New ransomware targets Apple Mac computers for 1st time

For the first time, Mac users are being attacked with a type of malicious software called ransomware. Now more details about its spread are coming to light.

KeRanger malware infected popular Transmission software during a cyberattack on software's developer

A customer uses an iPhone and a Macbook computer at the Genius Bar in the Apple Store at Grand Central Station. Palo Alto Threat Intelligence Director Ryan Olson said the "KeRanger" malware, which appeared on Friday, was the first functioning ransomware attacking Apple's Mac computers. (Brendan McDermid/Reuters)

The first known ransomware attack on Apple Inc's Mac computers, which was discovered over the weekend, was downloaded more than 6,000 times before the threat was contained, according to a developer whose product was 
tainted with the malicious software.

Hackers infected Macs with the "KeRangerransomware through a tainted copy of Transmission, a popular program for 
transferring data through the BitTorrent peer-to-peer file sharing network.

So-called ransomware is a type of malicious software that restricts access to a computer system in some way and demands the user pay a ransom to the malware operators to remove the restriction.

KeRanger, which locks data on Macs so users cannot access it, was downloaded about 6,500 times before Apple and developers were able to thwart the threat, said John Clay, a representative for the open-source Transmission project.

That is small compared to the number of ransomware attacks on computers running Microsoft Corp's Windows operating system. Cyber security firm Symantec Corp observed some 8.8 million attacks in 2014 alone.

More Mac attacks expected

Still, cyber security experts said they expect to see more attacks on Macs as the KeRanger hackers and other groups look for new ways to infect Mac computers. "It's a small number but these things always start small and ramp up huge," said FidelisCybersecurity threat systems manager John Bambenek. "There's a lot of Mac users out there and a lot of money to be made."

 Symantec, which sells anti-virus software for Macs, warned on its blog that "Mac users should not be complacent." The post offered tips on protecting against ransomware.

Apple CEO Tim Cook looks at a new iMac after a presentation in 2014. An Apple representative said the company had taken steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs. (Robert Galbraith/Reuters)

The Transmission project provided few details about how the attack was launched.

"The normal disk image (was) replaced by the compromised one" after the project's main server was hacked, said Clay.

He added that "security on the server has since been "increased" and that the group was in "frequent contact" with 
Apple as well as Palo Alto Networks, which discovered the ransomware on Friday and immediately notified Apple and 
Transmission.

An Apple representative said the company quickly took steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs.

Transmission responded by removing the malicious 2.90 version of its software from its website 
(www.transmissionbt.com). On Sunday, it released version 2.92, which its website says automatically removes the ransomware from infected Macs.
 
Forbes earlier reported on the number of KeRanger downloads, citing Clay.  

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.