For The First Time Ever, Apple Mac Users Are Victims to Ransomware

Tough luck to all Mac fans who have often sung the praises of Apple as untarnished and infection-free compared with their Android counterparts. For the first time ever, Apple users have fallen prey to ransomware.

Ransomware is becoming one of the fastest-growing types of cyber threat. It works by encrypting the data on infected machines and then demanding that users pay a ransom, typically in hard-to-trace digital currencies, to obtain the electronic key they need before they can decrypt and retrieve their data.

This particular ransomware, dubbed “KeRanger” by the Palo Alto Networks researchers who discovered it, is said to be the first fully functioning ransomware to attack Apple’s Mac computers. Apple’s Mac operating system (Mac OS X) has generally been considered a secure system because it is more locked down than the myriad of devices running Windows. As Greg Day, Palo Alto Networks’ chief security officer for Europe, the Middle East and Africa, told the BBC, it is harder to write malware for Macs because there is less of it around; however, cyber-criminals are working harder to target them now that these computers are more commonly used.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” said Palo Alto Networks Threat Intelligence Director Ryan Olson in a telephone interview with Reuters.

While KeRanger is believed to be the first live ransomware targeting Macs, it is not the first time Mac-targeting ransomware has been detected by security experts. Back in 2014, Kaspersky Lab discovered a new piece of ransomware targeting Apple users, although it was incomplete at the time.


How the KeRanger ransomware came about

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data over the BitTorrent peer-to-peer file-sharing network. Palo Alto Networks researchers Claud Xiao and Jin Chen found the KeRanger ransomware hidden in the BitTorrent client this past Friday and warned the Transmission team of the infection.

The Transmission site offers the open-source software that was infected with KeRanger. Transmission is one of the most popular Mac applications for downloading and sharing files such as software, videos and music over the BitTorrent peer-to-peer network.

Hackers somehow injected KeRanger into the downloads offered on the official site. Mac users who installed Transmission version 2.90 on OS X from the official website between 4th and 5th March, or shortly before the weekend, are probably at risk of infection. Palo Alto Networks researchers noted on their blog that KeRanger is programmed to stay quiet for three days after infecting a computer.

After that it connects to the attackers’ server and starts encrypting files so that they are almost impossible to access without the decryption key. The hackers have reportedly demanded a ransom of 1 Bitcoin, about $400, to unlock infected computers.


Taking care of the issue


On Sunday the Transmission site issued a warning to its users, in a notice emblazoned in red, that version 2.90 of its Mac software had been infected with malware. Transmission also removed the malicious version from its website and released a version that, according to the site, automatically removes the ransomware from infected Macs. Transmission users are advised to upgrade immediately to the new version 2.92 if they suspect they might be infected, or to delete the malicious version.

Those who upgrade to the clean, ransomware-free version 2.92 of Transmission by Monday, 11am PT (7pm UTC) are believed to be able to avoid having their files encrypted.

After being informed of KeRanger, an Apple representative said the company had taken steps over the weekend to prevent further infections by revoking the digital certificate that had allowed the rogue software to install on Macs. Fortunately, Forbes reports that only around 6,500 users were affected by the ransomware, thanks to Apple quickly revoking the certificate used to sign the file and updating the definitions for XProtect, Apple’s built-in anti-malware technology. The Apple representative nevertheless declined to provide further details, and Forbes stated that Apple had not responded to a request for comment.
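For a reader who wants to check an installed copy against the versions named above, here is an added example (not code from the article or the Transmission project) that reads the bundle version, classifies it as the tainted 2.90 build, the clean 2.92 release or something in need of an update, and on macOS asks Gatekeeper whether the bundle’s signature is still accepted, which is where Apple’s certificate revocation takes effect. The default path /Applications/Transmission.app is an assumption, and the sample bundle it creates is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or the Transmission project: checks a
# Transmission.app bundle against the versions named above (2.90 tainted, 2.92
# clean) and, on macOS, asks Gatekeeper whether its signature is still accepted,
# which is where Apple's certificate revocation takes effect. The default path
# /Applications/Transmission.app is an assumption.

# Print CFBundleShortVersionString from a plain-XML Info.plist.
bundle_version() {
    awk '/<key>CFBundleShortVersionString<\/key>/ {
             getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$1"
}

version_ge() {   # succeed when dotted version $1 >= $2, numeric per component
    awk -v a="$1" -v b="$2" 'BEGIN { n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1 }
        exit 0 }'
}

# tainted: the version named in the advisory; clean: 2.92 or later;
# unknown: anything else, which should simply be updated.
classify_version() {
    if [ "$1" = "2.90" ]; then echo tainted
    elif version_ge "$1" 2.92; then echo clean
    else echo unknown; fi
}

check_app() {   # check_app [bundle]: exit status 0 only when the build is clean
    app="${1:-/Applications/Transmission.app}"; plist="$app/Contents/Info.plist"
    [ -f "$plist" ] || { echo "no Transmission bundle at $app"; return 2; }
    ver=$(bundle_version "$plist"); verdict=$(classify_version "$ver")
    echo "Transmission $ver: $verdict"
    if command -v spctl >/dev/null 2>&1; then   # Gatekeeper check, macOS only
        spctl --assess --type execute "$app" 2>/dev/null \
            && echo "Gatekeeper accepts the signature" \
            || echo "Gatekeeper rejects the signature (revoked or unsigned)"
    fi
    [ "$verdict" = clean ]
}

# Constructed sample bundle so the script runs offline; point check_app at a
# real install instead.
demo=$(mktemp -d); mkdir -p "$demo/Transmission.app/Contents"
printf '<plist version="1.0"><dict>\n  <key>CFBundleShortVersionString</key>\n  <string>2.90</string>\n</dict></plist>\n' \
    > "$demo/Transmission.app/Contents/Info.plist"
check_app "$demo/Transmission.app" || true   # prints "Transmission 2.90: tainted"
rm -rf "$demo"
```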

However, according to the Palo Alto Networks blog post, “KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data”, so this may not be the last we hear of ransomware attacks on Apple Macs.



[1] Palo Alto Networks blog

[2] Transmission

[3] Forbes

[4] Daily Mail

[5] CNET

[6] BBC

[7] The Register


  1. Shadowtek says:

    This comes on the heels of the Linux Mint breach. It’s a whole new sad ballgame once official sources have to be distrusted.

    I thought I was being smart by doing daily backups, but I don’t guess it’s so smart after all if I leave that file system mounted where the files can be accessed by compromised programs. It seems that keeping them unmounted until needed is the only sane recourse considering the growing ransomware threat.

    And of course RAID is laughably irrelevant.
