First Successful Mac OS X ransomware? KeRanger


In 2008 an Apple computer cost around $1,500 against roughly $700 for a Windows PC. Today, a standard MacBook costs roughly $999. This includes 128GB of storage, an Intel Core i5 processor, 4GB of RAM and Intel HD Graphics 6000. A comparable PC is the Dell XPS 13, priced at $799, with an Intel Core i3 processor and Intel HD Graphics 5500.

Both Apple and Microsoft have incredibly loyal customers. But why do some consumers choose the more expensive route of a Mac? One reason is security: Apple products are widely perceived as having stronger built-in security.

Recently, however, Mac OS X has been the target of ransomware.

Enterprise security vendor Palo Alto Networks was the first to spot the malware. According to the company’s blog, the attackers infected two installers of the Transmission BitTorrent client, version 2.90, with KeRanger on the morning of March 4, 2016. The installers were signed with a valid Mac developer certificate issued by Apple, so they passed Apple’s Gatekeeper check, which only blocks unsigned or revoked code.

Ransomware is malware that encrypts a user’s files and holds them hostage until a ransom is paid. The program in question, dubbed KeRanger, requires victims to pay in Bitcoin to get their files back.

See: Apple has shut down the first fully-functional Mac OS X ransomware

According to Bitdefender researchers, the trojanized Transmission update carrying KeRanger racks up a number of firsts:

  • the world’s first piece of fully functional Mac OS X ransomware
  • first Mac OS X malware distributed via a signed software update from a legitimate developer
  • first cross-platform ransomware ever

A closer look by Bitdefender at the KeRanger ransomware Trojan reveals that it is in fact a Mac port of the Linux.Encoder Trojan.

The folks at Bitdefender go on to say:

“Six months ago, ransomware was a threat that only Windows and Android users had to worry about. In December last year, the world’s first piece of Linux ransomware was spotted in the wild after encrypting thousands of webservers. Fortunately, Bitdefender researchers could circumvent the encryption algorithm and provide decryption utilities for all four variants in the wild. It seems that the developers behind the Linux.Encoder malware have either expanded to Mac OS X or have licensed their code to a cybercrime group specialized in Mac OS X attacks.”

“It is worth emphasizing that nothing short of a fully-fledged, native MacOS X security solution with real-time, behavior-based detection techniques could have saved MacOS X users from having their systems infected and their files encrypted. There is more, much more, to security than merely disallowing unsigned software.”

– Catalin Cosoi, Bitdefender

Palo Alto Networks: How to Defend Yourself

Users who directly downloaded the Transmission installer from the official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third-party website, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.

Palo Alto Networks suggests users take the following steps to identify and remove KeRanger:

  1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either of these exists, the Transmission application is infected and we suggest deleting this version of Transmission.
  2. Using “Activity Monitor”, preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double-check the process: choose “Open Files and Ports” and check whether there is a file name like “/Users/<username>/Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
  3. After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, you should delete them.
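The three checks above can be scripted so they are run the same way on every machine. The following POSIX sh script is an added example and is not Palo Alto Networks’ own code: each check takes its root or home directory as a parameter (and, for the process check, the text of a `ps` listing), so it runs offline against a constructed directory tree here. The function names, the sample tree and the sample `ps` lines are all constructed for this example; on a real Mac you would call the checks with `/` and `$HOME` and feed them the output of `ps -axo pid=,comm=`, which is assumed to print the PID and the full command path.

```sh
#!/bin/sh
# Added example (not Palo Alto Networks' code): the three KeRanger checks as
# shell functions. Each is parameterised so it can be exercised against a
# constructed tree; on a live Mac use "/" and "$HOME" as the roots.

# Check 1: General.rtf inside the Transmission bundle at either location.
# Prints each path found; exit status 0 if any exists, 1 otherwise.
keranger_check_bundle() {
    root="${1%/}"
    rc=1
    for rel in Applications/Transmission.app/Contents/Resources/General.rtf \
               Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf; do
        if [ -e "$root/$rel" ]; then
            echo "infected installer: $root/$rel"
            rc=0
        fi
    done
    return $rc
}

# Check 2: a running kernel_service whose binary is ~/Library/kernel_service.
# $1 = home directory, $2 = text of `ps -axo pid=,comm=` (pid, command path).
# Prints matching PIDs; exit status 0 if any match, 1 otherwise.
keranger_check_process() {
    printf '%s\n' "$2" | awk -v target="${1%/}/Library/kernel_service" '
        $2 == target { print "KeRanger process pid=" $1; hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# Check 3: the marker files KeRanger leaves in ~/Library.
# Prints each marker path on stderr and the number found on stdout.
keranger_check_markers() {
    home="${1%/}"
    n=0
    for f in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$home/Library/$f" ]; then
            echo "marker: $home/Library/$f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample data (not from a real infection): a throwaway directory
# that stands in for both the system root and the user's home, with the
# trojanized bundle and three of the four marker files present.
keranger_make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/Applications/Transmission.app/Contents/Resources" "$t/Library"
    : > "$t/Applications/Transmission.app/Contents/Resources/General.rtf"
    : > "$t/Library/.kernel_pid"
    : > "$t/Library/.kernel_time"
    : > "$t/Library/kernel_service"
    echo "$t"
}

# Constructed `ps -axo pid=,comm=` listing matching the sample tree ($1 = home).
keranger_sample_ps() {
    printf '%s\n' "1 /sbin/launchd" \
                  "4242 ${1%/}/Library/kernel_service" \
                  "4300 /Applications/Transmission.app/Contents/MacOS/Transmission"
}

# Stand-alone run: build the sample tree, run all three checks, clean up.
sample=$(keranger_make_sample_tree)
keranger_check_bundle "$sample"
keranger_check_process "$sample" "$(keranger_sample_ps "$sample")"
echo "markers found: $(keranger_check_markers "$sample")"
[ -n "$sample" ] && rm -rf "$sample"
```

The process check matches on the full path of the binary rather than on the name alone, which is the distinction step 2 draws with “Open Files and Ports”: a process merely called kernel_service is not evidence by itself, one backed by ~/Library/kernel_service is.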

Read the full statement from Palo Alto Networks Research Center

Firestorm Cyber Breach Response Roadmap

Today, 80 percent of the value of corporate assets has shifted from physical to virtual. This includes hardware, network infrastructure, software, data in electronic and physical form, and human knowledge. Is your company prepared to have all of that knowledge compromised?

Even though the criminal breaks into your systems and steals intellectual data, you’re still liable.

– Jim Satterfield, Firestorm President, Founder and COO

Following the five steps in the Firestorm Cyber Breach Response Roadmap will help reduce the impact of a breach.

Phases of activation

RELATED: Firestorm to hold its second Virtual Cyber Breach Stress Test exercise on April 19

A recent Firestorm webinar and its accompanying brief explored the issue of cyber security.

Firestorm President, Jim Satterfield discussed how:

  • The chance of a cybersecurity breach to your business increases every day.
  • Phishing is one of the means to a cyber breach.
  • If this happens, your business will be impacted at many levels: the human level, the operational level, the reputational level and the financial level.

A cyber breach can negatively impact both personal and professional life. You cannot rely solely on built-in security features to protect intellectual data. Every crisis is a human crisis; computers should not be made scapegoats for cyber incidents. The issue lies with the person in the chair.

How are you protecting your data from cyber crime?
