Ransomware in Mac Attack

Tuesday, March 8, 2016 @ 03:03 PM gHale


An attacker was able to get into the Transmission BitTorrent client for Mac, infecting it with a fully functional ransomware that targets Mac computers, researchers said.

The infection occurred on March 4, and researchers from Palo Alto Networks said someone hacked the official Transmission website and replaced the legitimate Transmission client for Mac version 2.90 with one that included the KeRanger ransomware.


Mac users have never been targeted with a fully-working ransomware family until now, researchers said.

KeRanger is a carbon copy of crypto-ransomware families currently targeting Windows and Linux machines, Palo Alto Networks researchers said.

The ransomware uses AES encryption to lock files, targets over 300 file extension types and demands a 1 Bitcoin payment ($400). Payment must be made in Bitcoin over a Dark Net site.

After infecting users, KeRanger will lie in wait for three days before starting its encryption process, the researchers said. This means that some of the people who downloaded the infected Transmission BitTorrent client since March 4 may still have a chance to remove the ransomware from their Mac before their data is encrypted.

Palo Alto provides removal instructions on its site. Once the encryption process has started, files cannot be recovered unless the victim pays the ransom or restores them from a backup.

Researchers who examined the ransomware's source code also said KeRanger includes unfinished features which, in future versions, would target and encrypt Time Machine files, making it impossible to recover files from older system backups.

Another feature would allow attackers to run commands on infected computers, making KeRanger a ransomware and a backdoor malware at the same time.

KeRanger was also using a stolen certificate to sign its code, which allowed it to bypass Apple's Gatekeeper protection system. Apple has revoked the certificate and also updated the XProtect antivirus signature to protect future victims from infection.

The Transmission open-source project removed the malicious binaries from their site and issued a new version of their Mac client, version 2.92.
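The following triage helper is an added example and is not code from the article, from Palo Alto Networks or from the Transmission project. It reads the installed bundle's version string from the standard macOS Contents/Info.plist key CFBundleShortVersionString, flags the replaced 2.90 build, reports whether the client is older than the re-issued 2.92, and, using the article's March 4 compromise date and three-day delay, estimates whether the encryption timer for a given install date would already have fired. The sample plist, the install dates and the use of the plist's modification time as an install-date proxy are assumptions made for the example.

```python
"""Triage helper for the trojanized Transmission 2.90 release described above.

Added example, not code from the article or from the Transmission project.
Assumptions: the bundle version is read from Contents/Info.plist under the
standard key CFBundleShortVersionString; the compromise start (March 4, 2016),
the three-day delay and the 2.90 / 2.92 version numbers come from the article;
the sample plist below is constructed for the example.
"""

import plistlib
from datetime import date, timedelta
from pathlib import Path

TROJANIZED_VERSION = "2.90"          # build swapped on the Transmission site (from the article)
CLEAN_VERSION = "2.92"               # re-issued clean release (from the article)
COMPROMISE_START = date(2016, 3, 4)  # day the malicious build went live (from the article)
DELAY_DAYS = 3                       # KeRanger waits three days before encrypting (from the article)

# Constructed sample Info.plist carrying the trojanized build's version string.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleShortVersionString</key>
    <string>2.90</string>
</dict>
</plist>
"""


def parse_version(text: str) -> tuple:
    """Turn '2.90' into (2, 90) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def bundle_version(plist_bytes: bytes) -> str:
    """Extract the short version string from an XML or binary Info.plist."""
    info = plistlib.loads(plist_bytes)
    return str(info.get("CFBundleShortVersionString", ""))


def is_trojanized_build(version: str) -> bool:
    """True only for the exact 2.90 release that was replaced on the site."""
    return parse_version(version) == parse_version(TROJANIZED_VERSION)


def needs_update(version: str) -> bool:
    """True when the installed client predates the clean 2.92 release."""
    return parse_version(version) < parse_version(CLEAN_VERSION)


def encryption_window(install_day: date, today: date) -> dict:
    """Place an install relative to KeRanger's three-day delay.

    A download made before COMPROMISE_START predates the swap and is not at
    risk from this incident. Otherwise the timer fires DELAY_DAYS after install.
    """
    if install_day < COMPROMISE_START:
        return {"at_risk": False, "encryption_may_have_started": False, "days_left": None}
    trigger_day = install_day + timedelta(days=DELAY_DAYS)
    started = today >= trigger_day
    days_left = None if started else (trigger_day - today).days
    return {"at_risk": True, "encryption_may_have_started": started, "days_left": days_left}


def triage(plist_bytes: bytes, install_day: date, today: date) -> dict:
    """Combine the version check with the delay estimate into one report."""
    version = bundle_version(plist_bytes)
    report = {
        "version": version,
        "trojanized_build": is_trojanized_build(version),
        "needs_update": needs_update(version),
    }
    if report["trojanized_build"]:
        report.update(encryption_window(install_day, today))
    return report


def triage_installed_app(app_path: Path, today: date) -> dict:
    """Run the triage against a real bundle on disk.

    Assumption: the Info.plist modification time is used as a proxy for the
    install date; a more reliable source is the download date or browser history.
    """
    plist_path = app_path / "Contents" / "Info.plist"
    install_day = date.fromtimestamp(plist_path.stat().st_mtime)
    return triage(plist_path.read_bytes(), install_day, today)


if __name__ == "__main__":
    # Constructed scenario: installed March 5, checked March 7 -> one day left on the timer.
    print(triage(SAMPLE_INFO_PLIST, date(2016, 3, 5), date(2016, 3, 7)))
```

The numeric version comparison matters: comparing "2.90" and "2.92" as strings happens to work, but "2.9" would sort above "2.10" lexically, so `parse_version` splits the string into integers before comparing. The three-day estimate is only an upper bound on safe time; a flagged 2.90 install should be removed and a backup verified regardless of how many days the estimate reports.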