fully functional ransomware targeting Macintosh computers has been detected, after attackers infected installers with malware.
Palo Alto Networks found that Transmission BitTorrent client installers for the operating system were infected with a ransomware they called "KeRanger".
If the infected app is installed, an embedded executable file is placed on the user's system. Three days later, KeRanger connects to command-and-control servers over the Tor anonymiser network and begins encrypting certain types of document and data files on the system.
Once the files are encrypted, KeRanger demands payment of one bitcoin, equivalent to £286 at the time of writing.
Apple and the Transmission Project were made aware of the issue on 4 March; Apple has revoked the abused certificate and updated its XProtect antivirus signatures, while the Transmission Project has removed the malicious installers.
The two installers were infected with KeRanger on the morning of 4 March, Palo Alto Networks said in a blog post, apparently only a few hours after being posted on the site.
As the application was signed with a valid Mac app development certificate, it could bypass Apple’s Gatekeeper protection.
Since the Transmission application is open source, Palo Alto Networks said that attackers might have carried out the attack by compromising Transmission's official website and replacing the download files with "re-compiled malicious versions", although the company was unable to confirm this.
There had been a previous piece of ransomware for OS X, discovered by Kaspersky Lab in 2014 and called FileCoder, but it was incomplete at the time of its discovery.
Once ransomware has taken over a PC, there is often nothing that can be done to retrieve the files, making it a particularly damaging form of malware for those who hold large volumes of information.
Bob Tarzey, Analyst and Director at Quocirca, said that due to the low volume of OS X users compared to Windows, the motivation for the attack was presumably "because the OS X users are likely to have high value data and perhaps pay the ransom."
However, he added that "OS X users are likely to be savvy that ransomware attacks are easy to protect against with regular backup (which many have been doing for years, for other reasons), so attackers may find pickings are not as rich as they hope."
Users who had downloaded the installer might have been infected; Palo Alto Networks recommended searching for the malware's files manually using Terminal or Finder.
Palo Alto Networks added in the blog that "KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data."