For the first time ever, Mac users are being targeted by functional ‘ransomware’: malware that seizes hold of the computer, encrypts the files on it and demands a cash payment, or ‘ransom’, to unlock them. You’ve no doubt heard of ransomware on PCs, and if you’re like me you probably know a handful of people who have actually been hit by it (and consequently forced to pay out). Up until now Mac computers were widely assumed to be immune, but security researchers at Palo Alto Networks have announced a ‘first of its kind’ ransomware targeting Apple computers, and it demands one bitcoin (about $400 at the time) to unlock the machine, or you risk losing everything on it.
This ‘first of its kind’ ransomware is known as “KeRanger”, and according to the Metro UK it first appeared just last Friday (4 March 2016). Once it takes hold of your machine, KeRanger sits quietly for about three days, then encrypts the documents and data under your user folder and on any mounted volumes, demanding a ‘ransom’ of one bitcoin, about $400 (£280), to decrypt the files and recover your computer.
Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.
An Apple representative said the company had taken steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs. The representative declined to provide other details.
Before we get to more details on how to spot the ‘KeRanger’ malware and how to avoid it, one thing of note here is that, while I’ve never personally been hit with ransomware and forced to pay out the ransom to decrypt my files, there was a time when I thought I had. For the life of me I don’t remember what site I was on, because the second this happened I began to panic, but I had a pop-up that wouldn’t let me close it, and it appeared to be a ‘ransomware’ warning.
I was able to force quit the application (my browser) and close out of it, because it was just a shitty, shitty awful pop-up ad designed to look like ransomware. At the time, though, it was pretty unnerving. So you should know what to look for if and when your computer ever gets hit with a ransomware virus.
Now, as for the ‘KeRanger’ ransomware… Here’s what you need to know:
1.) It was spread via a tainted copy of the ‘Transmission’ BitTorrent client: the 2.90 installer offered for download on Transmission’s own website on Friday and Saturday (4–5 March) was the infected one. KeRanger does not spread through BitTorrent traffic itself, so the question is whether you downloaded Transmission over that weekend, not whether you used BitTorrent. If you did, run the checks below and either delete that copy of Transmission or upgrade to version 2.92 or later, which the Transmission project released specifically to remove KeRanger.
2.) Palo Alto Networks has a handy guide on how to protect yourself from this nefarious ransomware, one that you should definitely read in full. If you don’t have time right now, here’s a quick summary:
a) Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. A legitimate copy of Transmission has no such file; if either exists, that copy of Transmission is infected and should be deleted.
b) Using “Activity Monitor” (preinstalled in OS X), check whether any process named “kernel_service” is running. If so, double-click the process, choose the “Open Files and Ports” tab and check whether a file named /Users/<username>/Library/kernel_service is listed (Figure 12 in the Palo Alto post). If so, the process is KeRanger’s main process, and you should terminate it with “Quit -> Force Quit”.
c) After these steps, check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in your ~/Library directory (the first three are hidden, so use Terminal or turn on hidden files in Finder). If so, delete them.
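As an added example that is not part of the original post or of Palo Alto’s write-up, here is a bash script that performs checks a) to c) above in one pass: it looks for General.rtf in the two Transmission.app locations, for the four KeRanger artifact files in ~/Library, and for a running kernel_service process. The ROOT and HOME arguments to keranger_indicators are my own addition so the function can be exercised against a constructed directory tree; on a real Mac the script calls it with / and your home directory.

```bash
#!/bin/bash
# keranger_check.sh  (added example; not the post's or Palo Alto's own code)
#
# Indicators from Palo Alto Networks' KeRanger write-up, checked in one pass:
#   a) Transmission.app/Contents/Resources/General.rtf  (the malicious payload)
#   b) a running process named kernel_service
#   c) kernel_service, .kernel_pid, .kernel_time, .kernel_complete in ~/Library

# keranger_indicators ROOT HOME
#   ROOT is normally "/" and HOME the user's home directory; both are parameters
#   (my assumption, not part of the published procedure) so the function can be
#   run against a constructed directory tree.
#   Prints one line per indicator found, "<TYPE> <path>".
#   Returns 0 if nothing was found, 1 if at least one indicator is present.
keranger_indicators() {
    local root="${1%/}" home="${2%/}"
    local found=0 app f

    # a) the payload masquerading as a rich-text file inside the app bundle
    for app in "$root/Applications/Transmission.app" \
               "$root/Volumes/Transmission/Transmission.app"; do
        if [ -f "$app/Contents/Resources/General.rtf" ]; then
            echo "INFECTED_APP $app/Contents/Resources/General.rtf"
            found=1
        fi
    done

    # c) runtime artifacts KeRanger drops in ~/Library (three of them hidden)
    for f in kernel_service .kernel_pid .kernel_time .kernel_complete; do
        if [ -e "$home/Library/$f" ]; then
            echo "ARTIFACT $home/Library/$f"
            found=1
        fi
    done

    return "$found"
}

# keranger_process
#   b) prints the PIDs of any process whose command name is exactly
#   kernel_service. Follows pgrep's convention: 0 if one is running, 1 if not
#   (or if pgrep is unavailable).
keranger_process() {
    command -v pgrep >/dev/null 2>&1 || return 1
    pgrep -x kernel_service
}

# Stand-alone use: check the live system the script is running on.
if keranger_indicators / "$HOME"; then
    echo "No KeRanger file indicators found."
else
    echo "KeRanger indicators present: delete the listed files and this copy of Transmission."
fi
if pids=$(keranger_process); then
    echo "kernel_service is running (PID $pids): force-quit it, e.g. kill -9 $pids"
fi
```

Run it with `bash keranger_check.sh` on the Mac in question. A clean result only means the published indicators are absent; if you installed Transmission 2.90 over that weekend, still replace it with 2.92 or later.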
According to Metro, an Apple representative said that over the weekend the company revoked the digital certificate that let the ransomware install on Mac computers (KeRanger was signed with a valid Apple developer certificate, which is why Gatekeeper let it through), but declined to provide any more information than that. Revoking the certificate blocks new installs; it does nothing for machines that were already infected, and because KeRanger waits roughly three days before it starts encrypting, anyone who installed Transmission over the weekend should run the checks above now rather than wait and see. So while this may be the end of this particular attack, we have no way of knowing for sure, and since this is the first fully functional ransomware seen on Mac computers, I think we should all be on high alert for attacks of this kind going forward.
For more information on the ‘KeRanger’ ransomware attack you can follow the links above over to Palo Alto Networks and/or Metro UK!