According to security experts, the first ransomware targeting Macs contained hints that the cyber-criminals were working on a way to encrypt backups in an attempt to force payment. The researchers also said that the attack code included a non-working “stub” function labeled “_encrypt_timemachine.”
“We believe that they had plans to finish (the function) at some point,” stated Ryan Olson, director of threat intelligence. “But they went live a little earlier than they expected.”
Security researchers Claud Xiao and Jin Chen discovered KeRanger last Friday, just hours after it reached the wild, and completed their analysis on Saturday. They then turned to Apple to alert the Cupertino, Calif. company of their findings. By the end of the week, Apple had revoked the digital certificate used to sign the malware, and the company whose free Mac BitTorrent client had been used to distribute the attack code had removed the tainted version and issued an update to scrub the ransomware.
Because KeRanger contained a hard-coded three-day delay before executing, the researchers’ quick work meant that few if any Mac users had their files locked up, and so none had to hope they had backups or the $400 to pay the extortionists.
But the hackers were more ambitious than most: they planned code that would have encrypted more than 300 file types not only on a Mac’s internal hard drive but also on any Time Machine backups.
Time Machine is the backup software baked into OS X. Although Time Machine works with any external drive, Apple sells its own Time Capsule backup devices. As Time Machine is essentially fire-and-forget once enabled, it’s a very popular choice for Mac owners for backing up the contents of their desktop and notebook computers’ storage drives.
“Ransomware is a very profitable criminal activity,” said Thomas Reed, director of Mac offerings. “It’s the biggest money maker,” Reed continued, of the many ways criminals try to monetize their malware.
Ransomware has victimized PC owners for more than a decade, and while it has, like all malware, changed since it debuted, it retains some basic properties. Once a computer is infected, the code encrypts all or part of a drive, typically by selecting the most valuable file types, such as Microsoft Word or Excel documents. It then shows a message demanding payment for the key that will decrypt the data. Increasingly, that payment is demanded in Bitcoin, the digital currency.
KeRanger wanted one Bitcoin, or approximately $412 at Monday’s exchange rate.
The way to avoid paying such extortionists is to restore the system from recent backups.
Ransomware writers now typically disable Windows’ “System Restore” feature, which regularly takes snapshots of the PC, then lets the user return to that milestone. It’s less common for ransomware to explicitly target backups on Windows, however, perhaps because the operating system’s integrated Backup functionality is little used and scores of alternatives vie for market share.
According to Reed, “Some Windows ransomware will encrypt backups as well as the main drive.”
In addition, he said that Time Machine backups are “infamously fragile,” and it’s possible that had the hackers implemented an encrypt-all-external-backups feature in KeRanger, users would have found their backups trashed, not just locked up. In that case, paying the ransom wouldn’t have done any good, at least for the backups.
“As long as you’re respectful of it, and using Time Machine to do restoration, you’re good. But if you go messing with Time Machine backups with another app, you can break the whole thing, so you can’t restore at all.”
Olson and Reed agreed that there may not be much Apple could do to prevent Time Machine backups from being encrypted by hackers: KeRanger would have spotted any drive mounted to the Mac, and mounting the backup drive is exactly what Time Machine does in the background when it initiates a scheduled backup. Mac users can still recover a ransomware-locked system if they have multiple backups.