The very first ransomware designed to target users of Mac computers was busted over the weekend through close coordination between Apple Inc. and Palo Alto Networks.
Security researchers found that the file-encrypting malware had been seeded inside Transmission, a legitimate Bitcoin application used by many Mac users. However, it is unclear how the attackers managed to upload a tampered version of Transmission to the application’s website.
This is the first time Mac users have been targeted by a ransomware attack; such attacks usually focus on Windows users. Attackers have grown interested in the Mac as well as Windows, even though Apple’s share of the desktop computing market is considerably smaller than that of Windows.
As is well known, ransomware attacks its victims by encrypting their computers and the files on them, then demanding that the victims pay a ransom in Bitcoin to obtain the decryption key needed to recover their files and regain access to the computer.
The ransomware, called KeRanger, appears to affect Mac users running version 2.90 of the Bitcoin application. Transmission said in an advisory published on its website that it would help tremendously if Mac users upgraded their Transmission software to version 2.92. KeRanger is configured to connect to a remote command-and-control server three days after it is seeded on a Mac. It then encrypts more than 300 file types and demands a ransom of 1 Bitcoin, equivalent to $404.
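The behaviour described above (one process rewriting files of many different types in a short burst) is something a defender can watch for directly. The following is an added example, not code from the article, Apple, Palo Alto Networks or the Transmission project: a sliding-window heuristic that flags any process which writes many files spanning many distinct extensions within sixty seconds. The event log, the process name "payload-constructed" and the thresholds are constructed assumptions, not values taken from KeRanger.

```python
"""Heuristic detection of ransomware-like file activity.

Added example, not code from the article, Apple or Palo Alto Networks.
The article says KeRanger encrypts more than 300 file types, so one
defender-side signal is a single process rewriting many files of many
distinct types within a short window. The event log below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import os


@dataclass(frozen=True)
class FileEvent:
    ts: datetime      # when the file was written
    process: str      # process that performed the write
    path: str         # path that was written


def _build_sample_events():
    """Constructed events: a benign editor plus a hypothetical encrypting payload."""
    base = datetime(2016, 3, 6, 9, 0, 0)
    events = []
    # Benign: an editor saving five text files over ten minutes.
    for i in range(5):
        events.append(FileEvent(base + timedelta(minutes=2 * i), "TextEdit",
                                f"/Users/alice/notes{i}.txt"))
    # Suspicious: "payload-constructed" (hypothetical name) rewriting 40 files
    # of 20 different types within 30 seconds.
    exts = ["doc", "docx", "xls", "pdf", "jpg", "png", "mov", "mp3", "zip", "key",
            "pages", "numbers", "txt", "psd", "sql", "csv", "html", "xml", "json", "pptx"]
    for i in range(40):
        events.append(FileEvent(base + timedelta(seconds=0.75 * i), "payload-constructed",
                                f"/Users/alice/Documents/file{i}.{exts[i % len(exts)]}"))
    return events


SAMPLE_EVENTS = _build_sample_events()


def find_suspicious_processes(events, window=timedelta(seconds=60),
                              min_extensions=15, min_files=30):
    """Return {process: (distinct_extensions, files)} for every process that, in
    some sliding window of length `window`, wrote at least `min_files` files
    spanning at least `min_extensions` distinct extensions. The tuple reported
    is the largest seen for that process."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc[ev.process].append(ev)

    flagged = {}
    for proc, evs in by_proc.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            in_window = evs[start:end + 1]
            exts = {os.path.splitext(e.path)[1].lower() for e in in_window}
            if len(exts) >= min_extensions and len(in_window) >= min_files:
                flagged[proc] = max(flagged.get(proc, (0, 0)), (len(exts), len(in_window)))
    return flagged


if __name__ == "__main__":
    for proc, (n_ext, n_files) in find_suspicious_processes(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {n_files} files across {n_ext} extensions within 60s")
```

The thresholds are deliberately above what a normal editor or build tool produces; in a real deployment they would be fed from an endpoint's file-event stream rather than a constructed list, and tuned against a baseline of legitimate bulk writers such as backup agents.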
Attackers have made a habit of compromising legitimate applications such as Transmission, so the attack, although the first of its kind aimed at the Mac ecosystem, does not come as a surprise.
The tampered version of Transmission appeared to be a legitimate application because it was signed with an Apple developer’s certificate, which allowed it to bypass Apple’s Gatekeeper. As a result, victims received no warning that the application was harmful, because a Mac’s default security settings automatically allow applications from identified Apple developers to be installed.
Apple quickly revoked the certificate used for Transmission following an advisory from Palo Alto Networks, and went on to update its antivirus engine, called XProtect.
Ransomware threats are not immediately detected by ordinary antivirus products, because such malware is constantly updated to circumvent the detection methods provided by security vendors. The best way to counter ransomware attacks is to back your files up on an isolated system that remains inaccessible to the attack once your computer is infected. An even more serious danger arises when ransomware is able to reach your backup drive, as is the case with Apple’s Time Machine.
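The Time Machine caveat above is worth making concrete: a backup volume that stays mounted is just another set of files for the ransomware to encrypt. The following added example (not from the article or from Apple) shows one mitigation a practitioner can apply regardless of backup tool: record a SHA-256 manifest when the backup is taken, keep that manifest somewhere the backup host cannot write, and verify the backup against it before restoring. The directory layout, file contents and the ransom-note filename are constructed for the demonstration.

```python
"""Detect a backup set that has been rewritten after it was taken.

Added example, not from the article. If ransomware can reach a mounted backup
volume, the copies on it are just more files to encrypt. Recording a SHA-256
manifest when the backup is made and keeping that manifest where the backup
host cannot write to it lets you verify the backup before you restore from it.
Paths and file contents below are constructed.
"""
import hashlib
import pathlib
import tempfile


def sha256_file(path: pathlib.Path) -> str:
    """Hash a file in chunks so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: pathlib.Path) -> dict:
    """Map each file's path relative to `root` to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: pathlib.Path, manifest: dict) -> dict:
    """Compare the backup on disk with the manifest recorded when it was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Take a manifest, simulate ransomware touching the backup, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "thesis.pages").write_bytes(b"constructed document")
        (root / "photo.jpg").write_bytes(b"\xff\xd8constructed image")
        manifest = build_manifest(root)   # in practice stored off the backup volume

        # Simulated attack on the backup: one copy overwritten, a note dropped.
        (root / "photo.jpg").write_bytes(b"constructed ciphertext")
        (root / "RANSOM_NOTE_constructed.txt").write_text("constructed ransom note")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The check only has value if the manifest itself is out of the attacker's reach; storing it on the same writable volume as the backup would let the malware rewrite both. A manifest on read-only media, or signed and held by a separate account, closes that gap.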