For the first time, Apple Mac users have been hit with functioning ransomware, a scary variant of malware that prevents users from getting to their data unless they pay criminals a ransom, and which usually deletes people's data if they do not pay the ransom within a few days.
Here is what you need to know:
What does the malware do?
After infecting a user's computer, the new ransomware strain, dubbed "KeRanger" by the folks at Palo Alto Networks who discovered it (or, more accurately, publicized its existence, since criminals were obviously aware of it sooner), lies dormant for three days; after that period has passed, the ransomware encrypts files on the user's computer and demands payment of one bitcoin (about $400 today) to unlock the files. KeRanger also attempts to encrypt Time Machine backup files in order to prevent people from recovering their data from backups created with that tool.
Aren't Apple computers supposed to be immune to ransomware?
No computer is immune to ransomware or other cybersecurity threats. Apple does have what is known as Gatekeeper technology that helps prevent rogue software from running, but the KeRanger malware was signed with a valid Mac application-development certificate, so Mac computers deem it legitimate and run it. For obvious reasons, Apple has since revoked the certificate used to sign KeRanger.
Is ransomware new?
No. Ransomware is not new; Windows users have been hit with various forms of ransomware attacks for years. In fact, there has been Mac ransomware as well, but earlier strains of Mac malware only pretended to lock users out of their data and did not actually do so. In 2014, researchers discovered what they believed at the time was unfinished true ransomware for Mac OS, perhaps foreshadowing what was to come. KeRanger is believed to be the first strain known to actually encrypt users' data until they pay a ransom.
Is the existence of Mac ransomware a big surprise?
Not at all. Ransomware has been quite profitable for criminals, which has led experts to predict that it would spread in all sorts of ways. In fact, several of the experts quoted in my article of late last year, Cybersecurity Predictions for 2016 - the Experts Speak, noted that they expected 2016 to bring a great expansion of ransomware attacks.
The reason malware initially targeted Windows users rather than Mac users may not even be technical. As Tim Erlin, Director of IT Security and Risk Management for Tripwire put it, "The malware marketplace is ultimately driven by the population of targets, and Windows outpaces Apple by a wide margin in terms of deployed systems." Simply put, cybercriminals tend to craft attacks that will allow them to make the most money.
How do I prevent getting infected?
The malware presently spreads via infected versions of a Mac application called Transmission; if you are using that software, make sure to get the latest version as soon as possible. The new release includes a fix that should prevent the ransomware from installing on your machine.
How do I check if my Mac is infected? What do I do if I am already infected?
The new version of Transmission contains a tool that detects and removes KeRanger. Of course, this needs to be done before data is lost or locked.
If you attempt to run an infected version of Transmission on an updated Mac you should receive a warning message (since Apple has revoked the certificate used to sign the application), but I would not rely on that alone to protect my own data.
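The warning described above comes from Gatekeeper refusing an application whose signing certificate Apple has revoked. The following script is an added example, not code from the article or from Apple, showing how to ask the stock macOS tools `codesign` and `spctl` the same question about any application bundle before launching it. The verdict logic is kept in a separate pure-shell function so it can be exercised with constructed tool output on any system; the application path in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): check whether a macOS application
# bundle still passes Gatekeeper, and whether its signing certificate has been
# revoked, using only the stock `codesign` and `spctl` tools.

# classify_signature CODESIGN_OUTPUT SPCTL_OUTPUT
# Prints one word:
#   accepted - spctl reports that Gatekeeper would allow the app to run
#   revoked  - codesign reports a revoked certificate in the signing chain
#              (what a user sees after Apple pulls a certificate, as with KeRanger)
#   rejected - any other failure (unsigned, modified after signing, unknown source)
classify_signature() {
  codesign_out="$1"
  spctl_out="$2"
  # A revoked certificate is the most specific finding, so test it first.
  case "$codesign_out" in
    *CSSMERR_TP_CERT_REVOKED*|*[Rr]evoked*) echo revoked; return 0 ;;
  esac
  case "$spctl_out" in
    *": accepted"*) echo accepted ;;
    *)              echo rejected ;;
  esac
  return 0
}

# check_app APP_BUNDLE_PATH   (macOS only; needs codesign and spctl on PATH)
# Runs both tools against the bundle, prints "<path>: <verdict>", and returns
# 0 only when Gatekeeper would accept the application.
check_app() {
  app="$1"
  if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
    echo "codesign/spctl not found; this check only runs on macOS" >&2
    return 2
  fi
  # --deep walks nested code, --strict applies the current signing rules.
  cs_out=$(codesign --verify --deep --strict --verbose=2 "$app" 2>&1)
  sp_out=$(spctl --assess --type execute --verbose "$app" 2>&1)
  verdict=$(classify_signature "$cs_out" "$sp_out")
  echo "$app: $verdict"
  [ "$verdict" = accepted ]
}

# Usage on a Mac (path is an assumption):
#   check_app /Applications/Transmission.app
```

A verdict of "revoked" or "rejected" means Gatekeeper would block the launch, which is the signal to replace the application with a fresh copy from its official source rather than bypass the warning.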
Does KeRanger affect iPhones as well?
No. But Nokia researchers have discovered increasingly sophisticated ransomware for Android smartphones, so I would not be surprised if we do see attempts at creating iPhone ransomware in the not-so-distant future. I expect to address this issue in a future article.
In general, what is the best defense against having to pay a ransom due to ransomware?
Back up often, and keep the backups completely disconnected from the computers being backed up. That way, if you do get infected by ransomware, you won't lose your data even if you don't pay the ransom. Of course, following proper information security practices (not downloading from rogue websites, not opening unexpected email attachments, etc.) can help prevent many types of infections as well.