Since Apple famously introduced the Macintosh over three decades ago, Mac users have been confident that their computers are virtually immune to ransomware and other malware threats which plague their Windows counterparts. But those days are over.
On March 4, researchers at security firm Palo Alto Networks detected what they believe is the first “fully functional” ransomware attack aimed exclusively at Apple’s OS X operating platform.
Dubbed KeRanger, the ransomware code was discreetly piggy-backed onto a routine update of Transmission, a popular BitTorrent client (a free Mac utility enabling rapid download/sharing of large files). After lurking on an infected Mac for three days, KeRanger encrypts all or part of a Mac hard drive before demanding an untraceable payment of one Bitcoin (currently the equivalent of about $400) to restore access to the scrambled files.
Hack a Mac? Just Fool the Gatekeeper
Macs are generally less susceptible to viruses and malware thanks to Gatekeeper, a built-in OS X defense feature that rejects downloaded software that isn’t signed with an Apple Developer ID—essentially Apple’s digital certification of a third-party app it declares legitimate and harmless. In the case of KeRanger, the malicious build was fraudulently signed with a Developer ID (Z7276PX673) that had previously been assigned to a software developer in Turkey, enabling it to bypass Gatekeeper and infect the Mac’s hard drive. (How the Turkish company’s Apple certificate apparently fell into the wrong hands is still under investigation.)
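An added example, not from the article nor from Apple or the Transmission project: a small Python checker that parses the `Authority=` and `TeamIdentifier=` lines of `codesign -dvv` output, flags the Z7276PX673 team ID quoted above, and blocks any bundle without a Developer ID chain anchored at Apple Root CA. The sample outputs below are constructed; the developer name and the second bundle path are placeholders.

```python
import subprocess

# Team ID behind the stolen Developer ID that signed KeRanger (named in the article).
KNOWN_BAD_TEAM_IDS = {"Z7276PX673"}

def parse_codesign(output: str) -> dict:
    """Collect Authority= and TeamIdentifier= lines from `codesign -dvv` text."""
    info = {"authorities": [], "team_id": None}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Authority":
            info["authorities"].append(value.strip())
        elif sep and key.strip() == "TeamIdentifier":
            info["team_id"] = value.strip()
    return info

def assess(info: dict) -> tuple[str, str]:
    """Return (verdict, reason) for the parsed signature facts."""
    team = info["team_id"]
    if team in KNOWN_BAD_TEAM_IDS:
        return "BLOCK", f"team ID {team} is the revoked ID that signed KeRanger"
    chain = info["authorities"]
    dev_id = any(a.startswith("Developer ID Application:") for a in chain)
    if not (dev_id and "Apple Root CA" in chain):
        return "BLOCK", "no Developer ID Application chain anchored at Apple Root CA"
    return "ALLOW", f"Developer ID signature from team {team}"

def check_bundle(path: str) -> tuple[str, str]:
    """macOS only: run codesign (it reports on stderr) and assess the bundle."""
    proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return assess(parse_codesign(proc.stderr))

# Constructed sample resembling codesign output for the tainted Transmission build;
# the developer name is a placeholder, the team ID is the one from the article.
SAMPLE_TAINTED = """Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Authority=Developer ID Application: PLACEHOLDER DEVELOPER (Z7276PX673)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=Z7276PX673
"""

# Constructed sample for an ad-hoc signed build with no certificate chain at all.
SAMPLE_ADHOC = """Executable=/Applications/Example.app/Contents/MacOS/Example
Signature=adhoc
TeamIdentifier=not set
"""

if __name__ == "__main__":
    for name, text in (("tainted", SAMPLE_TAINTED), ("ad-hoc", SAMPLE_ADHOC)):
        print(name, assess(parse_codesign(text)))
```

On a Mac, `check_bundle("/Applications/Transmission.app")` runs the real `codesign`; this parser only reads the chain stamped on the bundle and does not check certificate revocation, which is what Gatekeeper’s own `spctl --assess --type execute` does.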
After isolating the bogus Developer ID on the morning of March 4, Palo Alto Networks immediately notified Apple, who quickly revoked KeRanger’s certification. The Transmission homepage has also replaced the tainted version of the app with a “clean” update. It was determined that KeRanger was only “in the wild” (at-large and uncontained) within a relatively small window between 11 a.m. March 4 and 7 p.m. March 5.
It Could Have Been Worse
In their haste to begin extorting victims as soon as possible, KeRanger’s developers didn’t complete an additional section of code that would have disabled Time Machine, an OS X feature that restores users’ backup files stored on an external drive—similar to the automated System Restore function in Windows. If they’d spent a little more time refining their “launch version” of ransomware, even backup files would have been hopelessly encrypted without that $400 payoff.
If you’re a Mac user who doesn’t use the Transmission app, you dodged a bullet. But the KeRanger incident is a serious blow to OS X’s reputation as the “hack-proof” operating system. As we’ve discussed, ransomware schemes are the fastest-growing form of cybercrime today, and it was only a matter of time before Macs became a target.
For more information on ransomware and more of the latest emerging cyberthreats, contact us today.