After Years of Success in Windows, Ransomware Makes Its Debut in Apple Computers

Apple is rumored to be adding new features to the next generation of MacBooks. REUTERS/Brendan McDermid

Ransomware, a rising form of malware that encrypts the targeted computer’s files and then asks the owner for ransom, has finally breached the walls of Apple’s OS X.

In a first for Apple, Palo Alto Networks, a security research firm, discovered new ransomware called KeRanger that has targeted MacBook users who were downloading the latest version of a popular BitTorrent client—software that allows users to easily share and download files from one another—called Transmission. Anyone who downloaded the new version on March 4 and 5 may have downloaded KeRanger.

Ransomware made the news last month for holding hostage the data that ran a Los Angeles hospital. After moving its emergency patients to nearby hospitals, the hospital coughed up $17,000 for the encryption key.

KeRanger is the first known case of ransomware targeting Apple operating systems. Ransomware has been largely successful on Windows computers for the last few years. Hackers generally stayed away from Macs because they had a smaller market share than Windows, and thus fewer ransoms to harvest.

Cybersecurity analysts do not know the exact number of affected Mac users because KeRanger lies dormant for about 72 hours after it has been downloaded. The gravity of this ransomware will be fully unveiled by Wednesday morning, but some cybersecurity researchers have already called this a likely dud with fewer than 7,000 users affected. Nonetheless, KeRanger sets a scary precedent for future hackers to follow.

KeRanger targets the owner’s most valuable data and encrypts it after lying dormant. Without a key, the owner won’t be able to retrieve the data unless they pay one bitcoin, worth over $400, to the hackers. Experts believe KeRanger snuck its way into Transmission because Transmission is an open-source project. KeRanger had Apple’s developer certificate at the time, a certification that enables MacBook users to download software without warnings.

The waiting period for the software is part of the trap. “If I were to download Transmission today and install it, and five minutes later, all my files were encrypted, savvy users would notice the connection to the Transmission download. They’d tweet about it, complain on forums and Transmission would know about it and take it down,” says Palo Alto Networks director of threat intelligence Ryan Olson to the cybersecurity blog ThreatPost. “The waiting period avoids that connection being made on the users’ behalf.”

Apple and Transmission have both taken swift action to prevent more victims. Transmission has put up a warning notice on its website and has since removed the malicious installers from its software.

Meanwhile, Apple has revoked Transmission’s developer certificate. If one tries to download the software on a Mac, the computer will warn about downloading harmful software. Apple confirmed to Newsweek that the certificate has been pulled and that it has updated its built-in anti-malware functionality, called XProtect, to prevent more damage.

For those who may be affected by KeRanger, experts at Palo Alto Networks recommend weeding out relevant KeRanger code by going into Terminal or Finder (detailed instructions are listed here under the “How to Protect Yourself” section) and turning off auto updates for Transmission to prevent future ransomware.