First Mac Ransomware Poses Little Risk for Users

Quick detection by Palo Alto Networks, Apple and the affected open-source project means most users likely disabled the software before it started to run.

Mac ransomware

A ransomware group targeted Mac users with the first fully functional malware program capable of encrypting data and demanding a ransom of 1 Bitcoin, about $412, for providing the key to unlock the data, Palo Alto Networks said on March 7.

Users of the open-source Transmission Bittorrent client, who downloaded the latest version of that software on March 4, may have infected their system with the malware, dubbed KeRanger by Palo Alto. Because the security firm identified the threat within six hours of its posting and warned Apple and the developers that the open-source software had been infected, the ransomware's impact will likely be blunted, Ryan Olson, director of threat intelligence for Unit 42, the research group at Palo Alto Networks, told eWEEK.

"We will see now whether people report whether they had files encrypted, but we think the impact will be small because we were able to work quickly to find this and work with our peers in the industry to remove the threat before it had an impact," Olson said.

KeRanger is designed to encrypt more than 300 different file types on Macs and to replace the files with encrypted versions. After installation, however, KeRanger waits three days before starting its encryption cycle, a technique that can foil some defenders' attempts to detect potentially malicious files. In this case, Palo Alto hoped the delay allowed users to uninstall the malicious program before it started its encryption routine, Olson said.

While ransomware is a very successful attack on Windows systems, making criminals millions of dollars in payments, the Mac had not seen a significant ransomware attack. However, the advent of KeRanger shows that criminals are targeting the operating system.

The ransomware attack took a lot of effort, Olsen said. Not only did the criminals write the malware, but they also had to steal a legitimate software certificate to bypass Apple's Gatekeeper software for blocking non-legitimate apps.

In addition, the criminals behind the malware had to somehow gain access to the site from which the Transmission Bittorrent client could be downloaded. On March 4, the criminals replaced the Transmission client with a copy infected with the KeRanger malware. Any users who downloaded version 2.90 of the program are at risk of being infected by the malware, Palo Alto Networks warned on March 6.

The Transmission project posted a warning on its Website for its users.

"Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file," the company stated. "This new version will make sure that the 'OSX.KeRanger.A' ransomware … is correctly removed from your computer."

KeRanger is not the first attempt to use ransomware against Mac OS X users. In June 2014, antivirus firm Kaspersky Lab found an unfinished program on malware-classification site VirusTotal. The ransomware, dubbed FileCoder, appeared to have been an early test version of a program that had not been completed.

"At this point, it became totally clear that (FileCoder) is a relatively harmless program, which could be turned into a fully functioning Trojan encrypter demanding money from its victims, but for some reason this had not been done," Kaspersky Lab stated at the time.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...