Replacing or modifying a legitimate file with a malicious one, and then running the legitimate code so that nothing looks wrong, is not new on macOS. In fact, the first real Mac ransomware, KeRanger, was spread through a modified copy of the Transmission torrent app.
The scourge of ransomware has finally come to OS X! Researchers at the security firm Palo Alto Networks have announced that version 2.90 of the Transmission BitTorrent client for Mac OS X has been adulterated with a new ransomware variant they have named KeRanger. Users on the Transmission forum and a message on the front page of the Transmission website confirm this.
According to Palo Alto Networks, the malicious installer was generated on March 4, and once installed, the malware waits 3 days after infection before encrypting the victim's files. This means that the first victims will not notice they are affected until at least March 7. Once activated, the ransomware connects to a command-and-control server over the Tor network and then begins to encrypt certain types of files. It then demands a ransom of 1 bitcoin, or about $400 USD, for a decryptor.
Very little information is available at this point regarding how the Transmission installer was compromised. It is known, however, that the ransomware is signed with a valid Mac developer's certificate, which has since been revoked by Apple. This certificate has a listed owner of POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673), which is not the certificate of the legitimate Transmission developer.
Apple has already released a signature update for its XProtect antimalware software, and because the abused certificate has been revoked, OS X will refuse to execute malicious installers signed by it.
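The signing detail above is the practical check a defender has: a trojanized bundle can carry the legitimate app's bundle identifier, but it cannot carry the legitimate developer's Team ID unless that developer's key was stolen. The following is an added example, not code from the article or from the Transmission project, that parses the output of `codesign -dv --verbose=4` and flags a bundle whose Team ID is the abused one named here (Z7276PX673), is missing, or is not on an expected list. The legitimate Transmission Team ID is not given in the article, so it is left as a labelled placeholder; the sample `codesign` outputs are constructed to match the tool's format, not captured from real binaries.

```python
"""Flag macOS app bundles whose code-signing Team ID is revoked, missing, or unexpected.

Added example (not from the article or the Transmission project). On a Mac,
`codesign -dv --verbose=4 /path/to/App.app` prints the signing details to stderr;
this script parses that output and classifies the bundle.
"""
import re
import subprocess
from typing import Optional

# Team ID of the abused certificate named in the article (POLISAN BOYA ..., Z7276PX673).
REVOKED_TEAM_IDS = {"Z7276PX673"}

# PLACEHOLDER: the legitimate developer's Team ID is not given in the article.
# Replace with the value the project publishes before relying on this check.
EXPECTED_TEAM_IDS = {"EXPECTED_TEAM_ID_PLACEHOLDER"}


def parse_team_id(codesign_output: str) -> Optional[str]:
    """Return the TeamIdentifier from codesign output, or None if absent.

    codesign prints 'TeamIdentifier=not set' for ad-hoc signatures, which
    carry no developer identity at all, so that case also maps to None.
    """
    match = re.search(r"^TeamIdentifier=(.+)$", codesign_output, re.MULTILINE)
    if not match:
        return None
    team = match.group(1).strip()
    return None if team == "not set" else team


def assess(codesign_output: str) -> str:
    """Classify a bundle from its codesign output.

    Order matters: a revoked team is reported even if someone mistakenly
    added it to the expected list.
    """
    team = parse_team_id(codesign_output)
    if team is None:
        return "UNSIGNED_OR_ADHOC"
    if team in REVOKED_TEAM_IDS:
        return "REVOKED_TEAM"
    if team not in EXPECTED_TEAM_IDS:
        return "UNEXPECTED_TEAM"
    return "OK"


def assess_bundle(path: str) -> str:
    """Run codesign on a real bundle (macOS only) and assess the result."""
    proc = subprocess.run(
        ["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True
    )
    # codesign writes its details to stderr; a non-zero exit means unsigned or invalid.
    if proc.returncode != 0:
        return "UNSIGNED_OR_ADHOC"
    return assess(proc.stderr)


# Constructed sample outputs modelled on codesign's format (not captured from real files).
SAMPLE_ABUSED_CERT = """Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=Z7276PX673
"""

SAMPLE_ADHOC = """Executable=/tmp/Foo.app/Contents/MacOS/Foo
Identifier=Foo
Signature=adhoc
TeamIdentifier=not set
"""

if __name__ == "__main__":
    print(assess(SAMPLE_ABUSED_CERT))  # REVOKED_TEAM
    print(assess(SAMPLE_ADHOC))        # UNSIGNED_OR_ADHOC
```

Note that `codesign` verifies the signature's integrity but does not consult Apple's revocation status; that is Gatekeeper's job (`spctl --assess --type execute`), which is why the article's revocation note matters for machines that have not yet updated XProtect. Keeping a local list of known-abused Team IDs, as above, lets a fleet scan catch already-installed copies that Gatekeeper never re-evaluates.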
Palo Alto Networks has also posted instructions for users who believe they might be infected, towards the bottom of their announcement article. The developers of Transmission recommend that users install version 2.91, which will attempt to detect and remove the infection.
Unfortunately, at the time of this writing no antimalware scanners are detecting either of the affected installers:
- VirusTotal results for malicious installer #1
As this ransomware is further analyzed, we will be sure to post about it here.
Apple Inc customers were targeted by hackers over the weekend in the first campaign against Macintosh computers using a pernicious type of software known as ransomware, researchers with Palo Alto Networks Inc told Reuters on Sunday.
Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.
Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft Corp's Windows operating system.
Palo Alto Threat Intelligence Director Ryan Olson said the 'KeRanger' malware, which appeared on Friday, was the first functioning ransomware attacking Apple's Mac computers.
'This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,' Olson said in a telephone interview.
Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.
When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware, the blog said.
An Apple representative said the company had taken steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs. The representative declined to provide other details.
Transmission responded by removing the malicious version of its software from its website (www.transmissionbt.com). On Sunday it released a version that its website said automatically removes the ransomware from infected Macs.
The website advised Transmission users to immediately install the new update, version 2.92, if they suspected they might be infected.
Palo Alto said on its blog that KeRanger is programmed to stay quiet for three days after infecting a computer, then connect to the attacker's server and start encrypting files so they cannot be accessed.
After encryption is completed, KeRanger demands a ransom of 1 bitcoin, or about US$400, the blog said.
Olson, the Palo Alto threat intelligence director, said that the victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission's site.
Representatives with Transmission could not be reached for comment.