Apple Macs Are Being Held for Ransom by KeRanger Malware

By  | 

Over the weekend Apple Mac users were attacked by a piece of ransomware in what is being reported as the first time ever that Macs have been subject to this type of malware. Researchers with Palo Alto Networks were the ones to reveal the malware, known as KeRanger, and immediately alerted Apple to the security threat.

Ransomware, a particularly vicious type of malware, encrypts data on the infected machines so that it becomes unusable by the user. The malware then asks the user to pay a ransom in a difficult to trace online currency to receive a digital key to restore their data.

Typically this type of malware is targeted against Windows computers as there are a larger number of devices running Windows operating systems, and the Apple Mac operating system – Mac OS X – was considered to be more secure.

Ryan Olson of Palo Alto Threat Intelligence said that the KeRanger malware that appeared over the weekend was the first functioning ransomware to attack Mac computers.

The way computers were infected by this piece of ransomware was from the popular BitTorrent client Transmission. On Friday Transmission released it’s latest update to the client Transmission 2.90. Mac users who downloaded Transmission version 2.90 also received the KeRanger Malware. The malware then began to encrypt users files, and demanded a ransom of 1 bitcoin (£286) to restore the files.

The Palo Alto team who discovered the malware speculate that the Transmission program, which is open source,  was re-compiled into new malicious versions that contained the ransomware. It is possible the Transmission website was hacked into and the new update files switched for the malware containing files.

Palo Alto immediately alerted both Apple and Transmission to the security threat. Apple revoked the developer’s certificate, preventing the program from installing if users downloaded the update. Transmission removed the malicious version of its software from the website and began work on a clean version. On Sunday Transmission released a new version that will automatically remove the ransomware from the infected computers.

Unfortunately for Apple and Apple customers alike, attacks and malwares such as this are likely to only become more common in the future. While this is the first ever fully functioning piece of ransomware to attack Mac computers, there was a piece of ransomware found on Macs in 2014 named FileCoder that was incomplete, as use of Apple devices becomes more common, the incentive for criminals to attack those devices will increase.

Greg Day, Palo Alto Networks’ chief security officer for Europe, the Middle East and Africa said on the subject,

“We’ve seen more Mac threats in the last few years – it’s a very good reminder that there is no environment which is risk free from cyber attack.”