This is only the second ransomware targeting Mac OS X to be uncovered, following Kaspersky Lab’s discovery of the FileCoder ransomware in 2014. Still, the researchers noted, “As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.”
“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Palo Alto Networks threat intelligence director Ryan Olson told Reuters.
Two installers of Transmission version 2.90 were infected with KeRanger on the morning of March 4. “Transmission is an open source project,” the researchers wrote. “It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.”
The malware was signed with a valid Mac app development certificate, allowing it to bypass Apple’s Gatekeeper protection. When the app is installed, an embedded executable file is run, and the malware waits for three days before connecting with command and control servers via Tor, then begins encrypting documents and files on the infected system.
Once the encryption process is complete, the ransomware demands that victims pay one bitcoin (approximately $410) to decrypt their files. “Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their backup data,” the researchers noted.
In a blog post, Thomas Reed, director of Mac offerings at Malwarebytes, suggested it’s an extremely bad idea to pay any ransom to decrypt files. “In the Windows world, paying the ransom sometimes results in getting a key that can successfully unlock the files,” he wrote. “However, it also can result in sending money to the hackers and getting nothing in return, or receiving a key that doesn’t actually work properly because the ransomware was poorly written.”
After the researchers notified the Transmission Project and Apple, the malicious installers were removed from Transmission’s website, and Apple revoked the app development certificate.
Tripwire director of IT security and risk management Tim Erlin told eSecurity Planet by email that the malware marketplace is ultimately driven by the population of targets, making Windows much more attractive to attackers than OS X. “It may have taken a little longer for ransomware to come to the Mac, but that shouldn’t be interpreted in terms of [relative] security, but in terms of target density,” he said. “There are fewer Mac users, especially fewer corporate Mac users, available to pay the ransoms. Apple is, however, growing faster in the PC market than Windows vendors. Any increase in Apple’s user base makes the systems a more attractive target for cybercriminals.”
And LogMeOnce CEO Kevin Shahbazi suggested by email that IT departments take the following steps to protect enterprise systems from attacks like these:
- In controlled environments, IT teams should test and validate patches before they deploy to user desktops.
- IT department should take adequate time to test software patches based on their organization’s policy. In some organizations, patches are tested for 30 days before being applied. If such a test was conducted, this malware issue would have been simply avoided.
- IT department should perform a controlled roll-out by dispatching patches to select groups first, as part of a patch roll-out and validation.
- IT department should ensure that software patches have an authentic digital signature.
- Antivirus software must be up-to-date on all servers and desktops.
- IT department should ensure that they have regular backup of their critical systems and data.
- Network devices need to have firewall, to fend-off such attacks destined to firewalls.
- SaaS-based password manager with proper backup.
“The first step is prevention, which needs to be planned in advance by deploying software and implementing security policies and procedures,” Shahbazi added. “Please keep in mind that security should be treated as a layered system, so your security posture should include defensive layers.”