Skip to main content

Update: Mac ransomware may have flaws that allow file recovery

keranger ransomware mac users macbook shot
Seth Schwiet/Unsplash
It’s not exactly a pleasant experience dealing with any sort of malware on your computer, but ransomware — which encrypts users’ files and essentially holds them hostage for payment — ratchets up the malevolence to a whole new level. While until now Windows users have been the primary targets of this type of malware, over the weekend, Mac users found out the hard way that they aren’t safe either.

Over the weekend, security firm Palo Alto Networks discovered that the installers for the torrent client Transmission had been infected with ransomware called KeRanger. Despite the discovery of another piece of ransomware called FileCoder by Kaspersky in 2014, this is the first actual functional ransomware discovered for the Mac.

Updated on 03-09-2016 by Jon Martindale: Added information about the discovery of a possible recovery technique.

Exactly how the Transmission installers were infected with KeRanger isn’t clear. “It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred,” Palo Alto Networks wrote.

Transmission is signed with a certificate from the developer, so OS X recognizes it as legitimate software, which is how the ransomware manages to infect a system. This certificate was quickly revoked over the weekend, effectively limiting the threat, MacWorld reports. For its part, Transmission is urging users to update to the latest version of the software.

If KeRanger does manage to infect a system, it lies dormant for three days before it strikes. At that point, the user’s files are encrypted, and the malware even attempts to encrypt TimeMachine backups, keeping the user from restoring from a backup. The ransomware then demands 1 bitcoin, roughly $400, to de-encrypt the files.

Should you find yourself infected though, don’t panic — there may be a way out without buying bitcoins first. According to anti-malware company, Bitdefender, the KeRanger ransomware is built upon the foundations of another: Linux.Encoder. While this might not mean much to most, it’s significant because Linux.Encoder is far from flawless.

Researchers at Bitdefender were previously able to create tools to decrypt files, without knowing the private key. Although there’s no guarantee, there’s a possibility that the same solution could be found for KeRanger too.

The prognosis is reasonably strong too, with PCWorld reporting that the KeRanger ransomware is almost identical to the fourth version of Linux.Encoder, which has been countered by BitDefender’s tools. Although no such tool yet exists for KeRanger, it seems likely that it will in the near future.

While ransomware has existed for quite some time, its usage has surged in recent years. One recent variant used the built-in text-to-speech engine in Windows to alert users that their files had been encrypted. And an even scarier incident happened last month, when a hospital was forced to pay $17,000 worth of bitcoin to attackers in order to restore its files.

This particular threat to Mac users may have been short-lived, but this likely won’t be the last time we see ransomware targeting the platform. For the time being, all users can do is try to maintain safe browsing habits, which is often easier said than done.

Editors' Recommendations