Apple users beware: First live ransom ware targeting Mac found ‘in the wild’


Sorry Mac fans — now you’re no better off than regular old PC users.

Security researchers have discovered what they believe to be the first ever ransomware attack targeted at Apple users that actually made it out ‘into the wild.’ And in bad news for downloading fiends, it’s being spread through torrenting software.

The problem was first detected on Friday, when a team of researchers at Palo Alto Networks found a popular OS X BitTorrent client infected with the ransomware, which they have dubbed “KeRanger.” The BitTorrent software in question is Transmission, which Mac users can install on Apple’s OS X operating system and then use to access shared files in torrent swarms (which, let’s not lie, is usually pirated content).

It’s not the first time Mac-targeting ransomware has been detected by security experts, as back in 2014 Kaspersky Labs discovered ransomware for Mac, though it wasn’t complete at the time. But the researchers today announced that they believed KeRanger was “the first fully functional ransomware seen on the OS X platform.”

Speaking to Reuters, Palo Alto Threat Intelligence Director Ryan Olson put it in simpler terms.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Olson said.

KeRanger is an unwelcome arrival for Apple fans who have long heralded the Mac as an untouchable rival to the traditional Windows PC. While PCs periodically make headlines for being targeted with viruses, malware and any number of digital infections, Mac users have largely been able to avoid serious anti-virus talk. Until now.

The stakes are high with KeRanger. Ransomware is designed to infect a computer and then hold the owner to ransom, locking up files or functionality and essentially bricking the device until the user pays to have the problem neutralised. This particular piece of ransomware brings with it a tidy $400 ransom note.
If a user installed one of the infected versions of Transmission, an executable file embedded within the software would run on the system. At first, there’d be no sign of a problem. But after three days, KeRanger would connect with servers over the anonymous Tor network and begin encrypting certain files on the Mac’s system.

“After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files,” the researchers wrote in their findings. “Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.”

The Palo Alto Networks team notified both Apple and the Transmission Project on March 4. Since then, they say Apple has revoked the security certificate exploited by KeRanger and updated its XProtect antivirus software. Apple declined to comment for this story.

The researches also note that Transmission has removed the affected versions of the BitTorrent installer from its website.

If you directly downloaded the Transmission installer from the official website on March 4-5, 2016, you may have been infected by KeRanger. Even if you downloaded it elsewhere or at another time, Palo Alto Network’s security experts advise taking extra precautions. Head to their website to find out how to protect yourself.

Transmission is also recommending users should “immediately upgrade” to and run the latest version of its software, version 2.92, to ensure KeRanger is “correctly removed” if it is present on a user’s Mac.

But how did KeRanger make it past the security guards in the first place?

According to Palo Alto Networks, “The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection.”
Because Transmission is by its own admission an “open source, volunteer-based project,” researchers also argue that it’s possible the project’s official website “was compromised and the files were replaced by re-compiled malicious versions.” But even then, the Palo Alto Networks team say they can’t confirm how the infection occurred.

The problem might be resolved now, but the incident will no doubt have ripple effects beyond those Mac users that like to dabble in the occasional torrent.

With the first piece of ransomware now found ‘in the wild,’ the Mac may no longer maintain its reputation as a bastion of security untouched by the virus concerns of its Windows rivals. Now the citadel has been breached, there may be plenty of people asking just how strong the walls really are.

Leave A Reply