Hack Brief: Ransomware Strikes Apple’s OS X for the First Time
While ransomware has been a growing cause for concern—including one recent high-profile incident at a Hollywood hospital—until now Apple devices hadn’t had the distinction of being vulnerable. That changes with KeRanger, an application poised to shake down a large number of Mac owners in the coming days.
According to researchers Claud Xiao and Jin Chen, who first reported the existence of KeRanger, the ransomware infected the Transmission BitTorrent client installer for OS X for the first time on March 4. While they’re not sure how Transmission became infected, the two note that it’s an open source project. “It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred,” they wrote in a post outlining their discovery.
More troublingly, KeRanger was signed with a valid certificate, meaning it snuck through Apple’s built-in safeguards. It’s unclear how that happened, as well, though F-Secure security expert Mikko Hyppönen suspects it was simply a stolen code-signing certificate.
“This arrives to you from the official download site of an official application vendor. It was signed with a valid developer certificate,” says Hyppönen. “It’s a ransom trojan. It wants to gain access to your files, the user’s files, not root access.”
It doesn’t need root access, because it’s not trying to take over your computer; rather, it’s looking for the kinds of files that you care about most—the photographs, the spreadsheets, the invoices—so it can then attempt to sell them back to you. Once installed, KeRanger lies dormant for three days, then starts to encrypt documents and files on your system. Specifically, it looks for 300 different extensions, ranging from .doc to .mp3 to .jpg to .txt.
Victims can regain access to their files for one bitcoin, which equals a little over $400. The researchers also note that KeRanger is “under active development,” and that the next step in its evolution may be to encrypt Time Machine files, so that if you’re infected you can’t simply fall back on your backups.
Anyone who downloaded one of two installers of Transmission version 2.90, between the hours of 11 a.m. PST on March 4 and 7 p.m. PST on March 5, is potentially affected. It’s not clear currently how many people that is, but if you downloaded that BitTorrent client recently, you should be aware of what’s coming.
Fortunately, there’s a way to protect yourself, according to Xiao and Chen. From their report:
1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
2. Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users//Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
3. After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, you should delete them.
Also, as Apple has revoked the certificate in question, your system should warn you, if you attempt to open Transmission, that it may do harm. If so, trash the application.
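The three checks above can be run in one pass. The script below is an added example, not code from the article or from Xiao and Chen’s report; it only reports what it finds and deletes nothing, and the optional root and home arguments are assumptions so it can be pointed at a test tree instead of the live system.

```shell
#!/bin/sh
# Added example, not code from the article or the researchers' report: a
# read-only sweep for the KeRanger indicators the report's three steps name.
# It prints findings and deletes nothing; removal stays a manual decision.

# Step 1 and step 3: look for the dropped General.rtf and the ~/Library
# artifacts. $1 stands in for "/" and $2 for the home directory (assumed
# parameters for testing); both default to the live system.
keranger_file_indicators() {
    root="${1:-}"
    home="${2:-${HOME:-}}"
    for rtf in \
        "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"
    do
        [ -e "$rtf" ] && echo "infected installer marker: $rtf"
    done
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        [ -e "$home/Library/$name" ] && echo "KeRanger artifact: $home/Library/$name"
    done
    return 0
}

# Step 2: a running process named exactly kernel_service. pgrep -x matches
# the whole process name and prints any matching PIDs; silence if none.
keranger_process_indicator() {
    pgrep -x kernel_service 2>/dev/null || true
}

main() {
    hits=$(keranger_file_indicators "$@")
    pids=$(keranger_process_indicator)
    if [ -z "$hits" ] && [ -z "$pids" ]; then
        echo "no KeRanger indicators found"
        return 0
    fi
    [ -n "$hits" ] && printf '%s\n' "$hits"
    [ -n "$pids" ] && echo "kernel_service is running, pid(s): $pids"
    echo "KeRanger indicators present: quit kernel_service, delete the listed files and this copy of Transmission"
    return 0
}

main "$@"
```

Run it as `sh keranger_check.sh` on a Mac that installed Transmission 2.90 in the affected window; a clean machine prints a single "no KeRanger indicators found" line.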
How Serious Is This?
If you’re affected, it’s serious to the tune of $400. The 72-hour clock starts expiring this afternoon and keeps doing so through tomorrow night, so everyone affected should know by Wednesday morning what kind of trouble they’re in.
The bigger concern, says Hyppönen, is that Macs are officially drawing serious attention from bad actors. Many Apple enthusiasts may assume that their devices have superior virus protection. In truth, Macs simply haven’t historically been a popular target because of their small market share. Likewise, most malware practitioners don’t have a core competence in Macs, because they’ve invested so much time and energy attacking Windows machines.
“It’s not just a question about market share,” says Hyppönen. “It’s also a question of existing know-how. Most of the ransom code gangs have all their existing know-how on Windows platforms, so for them to start targeting any other platform, whether it’s Android or OS X, is an investment from them. They’re not likely to do that for as long as they have enough easy targets on a Windows platform.”
In the case of KeRanger, it could be that one gang grew tired of competing with several others over the same Windows devices, and opted for clearer pastures. “Right now there is no competition on ransom trojans on Mac,” says Hyppönen.
If KeRanger turns out to be a successful haul, that could change quickly. And even if it’s not, the growing size of the OS X install base may make increased attacks inevitable. According to the most recent figures from IDC, Apple accounted for 7.9 percent of all personal computers last quarter, and increased shipments by 2.8 percent year over year. That may not sound like a huge jump, but consider that the industry as a whole was down over 10 percent.
So yes, it’s a big deal that OS X has its first ransomware. The bigger issue, though, is that it’s going to be far from the last.