Mac users targeted in first known OS X ransomware scam

“Apple Inc customers were targeted by hackers over the weekend in the first campaign against Macintosh computers using a pernicious type of software known as ransomware, researchers with Palo Alto Networks Inc told Reuters on Sunday,” Jim Finkle reports for Reuters. “Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data. Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft Corp’s Windows operating system.”

“Palo Alto Threat Intelligence Director Ryan Olson said the ‘KeRanger’ malware, which appeared on Friday, was the first functioning ransomware attacking Apple’s Mac computers,” Finkle reports. “An Apple representative said the company had taken steps over the weekend to prevent attacks by revoking a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs.”

“The Transmission site offers the open source software that was infected with the ransomware,” Finkle reports. “Transmission is one of the most popular Mac applications used to download software, videos, music and other data through the BitTorrent peer-to-peer information sharing network… The project’s website on Sunday carried a warning saying that version 2.90 of its Mac software had been infected with malware. It advised users to immediately upgrade to version 2.91 of the software, which was available on its website, or delete the malicious one. It also provided technical information on how users could check to see if they were affected.”

Read more in the full article here.

MacDailyNews Note: Transmission’s website (https://www.transmissionbt.com) states:

Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the “OSX.KeRanger.A” ransomware (more information available here) is correctly removed from your computer.

Users of 2.91 should also immediately upgrade to and run 2.92. Even though 2.91 was never infected, it did not automatically remove the malware-infected file.

[Thanks to MacDailyNews Readers “George” and “Road Warrior” for the heads up.]

26 Comments

      1. I like giving my three year old my fine china, to carry to the table, that is, being extra careful. I am not being disrespectful, however in digital warfare, anything is possible, the likes of power grids going down, the OPM breach. I am simply skeptical, regrading the safety of our software.

        We must be vigilant. Thanks to Apple for being so quick in revoking Transmissions key.

    1. I’ve read (on heise.de, German) that the encryption starts only after 3 days. According to that, since this time hasn’t passed yet after the 8 hours window when the infected version was online, noone should be affected yet. And since the certificate has been withdrawn, noone should be in future. At least there’s hope.

  1. I have a few questions:

    1. What data got encrypted by this ransomware?
    2. Did it require a user to enter their password for it to begin the encryption?
    3. Couldn’t a user just use Time Machine to get back most, if not all, of their data before it got encrypted?

        1. Good morning
          every installer requires either a password or login as administrator
          Do not login as administrator when you are using your computer so that you are constantly reminded to use a password so you know when software is installed at root level
          Good day
          E

        2. If dragging the app from the dmg to the application folder doesn’t count as install, then
          when the app opened for the first time, it writes some local data such as user preferences, path and directories, etc.
          That counts as installer.

            1. Agreed. People don’t understand that there are three methods to getting an app on a Mac.

              1) Download an app in a dmg or zip file (or raw). Then drag it to the Applications folder. This is not an install by any stretch. Unless, when you run it, it asks for your admin password to do “something else,” no installer process was run.

              2) Download from the App store. This, too, is not an install. It literally downloads to the Applications folder.

              3) Run an installer, such as for Office, Adobe, VirtualBox, just to name a few. The installer explicitly requires administrative rights to do anything and, thus, asks for a password. THIS is an install. It has admin privileges to hose the system.

              Everyone keeps saying “installer,” but this does not use an installer, from what I can tell. It’s also why version 2.92 can remove the malware, ALSO without admin rights.

            2. Awww, did I hurt a Windows’ user’s feelings? Only Windows users and Windows experts believe Mac apps are regularly installed. You show your Mac ignorance. You’re the same fools who think Mac has a registry and tell people to look at their C drives. You have zero clue what you’re talking about.

        3. And installer that you need to download and run?

          None, if you got Transmission from the Mac App store.

          If you got Transmission from the developer’s website, on the other hand… And that’s the one that was infected.

    1. They can use Time Machine to restore, provided that the Time Machine backup drive wasn’t connected when the malware did the encryption. When I do my Time Machine backups, I do them to an external drive I eject after the backup.

      ——RM

  2. The malware was probably created by musicians trying to get some payment for their music that’s being stolen by torrent sites and software. 😉

    1. When people use Transmission, they are generally using it for torrents and guess what? Torrent sites are largely for stealing other people’s intellectual property. Just look at the proportion of illegal downloads to those that are perfectly legit.

      Thieves get what’s coming to them.

  3. *This* is why I back up critical files manually to a separate HD that I keep powered down when not in use so it cannot be accessed by nefarious means. I place a reminder in iCal to do it once a month. It has saved my bacon once before when my Time Capsule died and took my TIme Machine back-ups with it.

  4. The horror of unprotected ransomware attacks aside, I couldn’t help thinking of the attackers’ business model today. It’s a UI disaster!

    Most users struck by ransomware will never pay the ransom because a) it’s a difficult process for ordinary users, b) the ransom is too expensive for c) a reasonable expectation that the decryption promise will be honoured.

    Therefore, wouldn’t a ransomware vendor make much more money by demanding smaller amounts, say $20, which a user may be willing to waste in case it works? And wouldn’t it be in their interest to craft a nice GUI that walks the user through the process of setting up their currency in Bitcoin and dispatching it?

    You might be getting shafted, but at least the ransomware is easy to use and Just Works.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.