An Apple a Day to Keep Ransomware Away?
Mac OS X is safer than Windows, but not invulnerable to attack.
This past Saturday, I spoke at a continuing legal education seminar about some of the ramifications of the Internet on the modern practice of law. In that talk, I discussed the growing trend of cryptolocker-type malware. It turns out that particular topic was quite timely, as the first instance of Mac-based cryptolocker malware, dubbed KeRanger, just made its way into the wild.
Cryptolocker is a generic name for a new class of malware (sometimes called “ransomware”) that uses encryption to extort its victims. As with other malware, it makes its way into your computer surreptitiously, often through an infected email attachment. In the case of KeRanger, hackers compromised a popular Mac BitTorrent client, Transmission, and inserted the malware into its installer. (The means by which this was accomplished are still unknown to Transmission’s developers.) So if you downloaded and installed Transmission during a specific period of vulnerability, your Mac became infected.
KeRanger, like most cryptolocker variants, installs itself, waits a while (in this case, three days), then begins encrypting your personal files. It looks for certain document types, like Word documents and pictures, and locks them behind strong encryption. You then get a lovely message like this one:
It tells you that if you want your files back, you need to send one Bitcoin to the hackers. Bitcoin (BTC) is an untraceable form of digital currency; one BTC is worth $414.80 US at the moment I write this.
The encryption these hackers use is so strong that it would take longer to crack it than the age of the universe. So realistically, when your computer is infected with cryptolocker, you have three options: (1) pay the ransom and hope you get your files back, (2) don’t pay it, and retrieve a recent backup of your files, or (3) lose virtually everything on your computer. Since most people wouldn’t consider option three a real choice, and are typically not attentive enough to backups to rely on option two, they end up out $400 as a result of this scam.
It has been pretty well accepted by technology experts for years now that Macs are safer than Windows PCs. Or, at a minimum, that they are less prone to attack. This is a function of various design decisions by Apple and Microsoft, coupled with the fact that hackers typically look to cast the widest possible net (leading them to Windows, which still has a > 90% market share). KeRanger represents the first time a cryptolocker variant has made it to OS X, and this incident will undoubtedly bruise Apple’s public image.
If you recently downloaded Transmission from its website, you need to update it immediately. You should have received a prompt urging you to do so, as follows:
Don’t ignore this message, and follow its instructions carefully (since you only have around three days before the malware locks your files). After updating, consider installing Malwarebytes for Mac and running a scan every so often. I’m also a fan of Little Snitch, a security app that runs in the background and monitors and gates all network activity. Although I haven’t seen confirmation, I suspect that Little Snitch would have prevented KeRanger from working, since it would have blocked the outgoing connection KeRanger makes with its command and control servers.
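The post describes what this kind of malware does to your files: documents and pictures are overwritten with strongly encrypted data. One consequence is that an encrypted document no longer looks like a document, and that is something a periodic scan can check for. The script below is an added example written for this post; it is not code from the original, from KeRanger, or from Malwarebytes or Little Snitch. It flags a file as suspicious when a plain-text file has near-random contents (high Shannon entropy) or when a file with a structured format (docx, pdf, png, jpg) has lost the header its extension implies. The file types, thresholds, and sample contents are assumptions chosen for illustration.

```python
"""Heuristic check for documents that have been replaced with ciphertext.

Added example, not code from the original post or from any product it names.
A file is flagged when its bytes look uniformly random (high Shannon entropy)
or when it no longer carries the header its extension implies.
Thresholds, extensions and sample content are assumptions for illustration.
"""
import math
import os
import random
from collections import Counter

# Document and picture types of the kind the post says ransomware targets.
# Assumed list for illustration, not KeRanger's actual target list.
WATCHED_EXTENSIONS = {".txt", ".doc", ".docx", ".pdf", ".png", ".jpg"}

# Expected leading bytes for formats that have a fixed header.
MAGIC = {
    ".docx": b"PK\x03\x04",        # docx is a ZIP container
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0",   # legacy OLE2 container
}

ENTROPY_THRESHOLD = 7.5  # bits per byte; plain documents sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, reached only by random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, ext: str) -> bool:
    """Decide whether a file's content is consistent with its extension."""
    magic = MAGIC.get(ext)
    if magic is not None:
        # Compressed formats (docx, png, jpg) are legitimately high-entropy, so
        # entropy alone would give false positives; trust the header instead.
        return not data.startswith(magic)
    # For plain formats, near-random bytes are the tell.
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan_files(files):
    """Given {path: content}, return the paths whose content looks encrypted."""
    suspicious = []
    for path, data in sorted(files.items()):
        ext = os.path.splitext(path)[1].lower()
        if ext in WATCHED_EXTENSIONS and looks_encrypted(data, ext):
            suspicious.append(path)
    return suspicious


def scan_directory(root):
    """Read watched files under root from disk and delegate to scan_files."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in WATCHED_EXTENSIONS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    files[path] = fh.read(65536)  # a prefix is enough for both checks
    return scan_files(files)


def constructed_samples():
    """Constructed sample files: two intact documents, two overwritten with noise."""
    rng = random.Random(1)
    noise = bytes(rng.randrange(256) for _ in range(4096))
    return {
        "memo.txt": b"Dear client, the signed agreement is attached.\n" * 80,
        "brief.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n" * 40,
        "contract.docx": noise,  # ZIP header gone: caught by the header check
        "notes.txt": noise,      # plain text replaced by noise: caught by entropy
    }


if __name__ == "__main__":
    for path in scan_files(constructed_samples()):
        print("suspicious:", path)
```

Run it against a folder with `scan_directory("/path/to/Documents")` (an assumed path). The header check matters because compressed formats such as docx, png and jpg are already close to random by design, so an entropy threshold alone would flag every untouched photo; conversely, a ransomware variant that kept the original header intact would slip past the header check, which is why both signals are used.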
The lesson here is simple: no one who uses a computer is safe from the threat of malware. If you use Mac OS X, you are less susceptible to these kinds of attacks, but you should still be conscious of basic digital security procedures. Don’t click on links in emails, use a password manager, encrypt mobile devices, enable automated backups, etc.
After all, that’s an awfully nice computer you have there. It’d be a real shame if something were to happen to it…