Mac OS hit with first functioning ransomware

Palo Alto Networks says it has detected what appears to be the first fully functional ransomware seen on the Apple Mac OS X platform.

The software, which communicates over the anonymizing Tor network, encrypts files and documents and then demands one bitcoin to unlock them.

The malicious code, dubbed “KeRanger” by the security company, infected two installers for Transmission, a popular BitTorrent client used to transfer data through a file-sharing network. When it was detected on March 4, the two installers were still available for download from Transmission’s site, according to a blog post by Claud Xiao and Jin Chen of Palo Alto Networks.

The only other ransomware for OS X, FileCoder, was discovered by Kaspersky Lab in 2014, they said. “As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform,” Xiao and Jin wrote.

Transmission is an open-source project, the two wrote, and legitimate files on its website may have been replaced by malicious versions.

Whoever installed KeRanger used a valid Mac app development certificate to bypass Apple’s Gatekeeper protection, according to the blog post.
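Because a valid developer certificate is enough to satisfy Gatekeeper, checking "is it signed" is not the same as checking "is it signed by the developer I expect". The following shell script is an added example written for this page (it is not from the article, from Palo Alto Networks or from the Transmission project) that runs the three checks a defender would want before launching a downloaded app bundle: signature integrity, Gatekeeper's verdict, and the signer's Team ID. It assumes macOS with `codesign(1)` and `spctl(8)` available, and `EXPECTED_TEAM_ID` is a placeholder, not Transmission's real Team ID.

```shell
#!/bin/sh
# Added example, not code from the article or any vendor: triage a downloaded
# macOS .app bundle before running it. Assumes macOS (codesign + spctl present).
# EXPECTED_TEAM_ID is a placeholder; substitute the developer's published Team ID.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-TEAMID0000}"

# assess_app <path-to-.app>
# Exit status: 0 = signature intact, Gatekeeper accepts, Team ID matches
#              1 = one of those checks failed (do not run the app)
#              2 = codesign/spctl unavailable (not a macOS host)
assess_app() {
    app="$1"
    command -v codesign >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1 || return 2
    [ -d "$app" ] || { echo "no such bundle: $app"; return 1; }

    # 1. Is the signature intact? Catches a bundle whose contents were swapped
    #    after signing, but NOT one re-signed with a different valid certificate.
    codesign --verify --deep --strict "$app" 2>/dev/null \
        || { echo "signature invalid or bundle tampered: $app"; return 1; }

    # 2. Would Gatekeeper allow it? A valid Developer ID certificate passes
    #    here, which is exactly how KeRanger got through, so step 3 still matters.
    spctl --assess --type execute "$app" 2>/dev/null \
        || { echo "Gatekeeper rejects: $app"; return 1; }

    # 3. Who signed it? codesign prints TeamIdentifier=... on stderr; compare it
    #    with the Team ID the developer publishes rather than trusting any signer.
    team=$(codesign -dvv "$app" 2>&1 | sed -n 's/^TeamIdentifier=//p')
    echo "signed by TeamIdentifier=${team:-<none>}"
    [ "$team" = "$EXPECTED_TEAM_ID" ] \
        || { echo "unexpected signer (wanted $EXPECTED_TEAM_ID)"; return 1; }
    echo "OK: $app"
    return 0
}

# Usage: EXPECTED_TEAM_ID=<developer team id> sh check_app.sh /Applications/Transmission.app
if [ $# -gt 0 ]; then
    assess_app "$1"
    exit $?
fi
```

The order matters: the integrity and Gatekeeper checks are cheap and reject obvious tampering, but only the Team ID comparison distinguishes the genuine developer from an attacker who obtained their own certificate, and a revoked certificate only helps once Apple has revoked it, which is why the comparison is against a value you fetched from the developer rather than against "any valid signature".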

The ransomware waits for three days before connecting with Transmission’s servers through the anonymizing app Tor, and then begins encrypting certain files and documents. After doing that, it demands that victims pay one bitcoin (about $400) to a specific address.

“KeRanger appears still to be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data,” according to the blog post.

Apple has revoked the abused certificate and updated antivirus software, while Transmission Project has removed the infected installers from its website.


  • alrui

    OK, so this is now a non-story since it isn't an issue anymore. Sounds like more piling on Apple to me!

  • Rob Craig

    @alrui No, the sentence, “KeRanger appears still to be under active development …” should maybe not be as buried as it is. If the ransomware has popped up once, it can appear again, and so the story serves its purpose. Apple users are nowhere near as vulnerable as Windows users, but this is a cautionary tale nonetheless.