Article Lead Image

Photo via Blondinrikard Fröberg/Flickr (CC BY 2.0)

The first ransomware for Mac computers was just discovered

Don't get held hostage.


AJ Dellinger


Posted on Mar 7, 2016   Updated on May 27, 2021, 3:06 am CDT

Apple fans used to brag about how their operating system of choice was virus free. Now that Macs are more prominent, so too are viruses. The latest sign that Apple devices have become big enough to target: OS X ransomware found in the wild.

Researchers at security firm Palo Alto Networks first detected the ransomware, dubbed KeRanger, on March 4. The malicious software was found in a corrupted download for popular Mac BitTorrent client Transmission.

Ransomware is an increasingly popular and particularly vicious form of malware that holds hostage access to vital data or the system as a whole. “Most modern ransomware works by encrypting the users files, and then only providing the key to decrypt them once the victim has paid a ransom,” Ryan Olson, the director of threat intelligence at Palo Alto Networks told the Daily Dot. 

In the case of KeRanger, the virus would wait three days after installation before it began its attack. The cost of the ransom was one Bitcoin, currently valued at about $400. The attackers used the digital currency to ensure the source of the infection couldn’t easily be traced.

According to Palo Alto Networks, there was evidence within the trojan that additional attacks were being developed that would attempt to encrypt Time Machine backup files to prevent victims from recovering their back-up data or restoring prior to the malware being installed.

KeRanger is the first fully functioning ransomware to be found on the Apple operating system. In 2014, Kaspersky Lab discovered an unfinished ransomware called FileCoder that had not yet been utilized as a means of holding information hostage.

Pedro Vilaça, a researcher who specializes in reverse engineering malware, published a proof of concept code last year that exemplified how ransomware could be implemented on OS X.

“I created the proof of concept file encryptor to understand how easy it would be to create such thing for OS X and work on countermeasures research,” Vilaça told the Daily Dot. He called the process of making the ransomware “extremely easy,” and wasn’t surprised at the discovery of KeRanger—he was only surprised that “it took so long for this threat to arrive to OS X.” 

Vilaça explained that Macs have avoided these types of attacks in the past because they represent such a small percentage of the overall computer market in comparison to Windows systems. “Ransomware is like spam, a numbers game. One percent of a big number of infection attempts can represent very good profits.”

Earlier this year, a Los Angeles hospital fell victim to a ransomware attack that lasted 10 days. The event required patients to be diverted to other hospitals and eventually cost $17,000 in payment to end the crisis. In 2014, a piece of ransomware ran wild and infected over 600,000 computers, encrypting 5 billion files along the way. McAfee Labs projected that 2016 would see a massive uptick in ransomware after finding more than 4 million samples of the malicious attacks in the second quarter of 2015.

While KeRanger represents the first functioning instance of ransomware on OS X, Olson doesn’t fear that it will become a major trend for the time being.

“While I don’t expect widespread outbreaks of KeRanger or other ransomware for OS X, it is noteworthy that attackers have chosen to expand their market in this direction,” he said, emphasizing that ransomware is growing in popularity among bad actors because it can lead to “very big money.” He also noted that success is likely to breed some copycat attackers.

There are still some unknowns surrounding KeRanger’s origins. While Palo Alto Networks was able to spot the infected installer of Transmission, it’s not clear how the compromised files landed on the program’s official website in the first place. Palo Alto Networks researchers suggested the site could have been compromised and the safe version of the open source software replaced by the malicious version, but the security firm couldn’t confirm that theory.

The rogue version of the software was signed with a valid Mac app development certificate, which Olson said was stolen. The certificate allowed it to bypass the protection of Apple’s Gatekeeper, the security feature that restricts the sources from which a user can install an application. 

Apple confirmed to the Daily Dot that the developer certificate had been revoked and the malware profile had been updated in Apple’s malware protection tool XProtect to prevent KeRanger from being installed.

Transmission did not provide comment on the event, but the company has already released a new version of its program (version 2.9.2) that includes code for removing the infection. The Transmission app automatically updates, but a manual update can be performed to ensure the program has installed the most recent version.

The fact that KeRanger was able to sneak past Apple’s security system may give Mac users pause as to the safety of their devices, especially when downloading from online sources and not through the Mac App Store.

Olson suggested that users “ensure they haven’t disabled Gatekeeper by checking their system’s Security and Privacy settings preferences to confirm that they can only run applications from the Mac App store and identified developers.”

Vilaça said the best way to remain protected from potential attacks is to only download from developers who allow downloads via HTTPS, a more secure communication protocol, and to regularly perform back ups. He suggested, “two or three hard disks that are rotated between them. This way data loss will be minimized in case one backup is hit by the ransomware.”

For more advanced users, Vilaça said they should, “demand developers to provide checksums for every binary and even better PGP signatures for everything they release. They should verify the code signatures of binaries they download,” Vilaça explained. He said doing so in the case of the Transmission installer would have indicated the change in the certificate, which didn’t match previous versions.

In the case of Transmission, the crisis appears to have been averted. But the possibility that ransomware can exist for OS X should remain present every time a Mac user clicks a “download” button online.

H/T Reuters | Photo via Blondinrikard Fröberg/Flickr (CC BY 2.0)

Share this article
*First Published: Mar 7, 2016, 7:26 pm CST