Apple-certified ransomware affected fewer than 7,000 computers

Downloads of KeRanger-infected Transmission BitTorrent client less widespread than feared

KeRanger, the first fully-functional Mac OS ransomware found in the wild, only affected about 6,500 computers, it has been claimed.

Speaking to Forbes, John Clay of the Transmission Project, which hosted the ransomware-infected files, revealed the site's main server had been compromised, allowing the attackers to distribute their malware in the guise of a legitimate Transmission BitTorrent client download.

However, Clay claimed that only around 6,500 Macs would have been affected. 

"Of those, our presumption is that many were unable to run the infected file due to Apple quickly revoking the certificate used to sign the binary [the file], as well as updating the XProtect [Apple's anti-malware technology] definitions," said Clay, although he added that the company is still waiting for confirmation from Apple to back up this assumption.

Advertisement
Advertisement - Article continues below

07/03/2016: The days of Mac OS as a virus-free system are truly over, following the discovery of the first fully operational ransomware for Apple's operating system.

KeRanger, as the malicious program has been called, encrypts users' files and demands a ransom to unlock them, according to researchers from security firm Palo Alto Networks, who discovered the malware on Friday.

According to a blog post by researchers Claud Xiao and Jin Chen, version 2.90 of the Transmission BitTorrent client installer for OS X was infected with the ransomware just hours after being published.

When opened, the compromised downloader (.dmg file) sits on the user's system for three days before contacting its command and control (C2) servers over the Tor network. It then encrypts the user's files and demands the equivalent of $200 (141) in Bitcoin to release those files.

The malware also attempted to encrypt Time Machine files, should a user have one connected, however this piece of the KeRanger code was apparently incomplete, so this part of the attack would not work.

Perhaps most worryingly, the ransomware application was signed with a valid Mac development certificate, meaning it could bypass OS X's Gatekeeper protection system.

The certificate has since been revoked by Apple after Palo Alto Networks notified it of the issue, so anyone attempting to open the compromised .dmg file now will be unable to do so.

However it is unclear how the valid certificate was obtained in the first place and Apple has declined to comment on the matter.

Transmission has also released an updated version of its client, which is free of KeRanger.

Additionally, it is unclear how the downloader became infected in the first place, although Xiao and Chen suggested Transmission's official website may have been compromised, allowing the attackers to replace the legitimate .dmgs with the malicious ones.

Advertisement
Advertisement - Article continues below

Greg Day, Palo Alto's EMEA CSO, told IT Pro the emergence of Mac ransomware was, in many ways, inevitable.

"The simple reality is that at home and in the workplace, more and more people are using Macs. With volume adoption, typically we see cybercrime follow the mainstream," Day said.

Day added that ramsomware has, over the past few years, become the most prevalent form of attack, as it offers greater ROI for cybercriminals and that KeRanger was a confluence of these two trends.

Independent security analyst Graham Cluley largely agreed, telling IT Pro that Mac ransomware had not, until now, been a priority for attackers.

"They've been doing 'very nicely, thank you' successfully extorting money out of Windows users, and it's easier to write a new ransomware variant for Windows (based upon the thousands of existing samples) than start from scratch for OS X," said Cluley.

"However, as Windows users become more savvy about ransomware, some criminals might regard Mac users as a softer target," he added.

As usual in these situations, those who have been compromised are recommended not to pay the ransom and to restore their OS from a secure backup, assuming they have one.

In order to protect themselves, users should also always ensure that their anti-virus is up to date, that their OS is patched, and that their computer is backed up.

(This article was first published on 07/03/16 and has since been updated to reflect new developments, most recently on 08/03/16)

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/29204/how-can-you-protect-your-business-from-crypto-ransomware
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

8 Mar 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/network-internet/wifi-hotspots/354283/industrial-wi-fi-6-trial-reveals-blistering-speeds
wifi & hotspots

Industrial Wi-Fi 6 trial reveals blistering speeds

5 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019