Apple users were targeted by hackers over the weekend in a first-of-its-kind attack campaign involving Mac ransomware. Palo Alto Threat Intelligence Director Ryan Olson said that the “KeRanger” malware emerged on Friday and was the first functioning ransomware to affect Mac computers.
“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Reuters quoted Olson as saying.
According to Palo Alto, the hackers used a tainted copy of a popular programme known as Transmission to infect Macs. The programme is used to transfer data through the BitTorrent file-sharing network. Palo Alto said in a blog post that when Mac users downloaded the newest version of the programme, Transmission 2.90, which was released on Friday, their computers were infected with the ransomware.
“Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred,” Palo Alto said in the blog entry.
The ransomware could pass easily through Mac’s security system since it was “signed with a valid Mac app development system,” which tricked the OS X operating system into treating it as legitimate software.
KeRanger waited for three days before carrying out the attack. The malware then encrypted certain types of data files and documents on the system. Once the process was complete, KeRanger demanded one Bitcoin from the user, equivalent to US$400 (AU$539) according to the latest rate by CoinDesk.
Palo Alto reported the issue to Apple on March 4, following which Apple revoked the abused certificate and updated its anti-virus. The malicious software has also been removed from Transmission’s site.
“As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully-functional ransomware seen on the OS X platform,” Palo Alto wrote in a blog post, as quoted by CNBC.
Ransomware, a growing cyber threat, encrypts the data on an infected machine and asks the user to pay a ransom in exchange for a digital key that can be used to recover the encrypted data. The ransom is demanded in difficult-to-trace digital currencies.