First ever ransomware targets certain Apple users: Virus infects Mac OS
Some Apple users have been hit by a ransomware in what is known as the first ever attack on Macintosh computers. Some product customers received ransom demands for one bitcoin or about US$400 (AU$540) after their devices were infected with a malicious software.
Ransomware, which encrypts data on infected machines then asks owners to pay for ransom in exchange for the retrieval of their data, isn’t new. It has been around since the late ‘80s, though it has only gained traction in the recent years. However, this certain malware is thought to be the first to target Mac computers. Ransomware typically targets Microsoft Windows operating system users.
According to online security company Palo Alto Networks, the Transmission BitTorrent client installer for OS X was infected with ransomware. It has named it “KeRanger,” which the company believes is the first fully functional ransomware seen on the OS X platform.
The KeRanger application, which was infected on two installers of the popular open source program Transmission version 2.90 on March 4, was signed with a valid Mac app development certificate, which enabled it to bypass Apple’s Gatekeeper protection. Once the infected app is installed, an embedded executable file is run on the system. The ransomware then waits for three days before connecting with C2 servers over the Tor anonymiser network, and then it begins encrypting document and data on the system.
KeRanger then demands users pay the ransom of one bitcoin to an address to retrieve their files. Palo Alto adds that the malware appears to be still under development and is attempting to encrypt Time Machine backup files, which would prevent its victims from recovering their backup data.
Apple has since been informed. A rep said the company had taken steps to prevent further infections by revoking a digital certificate that enabled KeRanger to install on Macs. The Transmission Project also removed the infected installers from its website on March 5.
Those who have directly downloaded Transmission after 11 am PST on March 4 (5 am AEST on March 5) and before 7 pm on March 5 (1 pm AEST on March 6) may have been infected by KeRanger. Palo Alto Networks has step-by-step guide on what to do for users who have been victimised by the virus.