New malware known as KeRanger (OSX.Keranger) appears to be the first ransomware to target the Mac OS X operating system. KeRanger was briefly distributed in a compromised version of the installer for the Transmission BitTorrent client. Mac OS X users who downloaded Transmission on March 4 and March 5, 2016 may be at risk of being compromised.
While KeRanger is designed for Mac OS X, its behavior is quite similar to Windows-based ransomware, particularly TeslaCrypt (Trojan.Cryptolocker.N). Once installed, KeRanger searches for approximately 300 different file types and encrypts any it finds. The malware then displays a ransom message demanding that the victim pay 1 bitcoin (approximately US$408 at the time). Payment is made through a website on the anonymous Tor network.
KeRanger was signed with a valid Mac Developer ID certificate, which meant that the malware could pass OS X’s Gatekeeper check. Gatekeeper is designed to block unsigned software and software from unidentified developers, but a valid Developer ID signature only proves that some Apple-registered developer signed the bundle, not that the signer is the developer the user expected. Apple has since revoked the Developer ID certificate used to sign KeRanger.
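The following shell script is an added example and is not code from Symantec, Apple or the Transmission project. It shows the check a cautious user or administrator could run on a downloaded app bundle: verify the signature with codesign, ask Gatekeeper's policy engine (spctl) for its verdict, and then go one step further than Gatekeeper by pinning the signer's Team Identifier, which is the check that would flag a bundle validly signed by a different developer. The sample codesign output embedded in the script is constructed, and the Team Identifier ABCDE12345 in it is a placeholder, not any real developer's identifier.

```shell
#!/bin/sh
# Added example (not Symantec's, Apple's or Transmission's code): verify a
# downloaded macOS app bundle and pin the signer's Team Identifier.
# A valid Developer ID signature only proves that *some* Apple-registered
# developer signed the bundle; pinning the Team Identifier catches a bundle
# that is validly signed by the wrong developer.

# Extract the TeamIdentifier value from `codesign -dv --verbose=4` output
# read on stdin. Prints the identifier, or nothing if none is present.
extract_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Compare codesign output (stdin) against the expected Team Identifier.
# Returns 0 on match, 1 on mismatch or when no identifier is present.
team_id_matches() {
    expected="$1"
    actual="$(extract_team_id)"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Full check for a real bundle on macOS: signature integrity (codesign),
# Gatekeeper policy (spctl), and the pinned Team Identifier.
verify_app() {
    app="$1"
    expected="$2"
    codesign --verify --deep --strict "$app" \
        || { echo "FAIL: signature invalid or bundle modified: $app"; return 1; }
    spctl --assess --type execute "$app" \
        || { echo "FAIL: Gatekeeper rejects bundle: $app"; return 1; }
    if codesign -dv --verbose=4 "$app" 2>&1 | team_id_matches "$expected"; then
        echo "OK: $app is signed by expected team $expected"
    else
        echo "WARNING: $app carries a valid signature, but the signer is not $expected"
        return 1
    fi
}

# Constructed sample of codesign output. ABCDE12345 is a placeholder Team
# Identifier, not a real one; the rest mirrors the layout codesign prints.
SAMPLE_OUTPUT='Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Usage on macOS:
#   sh check_app.sh /Applications/Transmission.app <expected team identifier>
# Only runs the live check when both arguments are given and codesign exists.
if [ $# -eq 2 ] && command -v codesign >/dev/null 2>&1; then
    verify_app "$1" "$2"
fi
```

The expected Team Identifier has to come from somewhere the attacker does not control, such as a copy of the app installed before the incident or the developer's own documentation; comparing against whatever the downloaded bundle says about itself proves nothing.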
In November 2015, a proof-of-concept (PoC) threat known as Mabouia (OSX.Ransomcrypt) was developed by Brazilian cybersecurity researcher Rafael Salema Marques to highlight the fact that Macs may not be immune to the threat of ransomware. Marques shared a sample of the ransomware with Symantec and Apple. Symantec’s analysis confirmed that the PoC was functional. While the threat could be used to create functional Mac OS X crypto ransomware if it fell into the wrong hands, Marques said he has no intention of publicly releasing the malware.
While KeRanger was only briefly distributed through compromised software, Mac users should not be complacent. The attackers behind the threat may attempt to find other distribution channels. Additionally, the success of these attacks may inspire other groups to create Mac OS X ransomware variants.
Tips on protecting yourself from ransomware
- Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed. Keep at least one copy on storage that is not permanently connected to the computer: ransomware running with your privileges can encrypt files on any mounted volume, including an attached backup drive. Apple publishes instructions for restoring files from a Time Machine backup.
- Always keep your security software up to date to protect yourself against any new variants of malware.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
To find out more about threats affecting Mac OS X and other Apple platforms, download and read our whitepaper: The Apple Threat Landscape
Symantec and Norton products protect against KeRanger with the following detections:
Intrusion Prevention System