Mac Ransomware Spotted in the Wild

Researchers find what they say is the "first fully functional ransomware seen on the OS X platform."

|
Mar 7 2016, 1:30pm

Image: Shutterstock

It's been a long time coming, but researchers have found what they claim is the first effective "in-the-wild" sample of ransomware targeting Macs. They've dubbed it "KeRanger."

"We believe KeRanger is the first fully functional ransomware seen on the OS X platform," Palo Alto Networks researchers Claud Xiao and Jin Chen wrote on the company's blog on Sunday. The findings were first reported by Reuters.

Judging by the researchers' description, KeRanger is a fairly standard piece of ransomware. Three days after a victim inadvertently downloads and installs the program, it collects the Mac's model name and unique identifier and connects to a command and control server over Tor. It then encrypts files on the victim's computer, before demanding they cough up a fee of one bitcoin (around $410 at the time of writing).

The researchers write that the malware targets 300 different file types. A readme file points victims to a Tor hidden service where they can pay the hackers to decrypt their files.

The malware also seems to have some extra functions that haven't yet been fulfilled. "Our analysis suggests the attacker may be trying to develop backdoor functionality and encrypt Time Machine backup files as well," the researchers add. "If these backup files are encrypted, victims would not be able to recover their damaged files using Time Machine."

Before it was noticed, KeRanger was spread in a rather novel way. Somehow, it was bundled within two installers for Transmission, an open-source client for downloading torrents. On the morning of March 4, the Palo Alto Networks researchers write, attackers infected installers for Transmission version 2.90.

It's unclear how Transmission ended up being used as a distribution platform for this new ransomware, but it has echoes of a recent case also involving open-source software. Last month, a hacker compromised the official website of a particularly popular flavour of Linux, and replaced files of the operating system with a modified version containing a backdoor.

The researchers say KeRanger was signed with a valid Mac app development certificate. This would have fooled targeted systems into thinking the ransomware was a legitimate piece of Mac software, created by a developer known to Apple. The identity linked to this certificate was different to that used to sign previous versions of Transmission, Palo Alto Networks add.

The certificate has since be revoked, and the tampered versions of Transmission removed from the website.

Although this may be the first effective piece of Mac ransomware, the writing has been on the wall for years. Back in 2014, researchers from cybersecurity company Kaspersky found ransomware that appeared to be designed to target Mac OS X called FileCoder, but it was incomplete and ineffective. At least two researchers have also created proof-of-concepts for Mac ransomware: OS X reverse-engineer Pedro Vilaça published one to Github last year, which was followed by another from Brazilian researcher Rafael Salema Marques.

Ransomware is one of the most creative areas of cybercrime today. It's no surprise that hackers are now targeting Mac users; the more puzzling thing is why it took them so long.