Apple Partners: First Known Mac Ransomware Campaign Shows No One Lives On A 'Secure Island'

Macintosh users for the first time have been targeted with live ransomware, a malicious software that encrypts data on infected devices and then forces users to pay a ransom via digital currency to retrieve their data, according to Palo Alto Networks.

Palo Alto Networks said the ransomware, dubbed ’KeRanger,’ infected a piece of BitTorrent software known as Transmission. When users downloaded this product, the ransomware was installed onto their machine. After Palo Alto Networks reported the ransomware issue to Apple Friday, Apple revoked the abused certificate and updated its antivirus software.

’ Transmission is an open-source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred,’ Palo Alto representatives said in a blog post.

[Related: 6 Security Threats Facing SMBs – And How Partners Can Help]

KeRanger was able to bypass Apple’s Gatekeeper protection because it was signed with a valid Mac app development certificate. Apple, Cupertino, Calif., did not respond to a request for comment from CRN by press time.

The ransomware will bring attention to security on Apple devices, which are generally perceived as immune to cyberattacks, particularly ransomware, said Apple partners.

’This situation helps partners like me educate clients that Apple is not immune from viruses,’ said David Felton, owner of Canaan Technology, Norwalk, Conn. ’Customers can take preventative measures before they get hit. We recommend clients use a UTM [unified threat management] solution at the gateway, and make sure they have a backup in place that includes versioning.’

Felton said that ransomware is an especially destructive malware because it is ’entirely based off of extorting money’ from victims. While customers can take preventative measures, he said, there is not much they can do when attacked by ransomware if they have not backed up their data.

According to Palo Alto Networks, once KeRanger was installed, it waited three days before attacking Mac users by encrypting certain types of data on the system. KeRanger then demanded users pay one bitcoin -- equivalent to around $400 -- as the ransom price to retrieve their data.

Morris Stemp, COO of StratX IT Solutions, a White Plains, N.Y.-based solution provider that helps customers with security risk analysis, secure firewall management and encryption issues, said the ransomware is ’serious,’ and that Apple customers need to be aware of the security threats on any device.

’This is not a good virus … [but] it’s preventable by users who are aware of what they’re doing,’ he said. ’There’s an idea in people’s head that Macs are less susceptible to viruses, but this demonstrates that’s not the case. … The most significant thing this should highlight for users is that Macs don’t live on a secure island.’

Stemp said StratX IT Solutions has had about 10 customers who have dealt with ransomware attacks over the past six months. In addition to UTM solutions and appropriate backup measures, he said educating customers on security awareness training measures is vital to preventing future attacks.

’The idea of security awareness training is one that companies should really explore,’ said Stemp. ’The hackers are getting so sophisticated at phishing … they’re using highly realistic emails based on real company information available online.’

In 2014, Apple users had another scare when Kaspersky Lab detected "FileCoder," ransomware that targeted OS X users; however, Palo Alto Networks noted that this ransomware was incomplete at the time of its discovery, while KeRanger is fully functional.