KeRanger, The First Ever Ransomware For OS X Platform Discovered By Security Experts
Cyber security experts from Palo Alto Networks have unearthed the first ever ransomware developed for Apple's OS X operating system, which runs on Mac devices. While it's not uncommon for ransomware to affect smartphones and Windows PCs, this is the first instance of ransomware built to affect Macs. The ransomware is called "KeRanger" and it piggybacked on the Transmission BitTorrent client. Transmission is a legitimate OS X application for downloading torrents, but it is also open source, which means anyone could have added the KeRanger code to the DMG files (Apple Disk Image files, the OS X equivalent of installer files on PCs).
The problem began on March 4th, when the attackers managed to infect two installers of Transmission (version 2.90) with KeRanger. The now malicious app avoided Apple's Gatekeeper protection because it was signed with a legitimate Mac app development certificate. The attackers hid the malicious code in a Mach-O format executable file disguised as an RTF file, which created a service without the user's knowledge. Once unpacked, the service was instructed to sit idle for three days. After that waiting period, it contacts its command and control servers over the Tor network, which makes locating the attackers almost impossible.
Once it establishes contact, KeRanger begins to slowly encrypt certain types of document and data files on the system. Once the encryption is complete, KeRanger demands that the victim pay one bitcoin, worth roughly 400 USD at the time, to a specific address to unlock their files. One of the interesting things the Palo Alto Networks researchers noticed was that the malicious app was still under development: there were signs of efforts to encrypt Time Machine backup files, which would prevent victims from recovering their data from backups.
Once they uncovered KeRanger, the Palo Alto Networks team reported it to Apple and the Transmission project. Apple quickly revoked the certificate used to legitimise the malicious app and updated its XProtect antivirus signatures so that users could detect it. The Transmission team did its part by removing the infected installers from its website. So the trouble appears to be over, but the attackers might well find another way to sneak in.
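As an added defender-side illustration (not from the original article or from Palo Alto Networks), the following Python checks whether a file carrying an .rtf name actually begins with a Mach-O or universal-binary header instead of the RTF signature, which is the disguise described above. File names and contents are constructed samples, not real KeRanger artefacts.

```python
import struct
from typing import Iterable

# Magic numbers from the Mach-O and fat-binary headers (mach-o/loader.h, mach-o/fat.h).
MACHO_MAGICS = {
    0xFEEDFACE,  # MH_MAGIC     32-bit
    0xCEFAEDFE,  # MH_CIGAM     32-bit, byte-swapped (how x86 files look on disk)
    0xFEEDFACF,  # MH_MAGIC_64  64-bit
    0xCFFAEDFE,  # MH_CIGAM_64  64-bit, byte-swapped
    0xCAFEBABE,  # FAT_MAGIC    universal binary (also Java .class; check nfat_arch in a real scanner)
    0xBEBAFECA,  # FAT_CIGAM    universal binary, byte-swapped
}

def is_macho(data: bytes) -> bool:
    """True if the first four bytes are a Mach-O or fat-binary magic value."""
    if len(data) < 4:
        return False
    return struct.unpack(">I", data[:4])[0] in MACHO_MAGICS

def is_rtf(data: bytes) -> bool:
    """A genuine RTF document starts with the literal control word '{\\rtf'."""
    return data.startswith(b"{\\rtf")

def classify(name: str, data: bytes) -> str:
    """Flag a file whose name claims RTF but whose header says executable."""
    claims_rtf = name.lower().endswith(".rtf")
    if claims_rtf and is_macho(data):
        return "SUSPICIOUS: Mach-O executable with .rtf extension"
    if claims_rtf and not is_rtf(data):
        return "WARNING: .rtf name but no RTF header"
    if is_macho(data):
        return "executable (Mach-O)"
    if is_rtf(data):
        return "document (RTF)"
    return "unknown"

def scan(files: Iterable[tuple[str, bytes]]) -> dict[str, str]:
    """Classify every (name, content) pair; returns name -> verdict."""
    return {name: classify(name, data) for name, data in files}

# Constructed samples: a real RTF, a 64-bit Mach-O header stored under an
# .rtf name (hypothetical file name), and a fat binary with no extension.
SAMPLES = [
    ("readme.rtf", b"{\\rtf1\\ansi Hello}"),
    ("installer_notes.rtf", struct.pack(">I", 0xFEEDFACF) + b"\x00" * 28),
    ("helper", struct.pack(">I", 0xCAFEBABE) + b"\x00\x00\x00\x02"),
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```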
Source: #-Link-Snipped-# via "Mac ransomware caught before large number of computers infected" (Reuters): https://www.reuters.com/article/us-apple-ransomware-idUSKCN0W80VX?feedType=RSS&feedName=technologyNews