Leah Zitter

Ransomware Hacks Apple for the First Time

Bitcoin Magazine | March 10th, 2016

Apple has lost its distinction of being immune to ransomware.

For decades, Apple has been applauded as a system that rebuffs viruses. On Monday, 7 March, Palo Alto Networks reported that a so-called KeRanger malware, which appeared over the weekend, had embedded itself into a BitTorrent client installer. At the same time, the Palo Alto researchers told concerned Apple users that they need not worry. Apple had revoked the digital certificate, issued to a legitimate Apple developer, that had allowed the rogue software to install on Macs and hold files for ransom. Apple advised users how to identify and remove KeRanger. Representatives told Reuters that the threat had been defused.

The bigger issue, though, is whether this intrusion will be the last.

Windows users have long been accustomed to ransomware. Hackers shake down computer systems by encrypting data on infected machines and then demanding bitcoins from users before they can retrieve their kidnapped data.

Reuters reports that security experts estimate that cybercriminals rake in thousands of dollars a year over such kidnapping feats. KeRanger was the first functioning ransomware that attacked Apple's Mac computers.

According to researchers Claud Xiao and Jin Chen who reported the intrusion, KeRanger infected the Transmission BitTorrent client installer for OS X just a few hours after installers were initially posted. More troublingly, the researchers admitted that they “[could not] confirm how this infection occurred.”

F-Secure security expert Mikko Hyppönen suspects that the cause may have been a stolen code-signing certificate.

“The KeRanger application was signed with a valid Mac app development certificate,” explain Xiao and Chen, “therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network.”

The malware’s not going to crash your computer. Rather, it’s ferreting for your most valued documents and data so it can sell them back to you. Lest victims try to recover their backup files, Xiao and Chen added that “KeRanger appears to still be under active development and … is also attempting to encrypt Time Machine backup files.”

Apple responded by revoking the abused certificate and by updating its XProtect antivirus signatures. Transmission removed the malware from its website and on Sunday released a new version that, it said, automatically cleans infected Macs.
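As an added example (not from the article, Palo Alto Networks, Apple or the Transmission project), here is a defender-side check a Mac user could run on a downloaded bundle such as the Transmission installer discussed above: it chains Apple's stock xattr, codesign and spctl tools to confirm that the download is quarantined (so Gatekeeper assesses it), that its signature verifies, and that the signing certificate has not been revoked, as Apple did for the certificate KeRanger abused. The function and variable names are my own; the classify function parses captured codesign output, so it can be exercised with constructed strings on any system.

```shell
#!/bin/sh
# Map codesign --verify output to one of: valid, revoked, unsigned, invalid.
# Revoked certificates surface as CSSMERR_TP_CERT_REVOKED in codesign's output.
classify_codesign_output() {
  out="$1"
  case "$out" in
    *CSSMERR_TP_CERT_REVOKED*) echo revoked ;;
    *"code object is not signed"*) echo unsigned ;;
    *"valid on disk"*|*"satisfies its Designated Requirement"*) echo valid ;;
    "") echo valid ;;   # codesign is silent on success without --verbose
    *) echo invalid ;;
  esac
}

# Full pre-launch check of a bundle (hypothetical helper, macOS only).
# Returns 0 only when the signature verifies and Gatekeeper accepts the bundle.
# usage: assess_bundle ~/Downloads/Transmission.app
assess_bundle() {
  app="$1"
  [ -d "$app" ] || { echo "no such bundle: $app"; return 2; }

  # 1. Quarantine flag: Gatekeeper only assesses files that carry it.
  if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
    echo "quarantine: present (Gatekeeper will assess on first launch)"
  else
    echo "quarantine: absent (Gatekeeper will not assess this file)"
  fi

  # 2. Strict signature verification, recursing into nested code.
  cs_out=$(codesign --verify --deep --strict --verbose=2 "$app" 2>&1)
  verdict=$(classify_codesign_output "$cs_out")
  echo "codesign: $verdict"
  # Show the certificate chain and Team ID so the signer can be checked.
  codesign -dv --verbose=4 "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)='

  # 3. Gatekeeper's own policy decision (accepted/rejected plus the rule).
  sp_out=$(spctl --assess --type execute -vv "$app" 2>&1)
  echo "spctl: $sp_out"

  [ "$verdict" = valid ] && echo "$sp_out" | grep -q ': accepted'
}
```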

How easy would it be to infiltrate Apple Macs in the future?

The Bitcoin news service NewsBTC tells Mac users that “this ransomware attack is a very small risk for most Macintosh users right now, as those who did not download Transmission around that time — or not at all — should be safe from harm.” It also emphasizes that, “This is entirely different from Bitcoin ransomware threats against Windows users, which are more widespread through infected email attachments and third party websites.”

Ransomware schemes have been around for more than a decade but have recently spiked in intensity and ambition. PC World notes that ransomware attackers are now targeting companies and organizations in the hope of receiving more money.

Four months ago, security researcher Rafael Salema Marques showed how he coded ransomware for Mac in less than a week.

More recently, OS X security expert Pedro Vilaca posted code on GitHub for a Mac-targeted malware he had created in order to show how simple it was to crash the system.

Apple has taken the necessary steps to ensure that its computers reject KeRanger. It now has to turn its attention to ensuring that KeRanger is not superseded by mightier and more resilient followers.