‘KeRanger’ explained: Why this new Mac ransomware poses a serious threat

2016 is well on its way to becoming the year of ransomware, which should come as no surprise to anyone following the threat landscape. Cyber-extortion’s newest kid on the block is called KeRanger and I think it’s set to change the ransomware game forever, by significantly widening the potential victim base.

What is ransomware?

If you haven’t heard of ransomware, it’s a class of malicious software that’s designed to take your computer, or its data, hostage so that attackers can extort you to get control back. Ransomware variants have double or tripled over the past few years, and many effective new variants have already victimized users this year, including the likes of Locky and Ransom32. Although it has just recently gained steam, this type of attack is probably a lot older than you might think, the first example being the AIDS trojan that came out via floppy disc in the late 80s. Since then, criminals have created many different types of ransomware, from threats that try to prevent your computer from booting, to ones that display fake police messages. However, it wasn’t until late 2013 that cyber criminals really became efficient at making money with ransomware.

What changed? Attackers discovered and perfected crypto-ransomware. Crypto-ransomware is a class of ransomware that finds and encrypts important files on a victim’s computer. Today’s crypto-ransomware (e.g. CryptoLocker and CryptoWall) uses strong encryption that’s too tough to crack, it leverages anonymizing networks to protect its command and control servers, and it exploits hard to track payment systems (Bitcoin), making it difficult for authorities to follow the money trail.

Why is KeRanger different and relevant?

While on the surface, KeRanger seems similar to other crypto-ransomware variants — it encrypts your important files, leaves an extortion message, and asks you to pay one Bitcoin ($400 USD) to get them back — three things make it very unique, and even revolutionary.

1. KeRanger is the first crypto-ransomware that effectively targets Apple OS X computers! Apple users tend to think they’re immune to malware. KeRanger proves that this isn’t the case. While researchers and bad guys have experimented with some OS X ransomware samples, none has spread in the wild or encrypted files as effectively as KeRanger.
2. KeRanger leveraged a very sophisticated supply-chain attack to spread. Usually, malware authors spread their ransomware emails with tricky links or attachments, through network or software vulnerabilities, or distributed from their botnets. However, in this case, the attackers actually hijacked the website of a legitimate OS X torrent client called Transmission. They created a “trojaned” version of the installer and even signed it with a legitimate developer digital certificate that OS X’s security components trust. This means anyone that installed this normally legitimate piece of software would get infected without further warning. This level of compromise suggests that fairly sophisticated threat attackers were behind the KeRanger campaign.
3. KeRanger is a port of a Linux-based ransomware variant called Linux.encoder. For the most part, ransomware has primarily affected Windows computers. However, one of my predictions for 2016 was that ransomware would go cross-platform, and affect a wider range of operating systems, including mobile ones like Android and iOS. Seeing these threat actors starting with an experimental Linux version, and modifying it to affect OS X seems to validate that prediction.

How can YOU ward off crypto-ransomware attackers?

Now that you’ve learned a bit about KeRanger, you’re probably wondering how to avoid it. These six tips will help keep ransomware from ruining your day, or your files:

1. Realize Macs aren’t immune to malware! – If you’re an Apple user, it’s time say goodbye to the thought that your Mac is invincible against malware. Macs were never invulnerable to attacks or security problems, despite Apple’s cute marketing campaigns and fan-boys’ claims. Rather, Macs have enjoyed the benefit of security by obscurity. Believe it or not, cyber criminals are money-motivated and look for good returns on their investments. Trying to figure out how to create malware for a less familiar operating system is hard. However, since Macs have become popular, we are now seeing many signs that criminals are starting to target them. Your Mac needs anti-virus too.
2. Don’t be lazy; backup – I know you’re more interested in blocking ransomware altogether, but in security, there is no one perfect solution. Really, the best way to totally mitigate ransomware threats is to ensure that they won’t really affect you even if you are infected. If you back up your files regularly, you can always recover them and move on – even if some shady criminal encrypts them. If anything, ransomware has proved how few people and organizations actually backup their critical data. Give yourself a little cyber insurance by always backing up.
3. Be careful what you click – Most ransomware is delivered through malicious emails that contain shady attachments or web links. Really, you should avoid interacting with unsolicited content in emails, and be careful what you click when browsing the web. Also, I recommend that you only download and install software from trusted sources. For instance, OS X user can now limit their Mac from installing software from anywhere but the Apple store. While sophisticated attackers have occasionally slipped bad software into the store, it’s extremely rare.
4. Use endpoint protection – If you use your laptop or computer outside of your home or office, you need endpoint security suites to protect it. These suites include a Firewall, antimalware software, and other layers of security controls that prevent the most obvious of threats from infecting you. Again, refer to point #1. Even if you are a Mac user, you should be using endpoint security software today.
5. Consider advanced threat protection – If you manage a business network, you may already have many layers of network defense already, which is good. However, consider adding an advanced threat protection (ATP) solution to your arsenal. Legacy antivirus or antimalware solutions rely heavily on signatures to catch new threats. On the other hand, ATP solutions proactively monitor behavior to identify new malware that hasn’t been seen before. Ransomware authors are constantly tweaking their malware to get past signature solutions, literally on a daily or even hourly basis. You need more advanced malware detection solutions to catch the latest threats.
6. DON’T PAY THE RANSOM! – I realize that as I give this advice, not everyone will follow it. When it comes down to it, if you’re a hospital that needs to quickly access a critical patient care file, or you’re a new parent with thousands of videos and pictures in one place, suddenly losing access to these files is unacceptable. It’s a complicated problem, and everyone will make their own decision about just how far they’ll go to regain access. That said, there are two very big problems with paying the ransom. First, these are criminals! There is no guarantee the attacker will recover your data. Second, and much more importantly, paying this ransom encourages the attacker’s behavior. Paying the ransom proves that this is a lucrative cyber crime strategy, which is why ransomware attacks have increased so much in the past few years. Recently, an FBI agent said that in some cases they have to recommend victims pay ransoms if they really need their files back. I, however, think this is horrible advice, and if we keep paying, we should expect to keep getting targeted.

Ransomware is nefarious because it’s a threat that targets all equally. Everyone from the average consumer to grandmothers, to banks, to clinics, to critical infrastructure organizations have important digital data that they value or rely on to do business. Ransomware is effective because it targets that data directly. If you take anything from this article, realize that ransomware is likely going to be the biggest cyber threat in 2016 and that if can affect you no matter what type of computer of mobile device you use. Protect yourself from becoming a ransomware target by keeping the above tips in mind. Take the defense of your important files into your own hands.