Connect with Stay Smart Online
  • RSS feed
Alert Priority Moderate
7 March 2016

Security researchers are reporting a new case of ‘fully functional’ ransomware targeting Apple Mac computers running the OS X operating system.

The report highlights the fact that users of Apple Macs and other Apple devices need to be just as alert to the threat posed by ransomware as users of computers running the Microsoft Windows operating system.

According to the report, attackers targeted Mac users over the weekend with ransomware known as ‘KeRanger’ that encrypts files on infected machines and demands victims pay a ransom in digital currency for the key to recover the files.

The source of the infection is believed to be software used to install Transmission, a product used to transfer data on file-sharing nework BitTorrent, on OS X computers.

According to the reports, the KeRanger malware starts encrypting files three days after being installed. Once the encryption process is completed, the ransomware demands payment equivalent to USD$400 in the digital current ‘bitcoin’ to a specified address for the key.

Transmission is understood to have removed the installers involved, while Apple has revoked a security certificate that allowed the product to bypass some of its security measures. Transmission posted a message on its website that reads: ‘Everyone running [version] 2.90 on OS X should immediately upgrade to and run 2.92 as they may have downloaded a malware-infected file.

This new version will make sure the ‘OSX.KeRanger.A ransomware is correctly removed from your computer. Users of 2.91 should also immediately upgrade to and run 2.92. Even though 2.91 was never infected, it did not automatically remove the malware-infected file.’

Staying safe

Here are some tips that may help your business or family and other members of your personal network recover from a ransomware attack.

Locate the source of infection. You (or a staff or family member) may have opened an attachment to a fake but official-looking email, or visited a website that hosts malicious software (malware). The website may be fake or legitimate but compromised by attackers in order to distribute malware. Once you have identified likely sources of infection, warn your staff and/or family not to interact with them.

Identify the scope and scale of the attack. What files has the ransomware encrypted and how important are they to you, your family or your business? What are the effects of not being able to access these files on yourself, your family or your business? Does the ransomware perform secondary unwanted tasks (such as stealing passwords) as well as locking your files and demanding payment?

To answer these and other relevant questions, you can apply your own knowledge and review your own records of your family’s computer usage, analyse business computer usage records (provided they have not been encrypted) and review commentary online from reputable publications and sources. This exercise will enable you to understand how serious the attack is and the time and resources you should devote to recovery.  

You may be tempted to pay the ransom to unlock your files. Stay Smart Online recommends against this course of action as meeting the criminals’ demands may encourage them to launch future attacks against your computer or files. Instead, you should inform local law enforcement authorities of the incident, including forwarding them the relevant emails and website addresses.

Remove the ransomware infection from your computer. There are tools available to help you remove your ransomware infection. Detailed instructions for downloading, installing and using these tools to eradicate the malware are available online. However, there are no guarantees that using these tools will recover any compromised files or avoid permanent damage to them. Decrypter tools are typically specific to a certain strain of ransomware. Criminals may also update their ransomware at any time to beat decryption attempts that use these tools.  

The best way of restoring access to your files is through a backup system not connected to the computer at the time it was attacked by the ransomware. To do this, you need to maintain regular backups of important files. Stay Smart Online has information about how to do this, and we recommend you seek technical advice if you are unsure about the next steps you should take.

Once you have eliminated the ransomware from your computer, you should educate your family and/or staff not to click on links to websites of dubious origin, or open attachments to emails from unexpected or unknown sources. Use authoritative sources to understand and update yourself on new ransomware variants that may perform other unwanted tasks such as stealing passwords. We also recommend that you keep your antivirus programs and computer systems updated at all times.

Ransomware is a particularly insidious and nasty way of attempting to extract payment from computer users. However, by adopting the right systems and processes, you can minimise the risk of your computer being infected by ransomware, and the impact on your personal and business operations if an infection does occur. 

More information

Stay Smart Online has information on protecting your computer.