Mac Ransomware Is Real: How to Protect Yourself
UPDATED 1 pm ET March 8 to add analysis of KeRanger code by Bitdefender.
Mac encrypting ransomware has been discovered packaged with a popular BitTorrent client, marking the first time any form of ransomware targeting Apple's OS X has appeared in the wild.
Fortunately for Mac users, the risk of infection is small. You'd have to have installed version 2.90 of the Transmission BitTorrent software this past Friday or Saturday. The infected installer file was replaced with a clean version, 2.92, on Sunday, and Apple has updated its XProtect antivirus software to block the ransomware Trojan.
However, this certainly won't be the last piece of Mac ransomware. It's yet another reminder that Mac users face the same types of threats as Windows PC users — albeit at a smaller scale — and need to take the same precautions.
The ransomware was discovered this past Friday (March 4) by Santa Clara, California-based security firm Palo Alto Networks, which dubbed the malware "KeRanger" and alerted both Apple and the developers of Transmission right away.
"We believe KeRanger is the first fully functional ransomware seen on the OS X platform," Palo Alto Networks' Claud Xiao and Jin Chen wrote in a company blog posting yesterday (March 6).
Once installed on a Mac, KeRanger lies dormant, then after three days begins encrypting files in the "Users" directory and posts a notice demanding one bitcoin (about $400 at current exchange rates) to free the files.
Transmission is an open-source project to which anyone can contribute code. It appears criminals took advantage of this fact and "trojanized" the software by repackaging a legitimate Transmission installer disk image (.dmg) with an additional file called "General.rtf," which appeared to be a Rich Text Format file but was in fact an OS X executable file.
To get past the default settings of Gatekeeper, OS X's app-inspecting software, all applications must be "signed" with a digital certificate of authenticity issued by Apple to approved software developers. Transmission has its own certificate, but the KeRanger makers instead used one stolen from a Turkish software developer.
If you did download or update Transmission on Friday or Saturday, you'll need to update it to version 2.92, now available on the Transmission site. Installing the new version will remove the infected one.
However, the executable ransomware may already be active in your system. To flush it out, Palo Alto Networks recommended taking the following steps:
1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
2. Using "Activity Monitor" preinstalled in OS X, check whether any process named "kernel_service" is running. If so, double check the process, choose the "Open Files and Ports" and check whether there is a file name like "/Users/<username>/Library/kernel_service". If so, the process is KeRanger’s main process. We suggest terminating it with "Quit -> Force Quit".
3. After these steps, we also recommend users check whether the files ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service" exist in the ~/Library directory. If so, you should delete them.
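The three checks above, written as a small POSIX shell script. This is an added example, not code from Palo Alto Networks, Apple or the Transmission project: every path and file name is taken from the steps above, while the optional directory arguments are an assumption added so the checks can be pointed at a staging directory instead of the live system. The process check assumes a ps(1) that understands `-eo pid=,comm=`, which both macOS and Linux provide.

```shell
#!/bin/sh
# Scripted version of the three KeRanger checks above (added example, not
# code from Palo Alto Networks, Apple or the Transmission project).
# Paths and names come from the advisory steps; the directory arguments are an
# assumption that lets the checks run against a staging tree for testing.

# Step 1: the trojanized bundle carried a fake "General.rtf" (really an OS X
# executable) under Contents/Resources, in the installed app and/or the
# still-mounted .dmg. Prints every path found; always returns 0.
find_trojan_resource() {
    app_dir="${1:-/Applications}"            # where Transmission.app is installed
    vol_dir="${2:-/Volumes/Transmission}"    # where the installer .dmg mounts
    for base in "$app_dir" "$vol_dir"; do
        f="$base/Transmission.app/Contents/Resources/General.rtf"
        if [ -e "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Step 2: KeRanger's main process runs under the name "kernel_service".
# Prints "<pid> <command>" for each match. macOS prints the full executable
# path in the comm column, Linux only the basename, so both forms are matched.
find_kernel_service_process() {
    if command -v ps >/dev/null 2>&1; then
        ps -eo pid=,comm= 2>/dev/null | awk '$2 ~ /(^|\/)kernel_service$/ { print }'
    fi
    return 0
}

# Step 3: state files dropped in ~/Library. Three of them start with a dot,
# so a plain Finder listing will not show them.
find_library_artifacts() {
    lib_dir="${1:-$HOME/Library}"
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$lib_dir/$name" ]; then
            printf '%s\n' "$lib_dir/$name"
        fi
    done
    return 0
}

# Runs all three checks and prints the total number of indicators found
# (a plain integer, safe to compare in a test). Arguments: app dir, volume
# dir, Library dir; each may be empty to use the default.
count_indicators() {
    { find_trojan_resource "$1" "$2"
      find_library_artifacts "$3"
      find_kernel_service_process; } | grep -c . || true
    return 0
}

# Interactive use: scan the real locations and say what to do with any hit.
report() {
    hits=$( { find_trojan_resource; find_library_artifacts; find_kernel_service_process; } )
    if [ -n "$hits" ]; then
        printf 'KeRanger indicators found:\n%s\n' "$hits"
        printf 'Delete the flagged Transmission bundle and ~/Library files; Force Quit kernel_service.\n'
    else
        echo "No KeRanger indicators found."
    fi
    return 0
}

report
```

Run it from Terminal as a normal user; nothing is deleted automatically, the script only reports, so you can compare its output with what Activity Monitor and Finder show before removing anything.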
If KeRanger has already begun encrypting your files and you're seeing a ransom note, don't pay. Instead, restore your system from Time Machine or another backup solution. (You did back up your Mac, didn't you?)
There is code inside KeRanger to encrypt Time Machine backups as well as files on the main hard disk, but the Palo Alto Networks researchers didn't think that function had yet been activated.
All Mac users should make sure their build of OS X is fully up to date, as Apple has pushed out updates that block KeRanger from running and revoked the stolen Turkish developer certificate.
Most Mac users should be running their Gatekeeper software at one of the two higher settings, allowing installation of software from the Mac App Store or from the Mac App Store and "identified developers." (The latter setting is the default.) The KeRanger criminals got past that setting with the stolen certificate, but it will keep out most malware.
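Gatekeeper accepts any valid Developer ID signature, which is why the stolen Turkish certificate got KeRanger past the setting described here and the code-signing requirement described earlier. What Gatekeeper does not do is tell you whether the signer is the developer you expected. The shell functions below, an added example rather than Apple's or the Transmission project's own code, wrap spctl(8) and codesign(1) to show both the Gatekeeper verdict and the leaf signing authority, and compare that authority against a developer name you supply. The output formats parsed here (the `path: accepted` line from `spctl -vv` and the `Authority=...` lines from `codesign -dv --verbose=4`) are assumptions about those tools' output, so the parsers are kept separate from the tool calls and can be exercised on constructed text on any system.

```shell
#!/bin/sh
# Gatekeeper / code-signing check for a downloaded app bundle (added example,
# not Apple's or the Transmission project's code). Assumes macOS's spctl(8)
# and codesign(1); the output formats matched below are assumptions about
# those tools, so the parsers take text and can be tested without macOS.

# Classify the output of `spctl --assess --type execute -vv <app>` as
# accepted / rejected / unknown (assumed format: "<path>: accepted").
classify_spctl_output() {
    case "$1" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
    return 0
}

# Extract the certificate chain from `codesign -dv --verbose=4 <app>` output
# (assumed format: one "Authority=..." line per certificate, leaf first).
signing_authorities() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p'
    return 0
}

# Compare the leaf signer with the developer you expect for this app.
# Prints "match" or "MISMATCH: <actual leaf>". A mismatch is exactly the
# situation above: a Transmission build signed with someone else's certificate.
check_expected_signer() {
    codesign_output="$1"; expected="$2"
    leaf=$(signing_authorities "$codesign_output" | head -n 1)
    case "$leaf" in
        *"$expected"*) echo "match" ;;
        *)             echo "MISMATCH: ${leaf:-unsigned}" ;;
    esac
    return 0
}

# Live wrapper: only meaningful on macOS, where spctl and codesign exist.
# $1: path to the .app bundle; $2: expected developer name (a placeholder
# you fill in from a known-good copy of the app, not a value from this page).
assess_app() {
    app="$1"; expected="$2"
    if ! command -v spctl >/dev/null 2>&1 || ! command -v codesign >/dev/null 2>&1; then
        echo "spctl/codesign not available (not macOS?)"
        return 0
    fi
    verdict=$(classify_spctl_output "$(spctl --assess --type execute -vv "$app" 2>&1)")
    signer=$(check_expected_signer "$(codesign -dv --verbose=4 "$app" 2>&1)" "$expected")
    printf 'Gatekeeper: %s\nSigner: %s\n' "$verdict" "$signer"
    return 0
}

# Usage on a Mac, after downloading a new build:
#   assess_app /Applications/Transmission.app "EXPECTED_SIGNER_PLACEHOLDER"
```

The point of the second comparison is that a "Gatekeeper: accepted" line on its own proves only that some Developer ID certificate signed the bundle; recording the leaf authority from a known-good install and checking new downloads against it is what would have flagged the swapped certificate.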
Ransomware began infecting Windows users en masse in 2010, but was mostly an annoyance until CryptoLocker appeared in late 2013. Instead of simply locking the screen, CryptoLocker encrypted user files before demanding a ransom, and users who hadn't backed up their systems had no choice but to pay up.
Since then, encrypting ransomware has run rampant across the world, generating hundreds of millions of dollars in cash for crooks and leaving many small businesses and local governments poorer. Last month, the Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 to free health records locked up by a ransomware attack.
Encrypting ransomware appeared for Android in 2014, but until now, Macs had been immune. In the summer of 2013, a browser-based screen-locking ransomware affected Macs as well as PCs, but was fairly harmless. A form of encrypting ransomware for Macs was discovered a year later, but it was unfinished and non-functional.
UPDATE: Romanian antivirus firm Bitdefender analyzed KeRanger's code and found that KeRanger was a rewritten version of Linux Encoder, a strain of encrypting ransomware that has infected thousands of Web servers running Linux since December 2015.