First Mac Ransomware Poses Little Risk for Users
Quick detection by Palo Alto Networks, Apple and the affected open-source project means most users likely disabled the software before it started to run.A ransomware group targeted Mac users with the first fully functional malware program capable of encrypting data and demanding a ransom of 1 Bitcoin, about $412, for providing the key to unlock the data, Palo Alto Networks said on March 7. Users of the open-source Transmission Bittorrent client, who downloaded the latest version of that software on March 4, may have infected their system with the malware, dubbed KeRanger by Palo Alto. Because the security firm identified the threat within six hours of its posting and warned Apple and the developers that the open-source software had been infected, the ransomware's impact will likely be blunted, Ryan Olson, director of threat intelligence for Unit 42, the research group at Palo Alto Networks, told eWEEK. "We will see now whether people report whether they had files encrypted, but we think the impact will be small because we were able to work quickly to find this and work with our peers in the industry to remove the threat before it had an impact," Olson said. KeRanger is designed to encrypt more than 300 different file types on Macs and to replace the files with encrypted versions. After installation, however, KeRanger waits three days before starting its encryption cycle, a technique that can foil some defenders' attempts to detect potentially malicious files. In this case, Palo Alto hoped the delay allowed users to uninstall the malicious program before it started its encryption routine, Olson said.
While ransomware is a very successful attack on Windows systems, making criminals millions of dollars in payments, the Mac had not seen a significant ransomware attack. However, the advent of KeRanger shows that criminals are targeting the operating system.