First Mac Ransomware Attack Reported7 Mar
Over the weekend the first reported case of ransomware on a Mac was released. Neovera partner Palo Alto Networks helped find and shut down the ransomware known as “KeRanger”, which was wrapped into a free Mac BitTorrent client known as Transmission. It wasn’t initially clear how KeRanger was uploaded but it appeared to affect anyone using or downloading version 2.90 of the client: “It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.” Apple and security research teams subsequently snuffed it out.
Historically, ransomware targets computers running Microsoft Windows mainly because Windows computers are more widely used – especially in a business setting where more and more ransomware attacks are occurring today. However, the quick action by Palo Alto Networks allowed Apple to curb the problem almost immediately, “We reported the issue to the Transmission Project and to Apple immediately after we identified it. Apple has since revoked the abused certificate, and Gatekeeper will now block the malicious installers. Apple has also updated XProtect signatures to cover the family, and the signature has been automatically updated to all Mac computers now. As of March 5, Transmission Project has removed the malicious installers from its website.”
How can you find out if you might have been exposed to KeRanger? If you’ve never used or downloaded Transmission you don’t have to worry; if you have, here are a few other options to sidestep this potentially devastating ransomware attack:
- Through your Terminal application, check if /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ exist – if they do, delete the Transmission program.
- Use your “Activity Monitor” to check if the “kernel_service” process is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users/<username>/Library/kernel_service” – this is KeRanger’s main process and you should terminate it with “Quit -> Force Quit”.
- Users should also see if the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in ~/Library directory. If they are present, delete them immediately.
Today, cyber attacks go after large networks that have more valuable data instead of a single person or a small number of users with invaluable data. A large organization that collects and stores a significant amount of valuable data may be more apt to comply because of the importance of their data and the fear of it being lost forever. Be prepared by keeping offline and cloud backups of your most important data so that a ransomware attack won’t have the same halting effect as it has had on so many other organizations.