A security company has reported the discovery of the first ransomware known to specifically target OS X machines.
“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” security researcher Ryan Olson stated. In addition, Olson said that he expected more Mac ransomware to proliferate.
“It is a little bit surprising because ransomware has been so incredibly popular for Windows, and mobile platforms,” he said. “It’s now one of the most popular criminal business models. The fact that it hasn’t made it to Mac shows that it’s had a great amount of success on the Windows side. But the fact that [the malware] was distributed through a legit application demonstrates that we will see this again.”
The so-called “KeRanger” malware, which imposes a 72-hour lockout window unless the victim pays 1 bitcoin, was first discovered in a rogue version of Transmission, a well-known BitTorrent client.
Until now, this kind of ransomware has hit Windows machines, threatening total data destruction if the ransom is not paid. Not long ago, a Los Angeles hospital was infected and paid a $17,000 ransom to get its systems decrypted.
Last June, the FBI reported about 992 victims of CryptoWall, a similar ransomware scheme, who had sustained combined losses totaling over $18 million.
Over the weekend, a group of Transmission users on a discussion board noticed the strange activity. According to them, version 2.90 of Transmission was infected with the ransomware. The Transmission website appears to have been compromised, as the infected download was served over HTTP rather than from the primary HTTPS Transmission website.
Transmission posted on its website:
“Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file.”
Here is what security researchers Claud Xiao and Jin Chen wrote:
“The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.”
Apple has not made any comments on the issue yet.
In addition, Olson said that the rogue version was live on the Transmission website for only 36 to 48 hours, and that “we don’t really know anything about that company” to which the signing certificate was issued.
In conclusion, the malware researchers stated:
“Users who have directly downloaded the Transmission installer from the official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third-party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.”
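The advisory above gives an incident responder two triage criteria: the Transmission version (2.90 is the trojanised build, 2.91 the fix, older releases unaffected) and whether the installer was fetched from the official site inside the stated PST window. The script below is an added example, not code from the article or from the researchers' own security checks; it turns those two criteria into a small triage function so that timestamps recorded in other time zones (browser history, proxy logs, file mtimes, which are usually UTC) are compared correctly. The function names, the result labels, and the `Info.plist` reading helper are this example's own assumptions; the window boundaries and version numbers come from the advisory.

```python
"""Triage helper for the KeRanger/Transmission 2.90 exposure window (added example)."""
from datetime import datetime, timedelta, timezone
from pathlib import Path
import plistlib

# Exposure window quoted in the advisory: 11:00am PST, 4 March 2016 to 7:00pm PST,
# 5 March 2016. PST is UTC-8; US daylight time for 2016 began on 13 March, so no
# PDT adjustment applies inside this window.
PST = timezone(timedelta(hours=-8))
WINDOW_START = datetime(2016, 3, 4, 11, 0, tzinfo=PST)
WINDOW_END = datetime(2016, 3, 5, 19, 0, tzinfo=PST)

AFFECTED_VERSION = (2, 90)   # trojanised build named by the advisory
FIXED_VERSION = (2, 91)      # build Transmission told users to upgrade to


def parse_version(version: str) -> tuple:
    """Turn '2.90' or '2.91' into a comparable tuple of integers."""
    return tuple(int(part) for part in version.strip().split("."))


def downloaded_in_window(downloaded_at: datetime) -> bool:
    """True if a timezone-aware download timestamp falls inside the exposure window.

    Naive timestamps are rejected: comparing a UTC log time against a PST window
    without a zone is exactly the mistake this helper exists to prevent.
    """
    if downloaded_at.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return WINDOW_START <= downloaded_at <= WINDOW_END


def triage(version: str, downloaded_at: datetime, official_source: bool) -> str:
    """Classify a host from the advisory's criteria (labels are this example's own).

    likely-exposed    - 2.90 from the official site inside the window
    check-recommended - 2.90 obtained outside the window or from a third party
    not-affected      - an older release, or 2.91 and later
    """
    parsed = parse_version(version)
    if parsed != AFFECTED_VERSION:
        return "not-affected"
    if official_source and downloaded_in_window(downloaded_at):
        return "likely-exposed"
    return "check-recommended"


def installed_transmission_version(app_path="/Applications/Transmission.app") -> str:
    """Read CFBundleShortVersionString from an installed app bundle (macOS only).

    Returns an empty string when the bundle is not present, so the triage logic
    can be exercised on a non-Mac analysis host with constructed inputs instead.
    """
    plist = Path(app_path) / "Contents" / "Info.plist"
    if not plist.is_file():
        return ""
    with plist.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString", "")


if __name__ == "__main__":
    # Constructed scenarios (not real hosts); download times are given in UTC, as a
    # proxy or browser-history export would typically record them.
    scenarios = [
        ("2.90", datetime(2016, 3, 5, 3, 0, tzinfo=timezone.utc), True),    # 19:00 PST 4 Mar
        ("2.90", datetime(2016, 3, 4, 18, 59, tzinfo=timezone.utc), True),  # 10:59 PST 4 Mar
        ("2.90", datetime(2016, 3, 5, 3, 0, tzinfo=timezone.utc), False),   # mirror download
        ("2.84", datetime(2016, 3, 5, 3, 0, tzinfo=timezone.utc), True),
        ("2.91", datetime(2016, 3, 7, 12, 0, tzinfo=timezone.utc), True),
    ]
    for version, when, official in scenarios:
        print(f"{version:>5} {when.isoformat()} official={official!s:5} -> "
              f"{triage(version, when, official)}")
    local = installed_transmission_version()
    print("installed Transmission version:", local or "(bundle not found)")
```

The window comparison is inclusive at both ends, matching the advisory's "after 11:00am ... and before 7:00pm" only approximately; when a timestamp sits exactly on a boundary, treat the host as exposed rather than argue about a minute. On a real Mac, `installed_transmission_version()` supplies the version argument for `triage`; the download time and source still have to come from browser history or proxy logs.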