Security researchers at Palo Alto Networks last week announced that they had found the first ransomware in the wild aimed at Macintosh computers, but Apple and one of its developers quickly neutered it.
The ransomware — a malware program that scrambles data on a computer and won’t unscramble it unless a ransom is paid — was embedded in software for installing an OS X app for sharing files on BitTorrent, a network known as a source for pirated content.
The malware, which Palo Alto Networks called “KeRanger,” was signed with a valid Apple Developer ID certificate stolen from a legitimate developer, so it passed OS X’s Gatekeeper check. Gatekeeper is designed to stop downloaded programs from running on a Mac unless they carry a valid signature from an Apple-registered developer.
After uncovering the ransomware, Palo Alto alerted Apple and the developer of the sharing software, the Transmission Project. Transmission pulled the infected installer from its website, and Apple revoked the stolen certificate so the malware would no longer pass Gatekeeper and could not be installed on a Mac.
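The checks just described, as an added example that is not part of the original article and is not the Transmission Project’s own tooling: a shell script that looks at a downloaded .app bundle the way Gatekeeper does, using xattr(1), codesign(1) and spctl(8) on macOS. The two parsing helpers run on any POSIX shell; the sample codesign output, the team identifier ABCDE12345 and the bundle path are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article or from the Transmission Project.
# Checks a downloaded .app the way Gatekeeper does: quarantine flag, code
# signature and signer, then the spctl verdict. Requires macOS for xattr(1),
# codesign(1) and spctl(8); the parsing helpers are plain POSIX sh.

# Reduce `spctl --assess` output ("<path>: accepted" / "<path>: rejected",
# followed by a "source=..." line) to a one-word verdict.
spctl_verdict() {
  case "$1" in
    *": accepted"*) echo accepted ;;
    *": rejected"*) echo rejected ;;
    *)              echo unknown ;;
  esac
}

# Pull the Developer ID team identifier out of `codesign -dvv` output, which
# includes a line of the form "TeamIdentifier=XXXXXXXXXX".
team_id() {
  printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Full check of one bundle. Prints the quarantine record (what makes Gatekeeper
# look at the app at all), whether the signature verifies, the signing team,
# and the Gatekeeper verdict. A signature whose certificate Apple has since
# revoked comes back "rejected" even though the signature itself still parses.
check_app() {
  app="$1"
  xattr -p com.apple.quarantine "$app" 2>/dev/null || echo "no quarantine attribute"
  if codesign --verify --strict "$app" 2>/dev/null; then
    echo "signature: valid"
  else
    echo "signature: invalid or missing"
  fi
  sig=$(codesign -dvv "$app" 2>&1)
  echo "signing team: $(team_id "$sig")"
  verdict=$(spctl --assess --type execute -vv "$app" 2>&1)
  echo "gatekeeper: $(spctl_verdict "$verdict")"
}

# Usage: sh check_app.sh ~/Downloads/Transmission.app   (placeholder path)
if [ $# -gt 0 ]; then
  check_app "$1"
fi
```

The quarantine attribute matters because Gatekeeper only assesses files a browser or other quarantine-aware app has flagged; an installer copied in by other means is never checked, so the spctl step is worth running by hand on anything fetched outside a browser.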
Although Kaspersky Lab spotted the makings of some Mac ransomware in 2014, “this is really the first functional ransomware for the Mac,” said Ryan Olson, threat intelligence director for Palo Alto’s Unit 42.
Three Days Too Long
Typically, ransomware launches itself immediately after infecting a machine, but KeRanger was built to sleep for three days before engaging in malicious behavior.
“The reason I think they did that was they wanted to prevent users from linking the downloading of Transmission to their systems being infected with malware,” Olson told the E-Commerce Times.
If a user who downloads Transmission and double-clicks the installer suddenly finds all the files on the machine encrypted and gets a demand for a ransom, that user is going to make the connection to Transmission, let people know about it, and reduce the malware’s spread time, he noted.
“People can do a lot of things with their computer in three days, so when their files get encrypted, they’re less likely to make that connection,” Olson said.
“In this case, it had a negative impact on them because in those three days, we identified the malware, Apple shut down the certificate, Transmission removed the installer from their website, and we were able to take a lot of actions to prevent this from being successful,” he added.
Even if the three-day strategy had bought the extortionists some more time, it’s doubtful the number of infections would have been significant, maintained Liviu Arsene, a senior threat analyst with Bitdefender.
“The chances of having a large number of people downloading that particular installer in three days isn’t that high — maybe a couple of hundred victims at most,” he told the E-Commerce Times.
That kind of low infection rate is uncharacteristic for ransomware.
“If you’re trying to make money with ransomware, infecting one BitTorrent client on a website isn’t going to make you a millionaire tomorrow,” said Chet Wisniewski, a senior security adviser with Sophos.
“If you look at the way Windows computers are getting infected, it’s hitting hundreds of thousands of people at a go. That’s how you make money,” he told the E-Commerce Times.
“Infecting one BitTorrent client on one website sounds to me more like a proof of concept than a trend,” Wisniewski added.
Indeed, there were signs that the malware was unfinished. For example, it contained code meant to scramble a Mac’s Time Machine backups that did not yet work.
“We saw some code called ‘encrypt Time Machine,’ but it wasn’t functional,” Palo Alto’s Olson said.
While this particular ransomware was aimed at BitTorrent users, Mac users should remain wary, warned Steve Kelly, president of Intego.
“The takeaway isn’t so much that this was limited to BitTorrent users,” he told the E-Commerce Times, “but that this sort of thing is possible and is likely to increase.”
As ransomware becomes a more popular way for extortionists to make a quick buck, its perpetrators have started expanding beyond its Windows roots.
“I think everybody should assume that the threat actors are going to make sure that they’re multiplatform supportive,” said Jeff Schilling, chief of operations at Armor.
“They definitely want their operations to be platform-agnostic,” he told the E-Commerce Times.
“We see ransomware in general being very popular with cybercriminals in 2016, and it is spreading from Windows to other platforms, such as Android and Linux,” said Stephen Cobb, a senior researcher at Eset.
“There is no reason to think criminals are not exploring ways to scam Mac users as well,” he told the E-Commerce Times.