Apple Partners: First Known Mac Ransomware Campaign Shows No One Lives On A 'Secure Island'


Macintosh users for the first time have been targeted with live ransomware, malicious software that encrypts data on infected devices and then forces users to pay a ransom in digital currency to retrieve their data, according to Palo Alto Networks.

Palo Alto Networks said the ransomware, dubbed “KeRanger,” infected a piece of BitTorrent software known as Transmission. When users downloaded this product, the ransomware was installed onto their machine. After Palo Alto Networks reported the ransomware issue to Apple Friday, Apple revoked the abused certificate and updated its antivirus software.

“Transmission is an open-source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred,” Palo Alto representatives said in a blog post.


KeRanger was able to bypass Apple’s Gatekeeper protection because it was signed with a valid Mac app development certificate. Apple, Cupertino, Calif., did not respond to a request for comment from CRN by press time.

The ransomware will bring attention to security on Apple devices, which are generally perceived as immune to cyberattacks, particularly ransomware, said Apple partners.

“This situation helps partners like me educate clients that Apple is not immune from viruses,” said David Felton, owner of Canaan Technology, Norwalk, Conn. “Customers can take preventative measures before they get hit. We recommend clients use a UTM [unified threat management] solution at the gateway, and make sure they have a backup in place that includes versioning.”

Felton said that ransomware is an especially destructive malware because it is “entirely based off of extorting money” from victims. While customers can take preventative measures, he said, there is not much they can do when attacked by ransomware if they have not backed up their data.

According to Palo Alto Networks, once KeRanger was installed, it waited three days before attacking Mac users by encrypting certain types of data on the system. KeRanger then demanded users pay one bitcoin -- equivalent to around $400 -- as the ransom price to retrieve their data.

Morris Stemp, COO of StratX IT Solutions, a White Plains, N.Y.-based solution provider that helps customers with security risk analysis, secure firewall management and encryption issues, said the ransomware is “serious,” and that Apple customers need to be aware of the security threats on any device.

“This is not a good virus … [but] it’s preventable by users who are aware of what they’re doing,” he said. “There’s an idea in people’s head that Macs are less susceptible to viruses, but this demonstrates that’s not the case. … The most significant thing this should highlight for users is that Macs don’t live on a secure island.”
