Apple Macs Face First-Ever Ransomware Attacks

Customers of Apple Inc. AAPL's Macintosh computers faced its first ever ransomware attacks over the weekend, according to researchers at Palo Alto Networks Inc PANW.

Ransomware, one of the fastest-growing types of cyber threats, is a type of malware that restricts access to the infected computers in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.

A Reuters report said security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft Corporation MSFT's Windows operating system.

When It Happened

On March 4, Palo Alto detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted.

"We have named this Ransomware "KeRanger." The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform," Palo Alto said in a blog post.

Related Link: Apple Vs. The FBI: Whose Side Are You On?

Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site.

Transmission is an open source project. It's possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but the researchers can't confirm how this infection occurred.

Bypassing Apple

The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple's Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network.

The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.

Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems.

Posted In: NewsTechApple MacsMacsransomware
Benzinga simplifies the market for smarter investing

Trade confidently with insights and alerts from analyst ratings, free reports and breaking news that affects the stocks you care about.

Join Now: Free!

Loading...