First fully functioning Mac OS X ransomware found in the wild
New attack uses ransomware to drop trojans and keyloggers
Researchers have discovered the first known case of fully functioning ransomware targeting Apple's OS X operating system in the wild. Dubbed KeRanger, the malware was spotted lurking on installers for the open-source BitTorrent client application Transmission.
Palo Alto Networks, the security firm responsible for detecting the unprecedented ransomware, reported in a blog post yesterday that KeRanger “was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple's Gatekeeper protection.” Ryan Olson, director of threat intelligence at the Unit 42 research division of Palo Alto Networks, told SCMagazine.com in an interview that the attackers stole the certificate from a company based in Turkey.
Once the infected DMG file is downloaded from Transmission, the malware lies dormant for 72 hours before activating, encrypting the victim's files and demanding one bitcoin worth of ransom. Olson theorized that the ransomware developers didn't want savvy users to immediately link the malware with the downloading of Transmission's peer-to-peer file sharing capabilities. With a three-day delay, “they wouldn't have been able to make the connection back to Transmission so easily,” he explained.
Corey Nachreiner, CTO at WatchGuard, in an email to SCMagazine.com, called KeRanger a “very relevant development in both ransomware evolution and targeted Mac threats… It does strongly encrypt your files, and proves that cybercriminals are expanding their ransomware campaigns to other platforms including Macs.”
Apple revoked the fraudulently acquired certificate within 12 hours of KeRanger's discovery, and the Transmission Project was able to remove the malware over the next 32 hours. Transmission also posted the following message on its website, urging customers to upgrade their software: “Everyone running [version] 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file.”
Approximately 6,500 users downloaded the ransomware, said Olson, but there has yet to be a documented case of KeRanger locking anyone out of their files. This suggests that the ransomware's swift detection and mitigation saved infected users before Keranger could activate itself on anyone's machine.
Considering the effort they put into this scheme, the attackers “probably had a really bummer weekend,” said Olson.
Scott Crawford, research director at 451 Research's Information Security Practice, told SCMagazine.com that Apple did “a pretty good a job in this particular case…minimizing the impact.”
But with the precedent now set, could we begin to witness a sudden surge in ransomware specifically targeting Macs? “I don't think that's going to be the case. Apple still does a pretty good job with barriers to prevent people from running malicious applications on their platform,” said Olson.
Still, noted Crawford, “as penetration of market continues to grow” for Apple, “naturally, they're going to become more of a target.”
“This incident should be a wake-up call to all Mac users that they need additional layers of defense to protect their computers,” said Nachreiner. “Macs are now a big enough market for criminals for care about, so we expect to see more Mac malware in the future.”
Palo Alto Networks noted in its blog that in 2014 Kaspersky Lab discovered FileCoder, another ransomware targeting the OS X platform. However, this program was incomplete and not fully functioning at time of discovery.