View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
March 7, 2016updated 05 Sep 2016 7:41am

Apple Mac infected with ransomware as cyber-criminals target high-value data

News: KeRanger has been loaded into installers for Transmission BitTorrent.

By Alexander Sword

The first fully functional ransomware targeting Macintosh computers has been detected, after attackers infected installers with malware.

Palo Alto Networks found that Transmission BitTorrent ailient installers for the operating system were infected with a ransomware they called "KeRanger".

If the infected app is installed, an embedded executable file is installed on their system. Three days later, KeRanger connects with command control servers over the Tor anonymiser network and begins encrypting certain types of document and data files on the system.

Once the files are encrypted, KeRanger demands payment of one bitcoin, equivalent to £286 at the time of writing.

Apple and the Transmission Project were made aware of the issue on 4 March; Apple has revoked the abused certificate and updated XProtect antivirus signature, while Transmission Project has removed the malicious installers.

The two installers were infected with KeRanger on the morning of 4 March, Palo Alto Networks said in a blog, apparently only a few hours after being posted on the site.

As the application was signed with a valid Mac app development certificate, it could bypass Apple’s Gatekeeper protection.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

Since the installer is open source, Palo Alto Networks said that attackers might have carried out the attack by compromising Transmission’s official website and replacing the download files with "re-compiled malicious versions", although the company was unable to confirm this.

There had been a previous ransomware for OS X, discovered by Kaspersky Lab in 2014, called FileCoder, but this was incomplete at the time of its discovery.

Once ransomware has taken over a PC, there is often nothing that can be done to retrieve the files, making it a particularly damaging form of malware to holders of high-volume information.

Bob Tarzey, Analyst and Director at Quocirca, said that due to the low volume of OS X users compared to Windows, the motivation for the attack was presumably "because the OS X users are likely to have high value data and perhaps pay the ransom."

However, he added that "OS X users are likely to be savvy that ransomware attacks are easy to protect against with regular backup (which many have been doing for years, for other reasons), so attackers may find pickings are not are rich as they hope."

Users that had downloaded the installer might have been infected; Palo Alto Networks recommended searching for the files manually using Terminal or Finder.

Palo Alto Networks added in the blog that "KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data."

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.