New Mac-Targeting Ransomware is a Real Bad Apple

March 21, 2016

b2ap3_thumbnail_iphone_ransomware_400.jpgRansomware has been spreading like wildfire over the past few years, but up until very recently, Mac users were spared from this troubling development. Now, security researchers at Palo Alto Networks have discovered what they believe to be the first instance of completed ransomware on an Apple device. As this threat is “in the wild,” Mac users should be wary of it and see it as a potential threat.

The ransomware in question, KeRanger, is believed to be the first completed ransomware to exist on the OS X operating system. In 2014, Kaspersky Labs discovered an incomplete form of ransomware for the Mac platform, but it didn’t pose an immediate threat. Now, however, KeRanger marks the beginning of more dangerous threats finally making their way to Apple’s operating systems.

To make matters worse, this ransomware is spread through a torrenting software called Transmission, which is designed to share files. Though torrenting software has a bad reputation for distributing pirated content, like copyrighted films, tv shows, music, and much more, it has plenty of legitimate uses, as well.

As explained by CNet:

If a user installed one of the infected versions of Transmission, an executable file embedded within the software would run on the system. At first, there’d be no sign of a problem. But after three days, KeRanger would connect with servers over the anonymous Tor network and begin encrypting certain files on the Mac’s system.

Researchers have concluded that KeRanger is still under development, and is seeking a way to also encrypt the victim’s backup data. In many cases, restoring a backup of your system’s data is the only way to remove ransomware. Thus, KeRanger is taking a significant step toward making it virtually impossible to recover your data without paying the ransom.

In response to the threat, Apple has revoked the security certificate that KeRanger takes advantage of, and has updated its XProtect antivirus software. Transmission has also removed the infected versions of its installer from its website. Still, those who already have unknowingly downloaded the Transmission installer between March 4th and 5th 2016 may be affected by KeRanger. If you want to know more about how to identify if you’re affected by KeRanger, you can review how to protect yourself on Palo Alto Networks’ site.

As is the case with most other ransomware, decrypting the files on your own is nearly impossible. This is how hackers make their money off of ransomware; they play to the fear that users won’t be getting their data back. This is the reason why we always advocate that you take preventative steps to lessen the chances of your data falling victim to ransomware. Implementing a solid security solution is a great way to do so, and you should generally avoid torrenting files in the office anyway; it’s especially important that your employees understand this, too.

In the case of ransomware, the most important thing to remember is that you need to prevent your systems from getting infected before anything else. Otherwise, you risk everything. To make sure your systems are properly protected, give CTN Solutions a call at (610) 828- 5500.

Contact CTN


610 Sentry Parkway

Suite 110

Blue Bell, Pennsylvania 19422

Call Us

(610) 828- 5500

3 + 10 =

Skip to content