lolloj - Fotolia

Ransomware migrates to Apple Mac computers

Apple Mac users and security professionals must be more vigilant with the discovery of what is believed to be the first Mac OS X ransomware in the wild

Security researchers have uncovered what is believed to be the first active malware to encrypt Apple Mac computers and demand ransom to unlock them.

Mac computers tend to be regarded as relatively safe from attack, but the migration of so-called ransomware targeting the Microsoft Windows operating system to Apple’s Mac OS X is yet another indicator that things are changing.

Mac users need to be more vigilant and aware of the risks, while cyber security professionals need to equip themselves to identify and quickly respond to this new malware threat, especially in having a pragmatic approach in place for managing extortion-style threats, say security industry pundits.

“As Apple computers and devices become more popular with corporate IT departments, there's a recognition by attackers that valuable data and resources are available by targeting Mac users,” said Vann Abernethy, chief technology officer at security firm NSFOCUS IB.

“These types of attacks will become increasingly common as the platform gains acceptance within the enterprise world, just as Microsoft Windows is targeted for similar reasons,” he said.

Ransomware is currently one of the most popular ways for cyber criminals to extort money from individuals and organisations in the form of the unregulated bitcoin cryptocurrency.

According to the UK National Crime Agency, ransomware is one of the top international cyber threats, along with distributed denial of service (DDoS) attacks and bullet-proof hosting services.

The newly discovered KeRanger ransomware targeting Mac was discovered hidden in a version of the Transmission BitTorrent client by researchers from security firm Palo Alto Networks.

Read more about ransomware

  • Businesses are still getting caught by ransomware, despite the fact that there are fairly straightforward methods to avoid it.
  • Criminals use devices compromised for click fraud as the initial step in a chain of infections leading to ransomware attacks, warns security firm Damballa.
  • The first half of 2014 saw an increase in online attacks that lock up user data and hold it to ransom.
  • The Cryptolocker ransomware caught many enterprises off guard – but there is a defence strategy that works against it.

Developer certificate fools security

Like its Windows counterparts, KeRanger encrypts files on infected computers with a strong encryption algorithm and contains a payment process enabling the victim to purchase decryption for 1 bitcoin currently worth around £290.

A special feature of KeRanger is a three-day delay after infection, which researchers believe was aimed at getting as many users to download the infected version of the Transmission client before its hidden payload was revealed.

By hiding the ransomware in the Transmission client for downloading and sharing BitTorrent files, attackers were attempting to bypass Mac OS security because the Transmission software is signed with a valid developer certificate, causing the Mac operating system to consider it safe and allow installation.

Craig Young, security researcher at Tripwire said malware families like Genieo are prevalent on Mac OS X, demonstrating that the gatekeeper walled garden approach is not totally successful. 

“This technology which is designed to prevent users from running untrusted code is often times disabled and has been the subject of several bypass techniques over the years.  Malware authors have also demonstrated that they can get malicious code signed with trusted certificates as was the case with KeRanger. Services have even evolved to perform malware signing as a service for both OS X and iOS enterprise certificates,” he said.

Security education for Mac users

It is not clear how Keranger was hidden in the Transmission client, but Apple has revoked the certificate on the infected software (version 2.9) to prevent any further installations and Transmission's developers have released a new version (version 2.92), reports the BBC.

All users of the Transmission BitTorrent client on Apple Macs are urged to upgrade to the latest version as soon as possible.

The discovery of Keranger is a sign that Mac users need to be educated on basic information security practices, just like Windows users have been over the past 10 to15 years, said Abernethy.

“Common security practices need to be adopted for Mac users, and information security operations professionals need to develop processes and awareness to manage this need, and Mac users need to exercise caution when installing applications and application updates, make use of antivirus and anti-malware tools, as well as be diligent about application updates,” he said.

According to Matt Walmsley, European director at Vectra Networks, the trouble with corporate security for Macs is that they do not always integrate seamlessly due to differences in the OS, especially with traditional end point systems.

Where support is available, it’s often by a separate client that has to be downloaded, configured and monitored – all of which requires admin privileges and control, which may not always be viable in today’s bring your own device (BYOD) scenarios,” he said.  

Network traffic analysis

With Mac OS gaining workplace market share, Walmsley said a more comprehensive way of protecting Apple machines is using network traffic as the primary data source, rather than network endpoint clients, to identify in-progress cyber attacks.

“This way, all network connected devices are covered – whether they are owned, visiting, PC, Mac, Mobile, IoT or otherwise. Windows-based PCs will remain a key target for user-centric cyber attacks, but Macs and mobile devices will increasingly become targets for malware, ransomware and targeted attacks,” he said. 

Walmsley said that while ransomware infections can potentially cause debilitating attacks that can freeze critical business assets and intellectual property, there is no reason for data to be lost.

“Recent developments in advanced data science now mean that real-time analysis of network traffic can identify live cyber threats before they are able to organise and cause damage. Only by having such visibility within the enterprise network can organisations hope to avoid the potentially devastating effects of ransomware,” he said.

Kevin Epstein, vice-president, Threat Operations Centre at Proofpoint said, given that ransomware has proved to be financially extremely lucrative for cyber criminals, it was only a matter of time before any platform is attacked.

Update disaster recovery plans

“Regardless of what device or OS users are running, the challenge remains the same: research has shown people are the weakest link. Users should not download apps of questionable origin, they should not open email attachments or click on unexpected links in email or social media and, if impacted by malicious software, they should immediately consult an IT security professional,” he said.

Intermedia’s chief technology officer Jonathan Levine said CIOs do not always realise exactly how dependent their companies are on their networks.

“When one system is down, a business can usually limp along with alternate systems, but the risk of a ransomware attack is that everything that connects to the network – file systems, email systems, even phones – may have to be taken offline, and modern businesses simply can't function anymore with just pen and paper.

“It's clear that people responsible for corporate systems need to add ransomware to the scenarios contemplated in their disaster recovery plans. Mitigating this will require IT departments to make provisions for accessing critical business information quickly and reliably even after file servers and workstations have been compromised,” he said.

Read more on Hackers and cybercrime prevention