Apple users around the world have been rocked by news of an attack targeting Mac computers with ransom software (ransomware) designed to lock the affected computer until the victim pays money for its release.
Discovered by security researchers Palo Alto Networks and dubbed ‘KeRanger’, the virus is the first of its kind found on live systems.
After infection, the ransomware reportedly remains dormant on the computer for a period of three days before connecting to a home server, at which point it encrypts files and locks out the user, demanding a payment of one bitcoin (about $A540) to release the system back to its owner.
Similar malicious software targeted at Apple’s Mac OS X has been discovered before, but the malware in question was not operational.
“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Palo Alto threat intelligence director Ryan Olson told Reuters.
The virus was discovered inside Transmission, a BitTorrent app favoured by Mac users.
BitTorrent is a digital transfer method that allows users to upload and download any digital file via the internet. It is used predominantly to illegally access copyright-protected media, although there are also many legitimate uses.
To become infected a user need only to have downloaded and installed the Transmission file on their Mac computer. Three days later, encryption and lockout would result.
While these attacks have been commonplace for Windows PC users – everyone from police forces to hospitals and home users has been affected around the world – an attack such as this is almost unheard of in the world of Apple computers.
How did this happen?
Transmission is an open source project, meaning the source code for the program is freely available to the public to allow any computer programmer to help improve the program. A hacker with this source code could rewrite parts of the software to perform malicious actions.
But having access to the source code of a program is not enough; the hacker then needs to generate a legitimate developer ID (a code-signing certificate) for the software and hack the official Transmission website to replace the regular installer files with their own infected files.
This appears to be the case with KeRanger, as the hacker was able to bypass Apple’s Gatekeeper software, which examines a newly downloaded program to ensure it carries an ID code from a registered Apple software developer.
Once Gatekeeper gives its tick of approval, the new software is installed and active, free to perform any function it is programmed to do.
Apple has since revoked the certificate attached to the offending version of the Transmission installer, which will no longer pass Gatekeeper’s watchful gaze.
Transmission has also released an update of its program. Current users are strongly encouraged to download the latest version of the app to protect themselves.
Instructions on how to examine your system files can also be found here.
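As an added example (not from the article, Palo Alto Networks or the Transmission project), the following shell function performs the check a Mac user would want after the revocation described above: it verifies that an installed app bundle still carries an intact developer signature and that Gatekeeper still accepts it. It assumes a macOS host with the stock `codesign` and `spctl` tools; the bundle path is supplied by the caller.

```shell
#!/bin/sh
# Added example: assess whether a macOS app bundle still passes Gatekeeper.
# A revoked Developer ID certificate (as with the trojanised Transmission
# installer) is reflected in spctl's verdict, while codesign alone may still
# report a structurally valid signature, so both checks are run.
#
# Return codes of assess_app:
#   0 = signature intact and Gatekeeper accepts the bundle
#   1 = codesign or spctl rejected the bundle (treat as untrusted)
#   2 = codesign/spctl not available (not running on macOS)
#   3 = the given path does not exist

assess_app() {
    app="$1"
    [ -e "$app" ] || { echo "no such bundle: $app" >&2; return 3; }
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "codesign/spctl not found; run this on macOS" >&2
        return 2
    fi
    # Strict, deep verification of the signature over every nested component.
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: signature missing, broken or tampered: $app"
        return 1
    fi
    # Gatekeeper's own verdict; this is where a revoked certificate shows up.
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "FAIL: Gatekeeper rejects $app (certificate revoked or policy denies)"
        return 1
    fi
    # Show the signing chain and Team ID so they can be compared with the
    # identifiers the vendor publishes for its releases.
    codesign -dvv "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' || true
    echo "OK: $app passes signature verification and Gatekeeper assessment"
    return 0
}

# Usage on macOS (path is an example): assess_app /Applications/Transmission.app
```

A bundle that returns 1 should be removed and reinstalled from the vendor's current, correctly signed release rather than launched.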
Possibly just the beginning
The wider implications of this ransomware are disturbing – this attack is a proof of concept.
For years now, Mac users have enjoyed an enviable position, with the majority of computer viruses and malware directed at Windows users and, recently, mobile operating systems, like Android and iOS.
The live release of KeRanger indicates hackers have a tested delivery method to infect any Mac operating system without being detected by the operating system’s built-in security measures. Next time there may not be a three-day waiting period.
More worryingly, there are indicators this is only the beginning.
The Palo Alto spokesman said the KeRanger ransomware is still “under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data”.
Of course, Mac users who do not use Transmission will remain unaffected, for now.
However, considering hacking groups have the resources to hack large software companies, it may be only a matter of time before we see wide-scale attacks initiated from inside formerly legitimate programs.