The first try at creating ransomware for the Macintosh was a bust, according to a spokesperson at Apple who told eWEEK that the company acted to invalidate the developer certificate tied to the malware to protect users from installing it.
The malware was initially found by researchers at Palo Alto Networks, who alerted Apple and Transmission, the software developer that made the Tor file transfer app that was infected to spread the malware.
Macintosh users who downloaded the Transmission software can get rid of the malware, now called KeRanger, by downloading the updated version 2.9.2 of the Transmission installer, which, among other things, contains code that will find and remove the malware.
Meanwhile, Apple updated XProtect so that it would recognize the KeRanger malware, and prevent it from infecting more Macintosh computers. XProtect is Apple’s built-in anti-malware software for the Macintosh.
Of the approximately 6,500 Mac users that downloaded the infected Transmission software, most won’t actually have their files encrypted by the malware nor have to pay the hackers a Bitcoin ransom to get the decryption key because the necessary file, called General.RTF, won’t execute.
Unfortunately, a few Mac users will have had their files encrypted before the malware was detected and thwarted. These users will either need to pay to decrypt them, or if they’re lucky, restore their files from a backup.
The vast majority of Macintosh users dodged the bullet this time, but it’s not safe for them to assume that the hackers won’t have better luck, and better malware, the next time.
Then Mac users will find themselves in a situation similar to what Windows users have been dealing with for years. The only safe approach is to assume that any software you don’t personally know to be safe probably isn’t.
The reason that Mac users haven’t had to worry about ransomware or other malware until recently isn’t that the Macintosh is immune, because it’s not. The reason that Macs haven’t had a problem is mainly that their market share has been so low that malware writers didn’t have the economic incentive to write malware. But that’s all changed.
As Apple’s market share has grown, so has the temptation to create malware and Apple’s XProtect is the first approach at fighting it. But XProtect is only a basic, signature-based security package, so it’s limited in what it can do against advanced threats. Fortunately, all of the familiar antivirus packages are also available for your Mac, including software from Symantec, McAfee, Avast, Trend Micro and many others.
But ransomware isn’t always picked up by antivirus software or by corporate firewalls. What happens then is that you could still end up with your data encrypted and find yourself stuck with no means of getting your work done except to pay the ransom.
Unfortunately, the problem is only going to get worse. “This is the first really functional ransomware on the Mac,” said Dodi Glenn, vice president of cyber-security for PC Pitstop, a security vendor.
More Mac Ransomware Sure to Surface Despite Halt to First Attack
“Future versions will be set so that it will encrypt the Time Machine backups,” he said, meaning that you won’t be able to just go back a few days and restore from backups using the standard backup software.
Fortunately, you don’t have to depend on Time Machine for your backups. “If you’re using an offsite backup, that data will be safe,” Glenn said.
“Once you’re infected, paying the ransom is often your only hope,” said Chris Doggett, senior vice president of Carbonite, which provides cloud-based backup and recovery services. But Doggett also said that if you have properly done backups, then it’s probably not necessary to pay the ransom since you can restore the files that were encrypted from your backups.
“You want to make sure your backups are not a single-event-only backup,” Doggett explained. “You want to have multiple copies that are archived for some time.” The reason for keeping backups that are older than a few days is that you don’t want to restore the malware itself, which may well have been backed up in the most recent backup files.
The KeRanger malware was unusual in that it lay dormant on the computer it was going to infect for three days before launching the infection. According to Doggett, this meant that the hapless user wouldn’t be able to tie the infection to the download of the Transmission software. But the three-day delay is unusual, and in the case of KeRanger, it meant that Apple had the time to prevent its execution before it was able to encrypt very many users’ data.
“The guys who are doing the ransomware know that most desktop security is likely to detect malware before long, typically measured in hours,” Doggett said. “The longer they wait, the less likely it is to be effective.” In addition, commercial cloud backup vendors, including Carbonite, will scan the backups they receive for malware and eliminate it if they find it.
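As an added illustration, not code from the article or from any vendor quoted in it, the following Python models the restore logic implied by the two points above: with daily archived snapshots and a known download time plus the three-day dormancy, each data file is restored from the newest snapshot taken before encryption could have begun, while the paths that carried the dormant payload are skipped. All dates, file contents and paths are constructed placeholders; the backup format is hypothetical.

```python
from datetime import datetime, timedelta

# Dormancy window the article reports for KeRanger: three days.
DORMANCY = timedelta(days=3)

# Constructed placeholder path; the article does not give the real location.
QUARANTINE = {"Applications/Transmission.app/General.rtf"}

def plan_restore(snapshots, download_time, quarantine_paths, dormancy=DORMANCY):
    """Return {path: (snapshot_time, content)}, choosing per file the newest
    copy taken before encryption could have started (download + dormancy).
    `snapshots` is a list of (taken_at, {path: content}) pairs in any order
    (hypothetical backup format). Paths in quarantine_paths are never restored
    because they held the dormant payload; reinstall those from a trusted source."""
    onset = download_time + dormancy
    clean = [s for s in snapshots if s[0] < onset]
    if not clean:
        raise ValueError("no archived copy predates encryption onset; "
                         "a single-event backup cannot recover this")
    plan = {}
    for taken_at, files in sorted(clean, key=lambda s: s[0]):
        for path, content in files.items():
            if path in quarantine_paths:
                continue
            plan[path] = (taken_at, content)  # later clean copies win
    return plan

# Constructed sample: nightly snapshots (oldest first) around a download on
# 1 March at 12:00, so encryption onset is 4 March at 12:00.
DOWNLOAD = datetime(2016, 3, 1, 12, 0)
BAD = "Applications/Transmission.app/General.rtf"
SNAPSHOTS = [
    (datetime(2016, 3, 1, 2, 0), {"Documents/report.docx": "v1"}),
    (datetime(2016, 3, 2, 2, 0), {"Documents/report.docx": "v2", BAD: "dormant"}),
    (datetime(2016, 3, 3, 2, 0), {"Documents/report.docx": "v3", BAD: "dormant"}),
    (datetime(2016, 3, 4, 2, 0), {"Documents/report.docx": "v4", BAD: "dormant"}),
    # Taken after onset: the document is already encrypted in this copy.
    (datetime(2016, 3, 5, 2, 0), {"Documents/report.docx": "<ciphertext>", BAD: "dormant"}),
]

def single_copy_restore(snapshots, download_time):
    """Model a 'single-event' backup that keeps only the newest snapshot;
    with the sample above this raises because that copy postdates onset."""
    return plan_restore(snapshots[-1:], download_time, QUARANTINE)

if __name__ == "__main__":
    print(plan_restore(SNAPSHOTS, DOWNLOAD, QUARANTINE))
```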
Once the ransomware is recognized and the malware removed, all that remains is to restore everything that’s encrypted. Depending on how much the ransomware was able to attack, this could take only a few minutes, or it could take hours or even days to restore the data files for an entire business.
Either way, copying unencrypted versions of the files to replace the encrypted ones is only a matter of time. If it turns out to be a long time, many cloud backup vendors will speed things up by sending you the backups on a disk, which is much faster than a download.
But the age of innocence is truly over for Mac users, if it ever existed. Malware for the Mac has been around for years, and now ransomware has appeared. That it will return is a certainty, and the only way to prevent it from taking out your data and business operations is to use the same precautions as Windows users do. Try to prevent the malware from hitting you and back up your computers often. Meanwhile, welcome to the real world.