Endpoint Protection

 View Only

KeRanger: First Mac OS X ransomware emerges 

Mar 07, 2016 12:03 PM


New malware known as KeRanger (OSX.Keranger) appears to be the first ransomware to target the Mac OS X operating system. KeRanger was briefly distributed in a compromised version of the installer for the Transmission BitTorrent client. Mac OS X users who downloaded Transmission on March 4 and March 5, 2016 may be at risk of being compromised.

While KeRanger is designed for Mac OS X, its behavior is quite similar to Windows-based ransomware, particularly TeslaCrypt (Trojan.Cryptolocker.N). Once installed, KeRanger will search for approximately 300 different file types and encrypt any it finds. The malware will then display a ransom message, demanding that the victim pay 1 bitcoin (approximately US$408). Payment is made using a website on the anonymous Tor network.

KeRanger was signed with a valid Mac Developer ID, which meant that the malware could bypass OS X’s Gatekeeper feature, which is designed to block software from untrusted sources. Apple has since revoked the Developer ID used by KeRanger.

Given the popularity of Apple devices, it was only a matter of time before the emergence of ransomware affecting Mac OS X. There had been instances of malicious websites targeting Safari for Mac OS X users. In these cases, the sites used JavaScript to cause Safari to display persistent pop-ups, informing the user that their browser had been “locked” by the FBI for viewing illegal content. However no malware specifically targeting Mac OS X had appeared before now.

In November 2015, a proof-of-concept (PoC) threat known as Mabouia (OSX.Ransomcrypt) was developed by Brazilian cybersecurity researcher Rafael Salema Marques to highlight the fact that Macs may not be immune to the threat of ransomware. Marques shared a sample of the ransomware with Symantec and Apple. Symantec’s analysis confirmed that the PoC was functional. While the threat could be used to create functional Mac OS X crypto ransomware if it fell into the wrong hands, Marques said he has no intention of publicly releasing the malware.

Potential menace
While KeRanger was only briefly distributed through compromised software, Mac users should not be complacent. The attackers behind the threat may attempt to find other distribution channels. Additionally, the success of these attacks may inspire other groups to create Mac OS X ransomware variants.

Tips on protecting yourself from ransomware

  • Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed. See here for instructions on how to restore files backed up using Apple’s Time Machine solution
  • Always keep your security software up to date to protect yourself against any new variants of malware.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.

Further reading
To find out more about threats affecting Mac OS X and other Apple platforms, download and read our whitepaper: The Apple Threat Landscape

Symantec and Norton products protect against KeRanger with the following detections:


Intrusion Prevention System

0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.