Reactions to the KeRanger ransomware for Macs

+ Watch the recorded webinar: Inside a Docker Cryptojacking Exploit

Palo Alto researchers have discovered the first fully functional ransomware aimed at Mac users. The malware, dubbed KeRanger, has been found bundled into the Mac version of the open source Transmission BitTorrent client, and made available for download on the Transmission developers’ official website.

Here are some of the comments Help Net Security received.

Aviv Raff, CTO at Seculert

Aviv Raff, CTO at Seculert

The KeRanger ransomware for Macs demonstrates that ransomware is a growing trend. However, Mac shipments are less than 10 percent of the PC market, so the Mac platform is still a low yield target for cyber criminals.

The Mac platform is developed in a way that makes it easier for Apple to generate and deploy an OS fix than on PCs, by simply revoking a certificate. Unfortunately ransomware can be difficult to fix after the fact because you need to detect and stop it before it starts with the encryption process.

The best way to avoid a full-fledged ransomware attack is through early detection. Another way to protect your data is by having at least two backups active and in separate locations (e.g. in the cloud) at all times. That way if the hackers encrypt your laptop disk, you don’t need to worry or feel pressured to pay the ransom. You can just wipe the drive and restore from one of your backups.

Vann Abernethy, field CTO at NSFOCUS IB

Vann Abernethy, field CTO at NSFOCUS IB

As Apple computers and devices become more popular with corporate IT departments, there’s a recognition by attackers that valuable data and resources are available by targeting Mac users. These type of attacks will become increasingly common as the platform gains acceptance within the enterprise world, just as Microsoft Windows is targeted for similar reasons.

Mac users need to be educated on basic information security practices, just like Windows users have been over the past 10-15 years. Common security practices need to be adopted for Mac users, and information security operations professionals need to develop processes and awareness to manage this need.

Mac users also need to exercise caution when installing applications and application updates, make use of antivirus and anti-malware tools, as well as be diligent about application updates.

The Apple ecosystem is an attractive target for attackers, and users must be vigilant and aware of the risks.

Kudos to Apple for being proactive and quickly revoking the vendor digital certificate being used by the ransomware allowing it to be installed. By revoking the certificate, users must now consciously install software with an unknown or invalid certificate – something that is much rarer on Macs than on Windows devices.

David Kennerley, Senior Manager for Threat Research at Webroot

David Kennerley, Senior Manager for Threat Research at Webroot

Ransomware has been on the rise in recent months, with Lincolnshire County Council being hit by a £1m demand in late January. Given the potential gains for attackers, it’s no surprise that they are now diversifying and targeting OS X – a popular system with a large target base. Add to this the fact that many people believe they are safe from such malware when running OS X, this ransomware has the potential to impact a huge number of people.

The reason this criminal business model is so successful is that the cost of decrypting the files by paying the ransom is now seen as more cost effective than restoring from offline backups’– if they even exist. This is especially the case for organisations, where mission critical data has been encrypted, not just on the one machine but the entire network. This was highlighted recently when a hospital in Los Angeles paid the ransom demands, resulting in the fastest possible option for restoring normal operations.

Organisations need to be aware of this type of threat and take all necessary steps to protect their infrastructure and data by using threat intelligence and backup solutions. As with any attack, the threat actor will firstly attempt to target the weakest link in any security set-up. Nine times of out ten that’s the end user, so organisations need to invest in security education programs and initiatives, and reward those with good security practices.