NEWS ANALYSIS: The first known attempt to spread ransomware on Macs was quickly spotted and disabled by security researchers and by Apple, but it won’t be the last.
The first try at creating ransomware for the Macintosh was a bust, according to a spokesperson at Apple who told eWEEK that the company acted to invalidate the developer certificate tied to the malware to protect users from installing it.
The malware was initially found by researchers at Palo Alto Networks, who alerted Apple and Transmission, the software developer that made the Tor file transfer app that had been infected to spread the malware.
Macintosh users who downloaded the Transmission software can get rid of the malware, now called KeRanger, by downloading the updated version 2.9.2 of the Transmission installer, which, among other things, contains code that will find and remove the malware.
Meanwhile, Apple updated XProtect so that it would recognize the KeRanger malware, and prevent it from infecting more Macintosh computers. XProtect is Apple's built-in anti-malware software for the Macintosh.
Of the approximately 6,500 Mac users who downloaded the infected Transmission software, most won't actually have their files encrypted by the malware, nor have to pay the hackers a Bitcoin ransom for the decryption key, because the necessary file, called General.RTF, won't execute.
Unfortunately, a few Mac users will have had their files encrypted before the malware was detected and thwarted. These users will either need to pay to decrypt them, or if they're lucky, restore their files from a backup.
The vast majority of Macintosh users dodged the bullet this time, but it's not safe for them to assume that the hackers won't have better luck, and better malware, the next time.
Then Mac users will find themselves in a situation similar to what Windows users have been dealing with for years. The only safe approach is to assume that any software you don't personally know to be safe probably isn't.
The reason that Mac users haven't had to worry about ransomware or other malware until recently isn't that the Macintosh is immune, because it's not. The reason that Macs haven't had a problem is mainly that their market share has been so low that malware writers didn't have the economic incentive to write malware. But that's all changed.
As Apple's market share has grown, so has the temptation to create malware, and Apple's XProtect is the first line of defense against it. But XProtect is only a basic, signature-based security package, so it's limited in what it can do against advanced threats. Fortunately, all of the familiar antivirus packages are also available for the Mac, including software from Symantec, McAfee, Avast, Trend Micro and many others.
But ransomware isn't always picked up by antivirus software or by corporate firewalls. When it isn't, you could still end up with your data encrypted and find yourself with no way to get your work done except to pay the ransom.
Unfortunately, the problem is only going to get worse. "This is the first really functional ransomware on the Mac," said Dodi Glenn, vice president of cyber-security for PC Pitstop, a security vendor.