Skip to main content

Update: Mac ransomware may have flaws that allow file recovery

keranger ransomware mac users macbook shot
Seth Schwiet/Unsplash
It’s not exactly a pleasant experience dealing with any sort of malware on your computer, but ransomware — which encrypts users’ files and essentially holds them hostage for payment — ratchets up the malevolence to a whole new level. While until now Windows users have been the primary targets of this type of malware, over the weekend, Mac users found out the hard way that they aren’t safe either.

Over the weekend, security firm Palo Alto Networks discovered that the installers for the torrent client Transmission had been infected with ransomware called KeRanger. Despite the discovery of another piece of ransomware called FileCoder by Kaspersky in 2014, this is the first actual functional ransomware discovered for the Mac.

Updated on 03-09-2016 by Jon Martindale: Added information about the discovery of a possible recovery technique.

Exactly how the Transmission installers were infected with KeRanger isn’t clear. “It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred,” Palo Alto Networks wrote.

Transmission is signed with a certificate from the developer, so OS X recognizes it as legitimate software, which is how the ransomware manages to infect a system. This certificate was quickly revoked over the weekend, effectively limiting the threat, MacWorld reports. For its part, Transmission is urging users to update to the latest version of the software.

If KeRanger does manage to infect a system, it lies dormant for three days before it strikes. At that point, the user’s files are encrypted, and the malware even attempts to encrypt TimeMachine backups, keeping the user from restoring from a backup. The ransomware then demands 1 bitcoin, roughly $400, to de-encrypt the files.

Should you find yourself infected though, don’t panic — there may be a way out without buying bitcoins first. According to anti-malware company, Bitdefender, the KeRanger ransomware is built upon the foundations of another: Linux.Encoder. While this might not mean much to most, it’s significant because Linux.Encoder is far from flawless.

Researchers at Bitdefender were previously able to create tools to decrypt files, without knowing the private key. Although there’s no guarantee, there’s a possibility that the same solution could be found for KeRanger too.

The prognosis is reasonably strong too, with PCWorld reporting that the KeRanger ransomware is almost identical to the fourth version of Linux.Encoder, which has been countered by BitDefender’s tools. Although no such tool yet exists for KeRanger, it seems likely that it will in the near future.

While ransomware has existed for quite some time, its usage has surged in recent years. One recent variant used the built-in text-to-speech engine in Windows to alert users that their files had been encrypted. And an even scarier incident happened last month, when a hospital was forced to pay $17,000 worth of bitcoin to attackers in order to restore its files.

This particular threat to Mac users may have been short-lived, but this likely won’t be the last time we see ransomware targeting the platform. For the time being, all users can do is try to maintain safe browsing habits, which is often easier said than done.

Editors' Recommendations

Kris Wouk
Former Digital Trends Contributor
Kris Wouk is a tech writer, gadget reviewer, blogger, and whatever it's called when someone makes videos for the web. In his…
Don’t download the latest macOS Ventura update just yet
The 14-inch MacBook Pro with M3 Max chip seen from behind.

We have a warning if your MacBook or other Mac machine is still running macOS Ventura. The latest macOS Ventura 13.6.6 update is bringing a lot of big bugs, and it is affecting the way that people are using their favorite Apple products, so you might want to hold off on downloading the update.

Originally released back on March 25, this problematic update came at the same time as macOS Sonoma 14.4.1, which patched issues with Java, USB hubs, and more. Unfortunately, though, macOS Ventura 13.6.6 is introducing some new issues of its own. Spotted by the folks at GottaBeMobile, Mac users have taken to Apple's support forums to complain of everyday issues linked to this release that are breaking their Macs.

Read more
How to take a screenshot on a Mac
The keyboard and trackpad of the MacBook Pro 14-inch.

For most new Mac users -- especially if they're coming from Windows -- one of the first questions they need to ask is how to take a screenshot on a Mac? There's no dedicated Print Screen key like there is on Windows, but there is keyboard shortcut, and if you want something more akin to Microsoft's Windows Snipping tool, there are some great screenshot apps you can use, too.

Here's how to take a screenshot on a Mac in a few different ways.
How to take a screenshot using keyboard shortcuts
MacOS keyboard shortcuts are the quickest ways to take screenshots, whether you're capturing the entire screen or just a portion. By default, Apple's methods save your screenshot to the desktop, but if you want to copy the screenshot to the clipboard, there's a keyboard shortcut you can use instead.
How to capture a selected area

Read more
I was wrong about using Stage Manager on Mac
Stage manager in macOS Ventura.

Stage Manager is one of those software features that has had a rather bumpy road since Apple launched it in 2022. The unique multitasking feature has landed itself in a heap of criticism over its short lifespan.

I, however, was not one of these critics. I was super excited by Stage Manager and the promise it contained. It was something new and shiny, here to shake up macOS in a fresh and different way. Even after using it myself, I foresaw it fundamentally changing the way I used my Mac.

Read more