Some ransomware has been known to delete data entirely, making retrieval impossible. That’s why it’s a bad idea to ever engage with a scam like this. Unfortunately, many people are embarrassed they were set up in the first place, which makes playing along with the scam even more tempting.
The scourge of ransomware has finally come to OS X! Researchers at the security firm Palo Alto Networks have announced that version 2.90 of the Transmission bittorrent client for Mac OS X has been adulterated with a new ransomware variant they have named KeRanger. Users on the Transmission forum and a message on the front page of the Transmission website confirm this:
- Learn about KeRanger, the first true Mac ransomware. Not ones to be left out of the ransomware game, Mac malware authors dropped the first ransomware for Mac OSes in 2016. Called KeRanger, the ransomware infected an app called Transmission that, when launched, copied malicious files that remained running quietly in the background for three.
- First known Mac ransomware reaches the wild. KeRanger will force you to pay digital cash to use your computer. Jon Fingas, @jonfingas. March 6, 2016 Comments. Sponsored Links.
According to Palo Alto Networks, the malicious installer was generated on March 4, and once installed, will wait 3 days after infection before encrypting the victim's files. This means that the first victims won't notice they are affected until at least March 7. Once activated, the ransomware connects to a Command & Control server over the TOR network and will then begin to encrypt certain types of files. It will then demand a ransom of 1 bitcoin, or about $400 USD, to receive a decryptor.
Very little information is available at this point regarding how the Transmission installer was compromised. It is known, however, that the ransomware is signed with a valid Mac developer's certificate, which is now revoked by Apple. This certificate has a listed owner of POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673), which is not the certificate for the legitimate Transmission developer.
Apple has already released a signature update for their XProtect antimalware software, and due to the revokation of the abused certificate, OS X will refuse to execute malicious installers signed by it.
Palo Alto Networks has also posted instructions for users who believe they might be infected, towards the bottom of their announcement article. The developers of Transmission recommend that users install version 2.91, which will attempt to detect and remove the infection.
Unfortunately, at the time of this writing there are no antimalware scanners that are currently detecting either of the affected installers:
The mac I tried to update to is basically failing to install the update after an awfully slow download and my other mac is now having issues with trustd spinning when I launch apps. The hell apple Steve Troughton-Smith / @stroughtonsmith: You gotta hand it to Apple's third-party dev community to have so many apps Apple-Silicon-native right out. Palo Alto Threat Intelligence Director Ryan Olson said the 'KeRanger' malware, which appeared on Friday, was the first functioning ransomware attacking Apple's Mac computers. 'This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,' Olson said in a telephone interview.
- VirusTotal results for malicious installer #1
As this ransomware is further analyzed, we will be sure to post about it here.
Apple customers were targeted by hackers over the weekend in the first campaign against Mac computers using ransomware, researchers with Palo Alto Networks have revealed.
Techmeme: First Known Ransomware For Mac Osx
Ransomware encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.
Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft's Windows operating system.
Palo Alto threat intelligence director Ryan Olson said the 'KeRanger' malware, which appeared on Friday, was the first functioning ransomware attacking Apple's Mac computers.
'This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,' Olson said.
An Apple representative said the company had taken steps over the weekend to prevent attacks by revoking a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs.
The malware is programmed to encrypt files on an infected personal computer three days after the original infection, according to Olson.
That means that if Apple's steps prove ineffective in neutralising malware that has already infected Macs, the earliest victims will have their files encrypted on Monday, three days after the malicious program first appeared on the Transmission website, he said.
The Transmission site offers the open source software that was infected with the ransomware.
Palo Alto has released advice for Mac users on ways to check if they were infected with the virus and steps they can take to protect against it harming their data, Olson said.
Transmission is one of the most popular Mac applications used to download software, videos, music and other data through the BitTorrent peer-to-peer information sharing network, according to Olson.
Representatives with Transmission could not be reached immediately for comment.
The project's website on Sunday carried a warning saying that version 2.90 of its Mac software had been infected with malware.
It advised users to immediately upgrade to version 2.91 of the software, which was available on its website, or delete the malicious one.
Techmeme: First Known Ransomware For Mac Download
It also provided technical information on how users could check to see if they were affected.