‘KeRanger’ Ransomware Hits OS X

Written by

Palo Alto Networks has unearthed a new piece of ransomware that is specifically targeting the OS X platform.

According to the security company the ransomware, which has been dubbed ‘KeRanger’, is the first to be fully functional on the OS X platform and infected the Transmission BitTorrent ailient installer, bypassing Apple’s Gatekeeper protection with a signed valid Mac app development certificate.

On 4 March attackers targeted two installers of Transmission version 2.90 and users who installed affected apps will be hit with an executable file on their system. Three days later KeRanger begins encrypting specific types of documents and data before demanding one bitcoin (about $400) from victims for the release of their files.

Apple has since withdrawn the abused certificate and updated XProtect anti-virus signature, and Transmission Project has removed the malicious installers from its website.

Thomas Reed, Director of Mac Offerings at Malwarebytes, told Infosecurity they have added detection of KeRanger to their Mac signatures and whilst they have not yet seen anyone infected, because the ransomware takes three days to detonate, he expects some users to be hit today.

“A good backup should enable users to recover, except for one issue: the malware will also encrypt certain file types on connected external drives or network volumes,” he explained. 

“That means that it could very easily encrypt backups as well. If you keep a set of backups on a hard drive that is not constantly connected to your Mac, then that will be safe, and you could restore from that onto a clean or disinfected system. But if your backup drive is constantly connected, or periodically connected (as in the case of a Time Capsule on the network), you could be in trouble.”

James Maude, senior security engineer at Avecto, said KeRanger sets an interesting precedent regarding Mac malware, with attackers seemingly targeting the torrent itself, abandoning the traditional method of focusing on downloads.

“As with most Mac malware this strain is exploiting the fact that users routinely login with privileged admin accounts and are free to download and install software from unknown sources. In this case the Gatekeeper check was bypassed using a genuine developer certificate.”

"On the Windows platform provisioning all your users with admin accounts is unthinkable, but when it comes to Macs organizations often 'think differently'.”

Maude said this has resulted in Macs becoming a weak link in enterprise security, which is something that hackers are both aware of and exploiting. 

"We are seeing an increasing number of malware strains and attacks targeting Mac users who are often left almost unprotected. Our advice is to follow the same best practice on all your devices no matter what the operating system is: patching, least privilege and whitelisting applications."

What’s hot on Infosecurity Magazine?