Archer

A first-of-its kind Mac hack leaves some users nervous.

Word of a new online attack spread quickly to people using Apple computers.

Malicious hackers found a way to get ransomware onto the Mac operating system, reported Palo Alto Networks this week

If you use software from a site called Transmission, you might end up with a demand note on the screen of your Apple computer, and a price tag of about $400 to get your files back, researchers said. 

“My first thought was, ‘Crap. I use that software. That could be me,’” said a Mac user we’ll call R.J. “My second thought was, ‘Crap. They’ve moved to the Mac platform, too.’”

The Mac operating system is considered to be more secure than others, and less of a target for attackers. But that may be changing. 

“This is the first distribution of ransomware on the OS X [current Mac operating system] platform in the wild, and the first large-scale one,” said Daniel Lance with Archer Security Group. 

“I think Apple users will become more targeted in the future because up until now there were very few successful malware attempts,” said Liviu Arsene with Bitdefender in the Wall Street Journal.

“There’s blood in the water and sharks will come,” he said in the article.

Transmission

People use sites like Transmission to download software so they can use BitTorrent for transferring large files.

BitTorrent breaks up large files into many small chunks so they can be sent quickly over the Internet.

“Think of it like moving a bowling ball down a single garden hose,” said R.J. “If, instead, you could break the bowling ball up into marbles and use a bunch of garden hoses at once, you could in theory move the whole thing at once.”

Some people use it for pirating movies, music and more.

Transmission attack

In this case, the attackers first hacked into Transmission’s main server, reported Reuters, then inserted the poisoned software for other people to download. 6,500 people did, according to a Transmission spokesperson.

Once it is on your Mac, it sleeps for three days, then begins encrypting your files, Palo Alto Networks researchers said.

They called the ransomware “KeRanger.”

KeRanger can encrypt your pictures, videos, documents and more, changing the extension to “.encrypted,” said Anton Cherepanov with ESET in We Live Security.

It then makes a text file with the ransom note in all the folders with the encrypted files, he said.

“I wouldn’t have paid,” said R.J. “I’ve been burned by lost hard drives, water damaged laptops, etcetera, before, so I keep offline and encrypted cloud backups of my files. I’d just take the hit and rebuild my system. But I’m probably not the average person.”

How did it get through?

KeRanger rode through Mac defenses on a valid developer’s certificate issued by Apple, said the Palo Alto Networks researchers. Apple has now revoked the “abused” certificate. 

This siege required expertise, said Lance.

“This wasn’t an overnight operation,” he said. “They had to build a version of the software the user was expecting to download, and displayed a large understanding of OS X security to even get the program to run.”

He said the attack may have started long ago.

“I would have to guess the server was compromised at a much earlier date, while the ransomware was built after figuring out how to get their own copy of the program installed on client machines,” he said.

Wake-up call?

Ransomware hackers usually focus on systems other than Mac OS X, where they will make more money. 

Apple computers only made up 7% of the world market share in 2015, according to Gartner.

But some cybersecurity experts say the attack focus may soon change.

 The malware analyzed by Palo Alto Networks looks like it is still in development, researchers said, with capabilities that have not yet been used.

“It’s a clear indication that they’re trying to make Mac ransomware as evil as Windows ransomware and they could be continuing to work on it,” said Arsene in the Wall Street Journal.

“Six months ago, ransomware was a threat that only Windows and Android users had to worry about,” wrote Bitdefender in a post.

“It should be a loud wake-up call to those still blissfully unaware,” wrote Richi Jennings in Computerworld.

Short-lived

The attackers installed KeRanger on the Transmission server on the morning of March 4, researchers said. Palo Alto Networks detected it a few hours later and notified Apple and Transmission, and by March 5, Transmission had removed it and bolstered defenses. Apple updated its malware protection to keep KeRanger out, the researchers said.

Transmission warned people on its home page that they needed to install the new version of the software immediately.

Researchers provided directions for people whose Macs may be infected, saying if you downloaded the Transmission installer from the official website between 11:00 am PT on March 4 and 7:00 pm PT on March 5, you may be in danger and should check your system.

They also recommend that people who downloaded the Transmission installer before then, or from a third-party site, should also check to see if the ransomware is in your system.

ESET also provided information on how to check for the malware on your system.

Long-term

The Transmission software was not available through the Mac app store, said Apple in USA Today.

“All apps sold via the Mac Apple app store are rigorously vetted for safety and are thus less prone to malware and other dangers,” the company said in the article. “The discovery of the ransomware underscores the security issues that can come from buying apps outside of Apple’s control.”

But some users are still concerned.

The bad guys apparently used a stolen or forged certificate to make it look legitimate, noted R.J.

I’m worried that any software could suffer the same problem,” he said. “I can say that it has made me reconsider updating software immediately like have done in the past. I’ll wait at least a couple of days unless it’s a critical security fix.”

And now?

“More frustrated than anything,” said R.J. “In many ways [the Mac platform] is safer, but it’s certainly not immune.”