Apple shuts down first-ever ransomware attack against Mac users

March 7, 2016 | Bitcoin Business

With the help of security researchers, Apple over the weekend quickly blocked a cyberattack aimed at infecting Mac users with file-encrypting malware known as ransomware.

The incident is believed to be the first Apple-focused attack using ransomware, which typically targets computers running Windows. Victims of ransomware are asked to pay a fee, usually in bitcoin, to get access to the decryption key to recover their files.

Security company Palo Alto Networks wrote on Sunday that it found the "KeRanger" ransomware wrapped into Transmission, which is a free Mac BitTorrent client.

Transmission warned on its website that people who downloaded the 2.90 version of the client "should immediately upgrade to 2.92."

It was unclear how the attackers managed to upload a tampered version of Transmission to the application’s website. But compromising legitimate applications is a commonly used method.

"It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred," Palo Alto wrote on its blog.

The tainted Transmission version was signed with a legitimate Apple developer’s certificate. If a Mac user’s security settings are set to allow downloads from identified Apple developers, the person may not see a warning from Apple’s Gatekeeper that the application could be dangerous.

Apple revoked the certificate after being notified on Friday, Palo Alto wrote. The company has also updated its XProtect antivirus engine.

After it is installed on a system, KeRanger waits three days before connecting to a remote command-and-control server using the Tor system. It is coded to encrypt more than 300 types of files.

The ransom is 1 bitcoin, or about $404.

There are few defenses against ransomware. Antivirus programs […]
