The First Macintosh Ransomware Attacks Apple Users - Bitcoin Breaking News Brief

This past weekend Macintosh computers were attacked with a new form of ransomware called “KeRanger.” Reports say the malware began infecting users on Friday, March 4, and that victims were asked to pay a Bitcoin ransom to unlock their files. This is the first functioning implementation of its kind targeting the Apple operating system.


The First Macintosh Ransomware Found By Researchers

A security firm called Palo Alto Threat Intelligence has confirmed the first crypto-locker type malware that threatens Apple users. The program locks a person’s files for 72 hours and asks for a payment of one Bitcoin in exchange for the unlocking credentials. The research group discovered the software a few hours after it was released publicly. Palo Alto Director Ryan Olson told Reuters they had named the ransomware “KeRanger” and explained that the attacks were delivered through a program called Transmission.


Ransomware is disguised as an RTF file

The popular peer-to-peer BitTorrent application contained the ransomware inside the installer’s DMG files. Kaspersky Labs had previously found an unfinished version of this type of malware in 2014 in a program called “Filecoder.” In a telephone interview with Reuters, Palo Alto’s Director Ryan Olson explained that this release works and “is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom.”

“Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. The two KeRanger infected Transmission installers were signed with a legitimate certificate issued by Apple.” — Palo Alto Threat Intelligence

Once the malware was identified, Apple revoked the certificates, and Palo Alto says Gatekeeper now blocks these installers. The infected installers appear to have been available for only about 48 hours, but that was enough time to attack Macintosh users. Palo Alto has published step-by-step instructions for those infected with the malware “to identify and remove KeRanger that holds their files for ransom.”


Apple Ransom Note

Olson explains that the KeRanger program lies dormant for roughly three days before doing its dirty work. Once the device connects to the attacker’s server, it immediately encrypts important files throughout the computer. When the encryption process completes, a pop-up screen tells the user to pay 1 Bitcoin to a specified address. The ransomware also includes a “help ticket system” offering answers to questions from those willing to pay the ransom. The ransom note states that only the digital currency is accepted and also leaves links to information on how to purchase it.

Apple users are typically not affected by the thousands of malware and virus programs released to the public, so this may be a bad omen for Macintosh proponents. As usual, it’s not good news for the Bitcoin world either, as ransomware is becoming increasingly popular. However, dedicated researchers like Kaspersky and Palo Alto are curbing these threats by identifying such attacks and notifying the public. Macintosh users will now have to stay aware of these online assaults and understand that their devices can be infected by ransomware.

What do you think about the KeRanger malware? Let us know in the comments below.

Images courtesy of Palo Alto’s website, and Shutterstock


Jamie Redman

Jamie Redman is a crypto writer and a dragon on Tuesdays. Follow me on Twitter @jamiecrypto