KeRanger: New Mac OS X Ransomware
Yes, even Apple Macs are prone to malware, but this new malware, identified over the weekend by Palo Alto Networks, required a unique set of circumstances. The infected installer was served as the Transmission BitTorrent client for Mac OS X on the official Transmission website. Palo Alto has named this ransomware "KeRanger". At first look, it appears that the website was compromised and the attackers replaced the legitimate, open source build with a malicious version. For readers who may not be familiar with BitTorrent, it is a peer-to-peer file sharing protocol for distributing files and large amounts of data; BitTorrent clients have both legitimate and illegitimate uses, and Wikipedia has an animated GIF that demonstrates the concept. The ransomware was signed with a valid Apple developer certificate, which is troubling; the certificate is believed to have been stolen. Apple has since revoked it, so Gatekeeper will now warn you if you attempt to open the infected Transmission app. Do not override the warning: move the Transmission .app to the Trash.
Here is a quick summary of this Mac ransomware:
Am I Affected?
If you downloaded the Transmission installer (version 2.90) from the Transmission website between 11:00 AM on March 4th and 7:00 PM on March 5th (Pacific time), there is a high probability that you were affected. Note that KeRanger waits three days after installation before it begins encrypting files, so an infected Mac may not show any symptoms yet; run the checks below rather than waiting for a ransom note.
How can I Protect Myself?
According to the Palo Alto report, there are a few things users can do to check whether their Mac is infected:
1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either file exists, the Transmission application is infected and we suggest deleting this version of Transmission.
2. Using “Activity Monitor” (preinstalled in OS X), check whether any process named “kernel_service” is running. If so, select the process, choose “Open Files and Ports” and check whether a file path like “~/Library/kernel_service” (/Users/<username>/Library/kernel_service) is listed (Figure 12 in the Palo Alto report). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
3. After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, delete them.
Here at Kemper, we regularly work with clients who have fallen victim to ransomware attacks. Apple builds several security technologies into OS X; however, as with any security technology, each is only one small layer of protection. XProtect, Apple's built-in check of files downloaded from the Internet, matches known malware signatures only, so a validly signed, previously unseen sample like KeRanger passed it until Apple added a signature for it. For SOHO use, allowing only apps downloaded from the Mac App Store is good practice for safeguarding against a wide array of known malware; we recommend the Mac App Store Only setting for SOHO users. Also, make sure you are running OS X El Capitan to ensure you receive the most recent software and security updates released by Apple.
Gatekeeper: Apple recommends only downloading apps from the Mac App Store
System Preferences > Security & Privacy > General > Allow apps downloaded from: Mac App Store
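The three manual checks above can be run in one pass from Terminal. The script below is an added example written for this post; it is not code from Palo Alto Networks, Apple or the Transmission project. It assumes only the artifact names and paths quoted in the checks above, and the file name keranger_check.sh is assumed solely for the auto-run guard at the bottom. It is read-only: it reports indicators and an exit status but deletes nothing, so you can run it before deciding what to remove.

```shell
#!/bin/sh
# keranger_check.sh: added example (not from the original post or from Palo Alto Networks).
# Implements the three manual checks from the Palo Alto report as a read-only scan.
# Assumptions: the artifact names and paths are exactly those quoted in the checks above;
# the script file name keranger_check.sh is assumed only for the auto-run guard at the bottom.
# Each check returns 0 when nothing is found and 1 when an indicator is present. Nothing is deleted.

# Check 1: the General.rtf resource hidden inside a Transmission.app bundle.
# $1 = path to the .app bundle (defaults to the installed copy).
keranger_check_bundle() {
    bundle="${1:-/Applications/Transmission.app}"
    if [ -f "$bundle/Contents/Resources/General.rtf" ]; then
        echo "INDICATOR: $bundle/Contents/Resources/General.rtf exists (infected Transmission build)"
        return 1
    fi
    return 0
}

# Check 2: a running process named kernel_service (KeRanger's main process).
# macOS ps prints the full executable path in comm, so compare the basename only.
keranger_check_process() {
    if ps -axo comm= 2>/dev/null | awk -F/ '{ print $NF }' | grep -qx 'kernel_service'; then
        echo "INDICATOR: a process named kernel_service is running"
        return 1
    fi
    return 0
}

# Check 3: KeRanger's state files and dropped binary in the user's Library folder.
# $1 = Library directory to scan (defaults to ~/Library).
keranger_check_library() {
    libdir="${1:-$HOME/Library}"
    found=0
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$libdir/$name" ]; then
            echo "INDICATOR: $libdir/$name exists"
            found=1
        fi
    done
    return "$found"
}

# Run all three checks against the live system and report once at the end.
keranger_scan() {
    hits=0
    keranger_check_bundle "/Applications/Transmission.app" || hits=1
    keranger_check_bundle "/Volumes/Transmission/Transmission.app" || hits=1
    keranger_check_process || hits=1
    keranger_check_library || hits=1
    if [ "$hits" -eq 0 ]; then
        echo "No KeRanger indicators found."
    else
        echo "KeRanger indicators found: force-quit kernel_service, trash Transmission.app, delete the ~/Library files."
    fi
    return "$hits"
}

# Run the scan only when executed as keranger_check.sh, so the functions can also be sourced.
case "$0" in
    *keranger_check.sh) keranger_scan ;;
esac
```

Save it as keranger_check.sh and run `sh keranger_check.sh`; a non-zero exit status means at least one indicator was found. Check 3 also covers the mounted disk image path by passing the bundle path explicitly, which is why the scan calls `keranger_check_bundle` twice.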
Why the Hype?
Ransomware infections have been a serious problem for Windows users for the last several years. This Mac ransomware confirms what security researchers, and our consultants in client network environments, see regularly: bad actors continue to evolve their techniques for infiltrating client environments, whether to encrypt or to exfiltrate sensitive data. With more and more IT environments using Macs in the workplace, attacks on them will likely increase. KeRanger targeted Macs through one particular piece of open source software (the Transmission BitTorrent client), and it should open Mac users' eyes to the fact that ransomware attacks are alive and well on their platform. They are no longer a Windows-only type of malware attack.
Remember, there are no silver bullets to prevent these attacks; however, there are many things you can do every day to protect your company and reputation and to minimize your risk. Stay vigilant and educate your users about these risks!
If you have fallen victim to a data breach, ransomware, or would like a review of your infrastructure, please contact us.
Sources: Wired.com | Palo Alto Networks | Apple