Alert: Ransomware Targets Macs
Researchers: 'KeRanger' Hits Apple OS X Devices, Hidden in Legitimate App
The ransomware, which they've dubbed "KeRanger," first appeared March 4, disguised as an RTF document inside installers for a popular, open source BitTorrent client called Transmission, Palo Alto researchers Claud Xiao and Jin Chen write in a March 6 blog post. The malware requires users to allow it to be installed. But because the malicious "Transmission.app" was signed with a legitimate Apple developer certificate, the software wouldn't have tripped the Apple operating system's Gatekeeper defense, which by default prevents unsigned applications from being installed, the Palo Alto researchers say.
"We reported the issue to the Transmission Project and to Apple immediately after we identified it," the researchers add. "Apple has since revoked the abused certificate, and Gatekeeper will now block the malicious installers."
Apple has also added the ransomware signatures to XProtect, a basic OS X anti-malware feature, while the Transmission Project removed the Trojanized installers from its website March 5, the researchers add. They've also published technical instructions to help ascertain if a Mac is infected with the ransomware.
But anyone who downloaded and installed Transmission version 2.90 - either from the software's dedicated website or from third-party sites - is at risk and has just 72 hours to ensure that they have removed the software from their system, they say. That's because once it gets installed, the ransomware is set to begin encrypting all files - including Time Machine backups - after three days. It then demands 1 bitcoin - currently worth about $400 - in exchange for an encryption key to decrypt the files.
The Transmission Project, meanwhile, has pushed a new, ransomware-free version and warned all 2.90 users to upgrade. "Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the 'OSX.KeRanger.A' ransomware ... is correctly removed from your computer," according to an alert posted to its website. "Users of 2.91 should also immediately upgrade to and run 2.92. Even though 2.91 was never infected, it did not automatically remove the malware-infected file."
Refined Malware Attacks
Criminals have been continuing to refine their ransomware attacks, which enable them to automatically infect and extort large numbers of end users (see Refined Ransomware Streamlines Extortion). More recently, the number of targeted attacks - against organizations that criminals perceive to be more likely to pay larger ransoms - has also continued to increase (see Ransomware Hits Hospitals).
Brussels-based information security expert Xavier Mertens, who's a handler for SANS Institute's Internet Storm Center, says that the emergence of Mac ransomware isn't surprising. "[The] more a tool, a platform or an environment is popular, [the] more it will be targeted," he says in a blog post. "Those who still think that they are safe with their OS X environment are wrong."
As of early March 7, only 2 out of 54 anti-virus scanners were detecting the malware, according to the free malware-scanning service VirusTotal.
But KeRanger appears to be the first fully functional, native OS X ransomware, and Mertens emphasizes that it's designed to defeat built-in OS X security defenses because "the binary is signed with a legit developer certificate." He also warns that "it also attempts to encrypt Time Machine backups, which are very popular and used by most OS X users."
Recommendation: Offline Backups
Security experts have long recommended keeping offline backups as a defense against ransomware attacks.
To date, it's not clear how the KeRanger ransomware got added to a legitimate open source project, although the Palo Alto researchers suspect that attackers may have hacked into the project's website. "Transmission is an open source project," they say. "It's possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but we can't confirm how this infection occurred."