Researchers from security firm Palo Alto Networks have discovered the first known case of functional ransomware targeting Apple users on the Mac OS X platform, delivered via a compromised version of the popular BitTorrent client Transmission.
Ransomware is one of the most prominent and intrusive cybersecurity threats for individuals and businesses alike. It spreads rapidly and easily through simple methods such as malicious email campaigns targeting millions of users around the world. Until recently, ransomware, through infamous strains like CryptoWall, targeted users of the Windows operating system, the most widely used OS in the world.
However, as the Palo Alto researchers have discovered, Apple customers and Mac users are now also among the targeted, following the discovery of a new ransomware strain spread through a compromised installer of the popular free BitTorrent client Transmission.
The KeRanger Ransomware
Security researchers at Palo Alto discovered the malware strain on March 4 and named it “KeRanger”; it is the first known fully functional Mac OS X ransomware operating in the wild.
The attackers behind the ransomware compromised multiple installers of Transmission, a popular P2P BitTorrent client; the affected version was 2.90. Such an attack would amount to a substantial hack of the project’s website to begin with, followed by tampering with the installer file that is routinely downloaded by millions of Mac users around the world.
An excerpt from Palo Alto’s blog reads:
It’s possible that Transmission’s official website was compromised and the files (installers) were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.
Amazingly, the KeRanger application was also found to be signed with a valid Mac app developer’s certificate, which gave the malware the means to bypass Apple’s security framework, Gatekeeper. Quite simply, if an unsuspecting user ran the infected installer carrying that certificate, Gatekeeper would allow it to install.
Researchers determined that the malware waits three days before reaching out to its command and control servers over the Tor anonymity network. After this three-day dormant period, the malware begins to encrypt documents and data files on the infected system.
Eventually, KeRanger demands a payment of 1 bitcoin (approx. $400) as the ransom in exchange for a decryption key for victims to regain access to their encrypted files.
Alarmingly, KeRanger also appears to remain under active development: its authors have even coded it to attempt to encrypt Apple’s Time Machine backups, which users rely on as a method of recovery.
Once notified, Apple quickly revoked the abused certificate and issued updates to its XProtect antivirus program. Transmission pulled the tampered installer and released a newly updated version of the program without the ransomware.