Mac users were in for a rough weekend: a campaign against Macintosh computers utilised a type of ransomware that has since been dubbed “KeRanger” by researchers with Palo Alto Networks.
Ryan Olson, threat intelligence director at Palo Alto, said the ransomware, which appeared on Friday 4 March, was the first functioning ransomware attacking Apple’s Mac computers. The ransomware infected a version of Transmission, a popular Mac application that enables users to download a wide variety of content over peer-to-peer connections.
Like any other type of ransomware, KeRanger works by encrypting data on infected machines; the victim is then forced to pay a sum in untraceable digital currency before being given the electronic key to decrypt their data.
“The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.”
The KeRanger application was signed with a valid Mac app development certificate and was therefore able to bypass Apple’s Gatekeeper protection. If a user installs the infected app, an embedded executable file is run on the system. KeRanger then waits three days before connecting to its command and control (C2) servers over the Tor anonymity network.
An Apple representative stated that the company took steps over the weekend to prevent further attacks by revoking the digital certificate, issued to a legitimate Apple developer, that had allowed the rogue software to be installed on Macs.
After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development, and the malware also appears to be attempting to encrypt Time Machine backup files to prevent victims from recovering their backed-up data.
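The Gatekeeper check described above can be reproduced by hand on a Mac: once Apple revokes a developer certificate, the same assessment that previously accepted the signed bundle rejects it. The script below is an added example, not part of the article or of any Palo Alto or Apple tooling; the bundle path and exit-code scheme are assumptions of this example.

```shell
#!/bin/sh
# Check who signed a macOS app bundle and whether Gatekeeper still accepts it.
# Exit codes (chosen for this example):
#   0 = Gatekeeper accepts the bundle
#   1 = Gatekeeper rejects it (unsigned, tampered, or certificate revoked)
#   2 = bundle path does not exist
#   3 = spctl/codesign not present (not running on macOS)
assess_app_bundle() {
    bundle="$1"
    [ -d "$bundle" ] || { echo "no such bundle: $bundle" >&2; return 2; }
    if ! command -v spctl >/dev/null 2>&1 || ! command -v codesign >/dev/null 2>&1; then
        echo "spctl/codesign not available; run this on macOS" >&2
        return 3
    fi
    # Signing chain: the Authority= lines name the developer and Apple CA that
    # signed the bundle; TeamIdentifier= is the developer's team id.
    codesign -dv --verbose=2 "$bundle" 2>&1 | grep -E '^(Identifier|TeamIdentifier|Authority)='
    # Gatekeeper verdict for launching the app. After a certificate revocation
    # this reports "rejected" even though the signature itself is still intact.
    if spctl --assess --type execute --verbose=4 "$bundle" 2>&1; then
        return 0
    fi
    return 1
}

# Usage: adjust the path to the bundle you want to inspect (assumed location).
assess_app_bundle "${1:-/Applications/Transmission.app}"
```

A bundle that passes this check is not necessarily clean: while the stolen or abused certificate was still valid, KeRanger passed exactly this assessment, so the verdict only reflects what Apple has revoked so far.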
Source: Palo Alto Networks
