Update: Mac ransomware may have flaws that allow file recovery

It’s not exactly a pleasant experience dealing with any sort of malware on your computer, but ransomware — which encrypts users’ files and essentially holds them hostage for payment — ratchets up the malevolence to a whole new level. While until now Windows users have been the primary targets of this type of malware, over the weekend, Mac users found out the hard way that they aren’t safe either.

Over the weekend, security firm Palo Alto Networks discovered that the installers for the torrent client Transmission had been infected with ransomware called KeRanger. Despite the discovery of another piece of ransomware called FileCoder by Kaspersky in 2014, this is the first actual functional ransomware discovered for the Mac.

Updated on 03-09-2016 by Jon Martindale: Added information about the discovery of a possible recovery technique.

Exactly how the Transmission installers were infected with KeRanger isn’t clear. “It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred,” Palo Alto Networks wrote.

Transmission is signed with a certificate from the developer, so OS X recognizes it as legitimate software, which is how the ransomware manages to infect a system. This certificate was quickly revoked over the weekend, effectively limiting the threat, Macworld reports. For its part, Transmission is urging users to update to the latest version of the software.

If KeRanger does manage to infect a system, it lies dormant for three days before it strikes. At that point, the user’s files are encrypted, and the malware even attempts to encrypt Time Machine backups, keeping the user from restoring from a backup. The ransomware then demands 1 bitcoin, roughly $400, to decrypt the files.

Should you find yourself infected though, don’t panic — there may be a way out without buying bitcoins first. According to anti-malware company Bitdefender, the KeRanger ransomware is built upon the foundations of another: Linux.Encoder. While this might not mean much to most, it’s significant because Linux.Encoder is far from flawless.

Researchers at Bitdefender were previously able to create tools to decrypt files without knowing the private key. Although there’s no guarantee, there’s a possibility that the same solution could be found for KeRanger too.

The prognosis is reasonably strong too, with PCWorld reporting that the KeRanger ransomware is almost identical to the fourth version of Linux.Encoder, which has been countered by Bitdefender’s tools. Although no such tool yet exists for KeRanger, it seems likely that it will in the near future.

While ransomware has existed for quite some time, its usage has surged in recent years. One recent variant used the built-in text-to-speech engine in Windows to alert users that their files had been encrypted. And an even scarier incident happened last month, when a hospital was forced to pay $17,000 worth of bitcoin to attackers in order to restore its files.

This particular threat to Mac users may have been short-lived, but this likely won’t be the last time we see ransomware targeting the platform. For the time being, all users can do is try to maintain safe browsing habits, which is often easier said than done.

Kris Wouk
Former Digital Trends Contributor