KeRanger brings ransomware to the Mac

Posted by Mike Vizard on Mar 8, 2016 9:44:20 AM

Not too long ago, one of the benefits of using a Macintosh for work was that there weren’t enough of these systems in place to make it worthwhile for hackers to target them. Fast forward to today, and the growing popularity of Apple's Mac computers has now made them a much more lucrative target. Case in point is a new piece of ransomware that specifically targets Macs.

Like other pieces of ransomware, KeRanger malware counts on social engineering techniques to trick end users into clicking on an attachment that installs malware on their system. This malware gives the hacker the ability to encrypt all the data on that machine, and the only way to get that data back is to pay the hacker for the keys needed to decrypt it.

How KeRanger works

KeRanger can encrypt more than 300 file extensions, including documents, photos, videos, archives, etc. When a file is encrypted, its file extension changes to .encrypted, and the malware creates a text file demanding a ransom of one Bitcoin, which is about $400. Of course, the hacker controls the server generating the message, which means they can, for example, change the amount of ransom being demanded at will.
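The following added example, which is not part of the original article, walks a directory tree and reports which folders already hold files with the .encrypted extension described above and what fraction of each folder has been renamed. The sample tree, the file names, and the treatment of neighbouring .txt files as ransom-note candidates are assumptions made for illustration.

```python
import os
import tempfile

ENCRYPTED_SUFFIX = ".encrypted"  # extension the article says encrypted files receive


def triage(root):
    """Map each directory under root that holds *.encrypted files to a summary."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_SUFFIX))
        if not encrypted:
            continue
        rest = sorted(f for f in files if f not in encrypted)
        # A text file beside encrypted files is only a *candidate* ransom note;
        # the article gives no file name, so none is assumed here.
        notes = [f for f in rest if f.lower().endswith(".txt")]
        intact = [f for f in rest if f not in notes]
        report[os.path.relpath(dirpath, root)] = {
            "encrypted": encrypted,
            "intact": intact,
            "note_candidates": notes,
            # Below 1.0 means some files in this directory were not yet renamed.
            "fraction_encrypted": len(encrypted) / (len(encrypted) + len(intact)),
        }
    return report


def build_sample_tree(root):
    """Create a constructed directory tree of empty files for the demo."""
    layout = {
        "Documents": ["budget.encrypted", "plan.encrypted", "notes.pdf",
                      "PLACEHOLDER_NOTE.txt"],
        "Pictures": ["a.encrypted", "b.encrypted"],
        "Music": ["song.mp3"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for folder, info in sorted(triage(build_sample_tree(tmp)).items()):
            print(folder, info)
```

A folder whose fraction is below 1.0 still holds files that have not been renamed, which is the situation where isolating the machine promptly preserves the most data.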

The good news for IT service providers that have to combat this threat is that Apple has already revoked the misused certificate to prevent users from opening the infected installer even if it is downloaded from a third-party location. In addition, there are anti-malware offerings capable of detecting KeRanger. The bad news is that by the time a KeRanger infection is detected, the ransomware may have already started to encrypt data.

But for the moment at least, estimates suggest that only about 7,000 Apple machines have been infected by KeRanger. The infection was spread through downloads of Transmission, a popular open source torrent software, and the Transmission site now carries a warning advising users to upgrade to a new version immediately because version 2.90 of its software may have included a malware-infected file.

The Year of Ransomware

This was the first functional ransomware targeting OS X systems, but more of these types of attacks are certainly on their way. The Institute for Critical Infrastructure Technology (ICIT) released a report this week that says 2016 may very well be remembered as the year ransomware wreaked havoc.

Ransom is often determined by what the victim can afford to pay. The ICIT reports that the average ransom, as of 2015, is around $300. That number is often chosen because it represents less than half the price of a new laptop or mobile device. Of course, when ransomware gets spread across an entire organization, the amount of ransom demanded starts to climb.

As for the criminals involved, ICIT notes that ransomware can be acquired by almost anybody for about $2,000 on the dark web. Creating a phishing page and setting up a mass spam email costs an additional $150, according to ICIT.

ICIT says perpetrators of these schemes have more in common with highwaymen of old than modern hackers. Hackers are looking to steal data, but all a purveyor of ransomware wants to do is prevent an organization from conducting its normal business. While that subtlety may be lost on the average victim, that lack of attempt to steal something makes it harder to track down the individuals distributing ransomware, especially when they demand to be paid using digital currencies such as Bitcoin.

An important lesson for Mac users

In the meantime, Mac users need to come to terms with the fact that there is no hiding anymore from malware. The Macintosh might still be more secure than Windows or some other platform, but regardless of the platform running, every IT service provider knows there’s usually little to no defense against malware that an end user deliberately loads onto their system.

Topics: Malware