It was only a matter of time before a fully functional Mac ransomware was developed. Researchers at Palo Alto Networks have discovered that time has now come, after its Unit 42 team found KeRanger: The first fully functional Mac ransomware to be discovered in the wild. The ransomware was spread via the Transmission file-sharing app.

Fortunately, action has been taken to contain the malicious software before it could be fully exploited; however, this signals a turning point for Apple users. Their devices are no longer safe from ransomware attacks.

Mac Ransomware is No Longer Theoretical

While a Mac ransomware called FileCoder was discovered by Kaspersky Lab in 2014, the malicious software was incomplete and could not be used to infect Apple devices. The discovery of KeRanger shows that Apple users are no longer immune to attack.

Apple has added the signature for the malicious software to its XProtect OS X anti-malware definitions However, any Apple customer that downloaded BitTorrent client Transmission (v 2.9) over the weekend (Between 11:00 PST on March 4, and 19:00 PST on March 5, 2016) could well have downloaded KeRanger, along with any customer who downloaded the file sharing app prior to March 4.

The Mac ransomware bypassed Gatekeeper controls by using a genuine security certificate. The certificate was issued to Polisan Boya Sanayi ve Ticaret A.Ş., of Istanbul and is believed to have been stolen.

The ransomware was included in the Transmission installation files as “General.rtf.” The rich text file looks innocuous enough, but General.rtf is not a document file as the extension suggests, instead it is a Mach-O executable file. The file is copied to ~/Library/kernel_service and is run before the user sees an interface.

Once the ransomware has been activated, it searches the system on which it is installed and will encrypt around 300 different file types, including images, documents, multimedia files, emails, databases, certificates, archives, and source code. The Mac ransomware uses AES encryption to lock any files it finds and is capable of encrypting files saved on connected networks and external drives.

In many cases, ransomware infections cannot be removed and the user is forced to pay a ransom to obtain a security key. However, locked files can potentially be restored from backups. Unfortunately for users infected with KeRanger, the Time Machine system files are also encrypted preventing backup files from being restored.

The Threat Has Been Neutralized Although Action Must Be Taken by Transmission Users

The new Mac ransomware has been neutralized by the revoking of the digital certificate that enables the software to install on OS X, while the developers of Transmission App have removed the infected version from the transmissionbt.com website.

According to Claud Xiao of Palo Alto Networks, if KeRanger has been installed, users will still be at risk of having their files encrypted.  The latest version of Transmission will remove the ransomware if it has been installed on users’ Macs.

Any customer who has installed version 2.9 should download the updated version of the file sharing software as soon as possible to prevent their device from being locked by the file-encrypting malware.

Users only have a limited timeframe for doing this. The Mac ransomware will stay hidden and quiet for 3 days following infection. After that it will connect to its C&C and will start encrypting files on the infected device and connected drives. A ransom of 1 Bitcoin (around $400) will then be demanded by the attackers. Only if the ransom is paid will the security key be sent to unlock the encryption. Failure to pay will see files locked forever. Transmission users must ensure they have installed version 2.92 and need to reboot their device after installation.

Protecting Devices from Attack Using WebTitan Web Filtering Solutions

WebTitan Cloud can help enterprises keep their devices free from malware and ransomware by blocking the downloading of file types known to be used by hackers to install malicious software. It is also possible to prevent KeRanger installations by blocking access to file sharing websites. By limiting the actions that can be taken by users and the sites that can be visited, the risk of networks being compromised or infected with malware can be greatly reduced.

WebTitan Cloud and WebTitan Gateway web filtering solutions can reduce reliance on staff training to teach end users how to identify malware, phishing emails, and malicious websites. Blocking risky online behavior can significantly reduce the risk of malware and ransomware infections.