Apple users, beware: First live ransomware targeting Macs found 'in the wild'

Researchers discover what they say is the first real-world ransomware meant to hit Macs. If you've downloaded torrenting software recently, you may be at risk.

Claire Reilly Former Principal Video Producer

Sorry, Mac fans. Now you're no better off than regular old PC users.

Security researchers have discovered what they believe to be the first-ever ransomware attack targeted at Apple users that actually made it out "into the wild," meaning it's a genuine threat. And in bad news for downloading fiends, it's being spread through torrenting software.

The problem was first detected Friday, when a team of researchers at Palo Alto Networks found a popular BitTorrent client for Apple's OS X software for Macs that was infected with the ransomware, which they have dubbed "KeRanger." The BitTorrent software in question is Transmission, which Mac users can install on Apple's OS X operating system and then use to access shared files in so-called torrent swarms (which, let's not lie, is usually pirated content).

It's not the very first time Mac-targeting ransomware has been detected by security experts. In 2014, Kaspersky Lab discovered such software, though it wasn't complete at the time.

KeRanger, by contrast, marks the arrival of truly dangerous ransomware on the OS X platform.

"This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom," Palo Alto Threat Intelligence Director Ryan Olson told Reuters on Sunday.

It's an unwelcome arrival for Apple fans, who have long heralded the Mac as an untouchable rival to Windows PCs. While PCs periodically make headlines for being targeted with viruses, malware and any number of digital infections, Mac users have largely been able to avoid serious antivirus talk. Until now.

The stakes are high with KeRanger. Ransomware is designed to infect a computer and then put the owner in a bind, locking up files or functionality and essentially bricking the device until the user pays to have the problem neutralized. This particular piece of ransomware brings with it a $400 ransom note.

If a user installed one of the infected versions of Transmission, an executable file embedded within the software would run on the system. At first, there'd be no sign of a problem. But after three days, KeRanger would connect with servers over the anonymous Tor network and begin encrypting certain files on the Mac's system.

"After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files," the researchers wrote in their findings. "Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data."

The Palo Alto Networks team notified both Apple and the Transmission Project on March 4. Since then, they say Apple has revoked the security certificate exploited by KeRanger and updated its XProtect antivirus software. Apple declined to comment for this story.

The researchers also note that Transmission has removed the affected versions of the BitTorrent installer from its website.

If you directly downloaded the Transmission installer from the official website on March 4-5, 2016, you may have been infected by KeRanger. Even if you downloaded it elsewhere or at another time, Palo Alto Networks' security experts advise taking extra precautions. Head to their website to find out how to protect yourself.

Transmission is also recommending that users immediately upgrade to and run the latest version of its software, version 2.92, to ensure KeRanger is "correctly removed" if it is present on a user's Mac.

But how did KeRanger make it past the security guards in the first place?

According to Palo Alto Networks, "the KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple's Gatekeeper protection."

Because Transmission is by its own admission an open-source, volunteer-based project, researchers also argue that it's possible the project's official website "was compromised and the files were replaced by re-compiled malicious versions." But even then, the Palo Alto Networks team say they can't confirm how the infection occurred.

The problem might be resolved now, but the incident will no doubt have ripple effects beyond those Mac users who like to dabble in the occasional torrent.

With the first piece of ransomware now found in the wild, the Mac may no longer maintain its reputation as a bastion of security untouched by the virus concerns of its Windows rivals. Now that the citadel has been breached, there may be plenty of people asking just how strong the walls really are.