2017 Ransomware Mac Risk: Are You Protected Against the Newest Threats?
Just when Mac users thought they were safe. New reports show that Mac ransomware threats are on the rise. What was once considered a Windows-only problem is now causing headaches for macOS users too.
It was only a matter of time.
Ransomware is exploding. In 2016, monthly infection counts ran as high as 56,000. IBM found that roughly 40% of spam email in 2016 carried ransomware. Roughly 20 percent of businesses that paid the ransom shelled out more than $40,000. Attackers are getting more aggressive and targeting a wider range of users to maximize their earning potential.
Mac users: that now means you, too.
Here’s what we know so far.
New Reports of Ransomware Mac Infections
Just last month, a new piece of Mac ransomware was found circulating on BitTorrent sites. And it’s not a particularly nice one, either. Traditionally, when you pay a ransomware demand, the program is usually kind enough to give you the decryption key you were promised.
But as TechRadar explains, this new ransomware program “sends files on a one-way-trip to Davy Jones’ locker.” In other words, it locks your data and throws away the key, whether or not you pay.
Paying the ransom is never a guarantee you’ll get the decryption keys, the FBI warns. But with this particular form of ransomware, it’s pretty much guaranteed you won’t get them.
A Closer Look at OSX/Filecoder.E
The ransomware is called OSX/Filecoder.E, the name given by ESET, the malware researchers who discovered it. It’s hidden in a program known as Patcher, which purports to be a “crack” that enables users to pirate software without a license key. In this case, it claims to be a crack for Mac versions of Adobe Premiere Pro, Microsoft Office and possibly other product suites.
Researchers say the ransomware is not very well designed. PC World writes, “It is written in Apple’s Swift programming language by what appears to be an inexperienced developer, judging from the many mistakes made in its implementation.”
Here are some of its flaws:
- The installer is not signed with an Apple-issued Developer ID certificate. That’s good news for users of current macOS versions, because Gatekeeper blocks unsigned apps by default, so the installer won’t run unless the user explicitly overrides that setting (for example, by right-clicking the app and choosing Open).
- The ransomware contains no code to contact an external server, so the single encryption key it generates is never sent to the attackers. According to the researchers, that key ends up locked away along with all the other files. So in essence, the key is destroyed. And while that may sound cruel, it probably wasn’t the intention of the hacker. (Otherwise, why program it to generate the key at all?)
- This means that your ransom payment is a one-way street. One small text file, named README!.txt, remains on your Mac, with step-by-step instructions on how to pay the ransom in the form of Bitcoin. Make no mistake: the hackers will indeed receive your money. But they likely won’t know which attack it’s for, and they wouldn’t be able to provide the decryption key even if they wanted to.
- Another interesting flaw: besides the whole “I-paid-the-ransom-and-got-nothing” problem, the user interface is terrible! ESET, the researchers who found the ransomware, pointed out that the program’s window is transparent, so it blends right into the desktop background. Also, if you close the window, it can’t be reopened.
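The first flaw above, the missing Developer ID signature, is something you can check yourself before clicking through a Gatekeeper warning. The following script is an added example (not code from the page or from ESET) that asks Gatekeeper and codesign about an app bundle and refuses to bless anything they reject; it assumes macOS, where spctl(8) and codesign(1) ship with the OS, and the app path is a placeholder.

```shell
#!/bin/sh
# Added example: query Gatekeeper before overriding an "unidentified developer" block.
# Assumes macOS; on any other system the tools are absent and the check reports that.
# Exit codes: 0 = accepted by Gatekeeper, 1 = rejected or unsigned,
#             2 = path does not exist, 3 = spctl not available (not macOS).

gatekeeper_check() {
  app="$1"
  if [ ! -e "$app" ]; then
    printf 'no such path: %s\n' "$app"
    return 2
  fi
  if ! command -v spctl >/dev/null 2>&1; then
    echo 'spctl not found: this check only runs on macOS'
    return 3
  fi
  # Who signed it? codesign prints the certificate chain on stderr; an unsigned
  # bundle produces no Authority= lines at all.
  codesign -dv --verbose=2 "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' \
    || echo 'no code signature found'
  # Gatekeeper's own verdict for launching the bundle as an executable.
  if spctl --assess --type execute --verbose=4 "$app" 2>&1 | grep -q 'accepted'; then
    printf '%s: accepted by Gatekeeper\n' "$app"
    return 0
  fi
  printf '%s: REJECTED by Gatekeeper, do not bypass with right-click > Open\n' "$app"
  return 1
}

# Usage: sh gatekeeper_check.sh /path/to/Some.app
if [ $# -gt 0 ]; then
  gatekeeper_check "$1"
fi
```

A pirated "patcher" that arrives with no Authority= line and a rejected verdict is exactly the case the bullet describes; the time to decide is before the override, not after the files are zipped.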
Could this version of Mac ransomware be somewhat of a Beta test for a more aggressive version to come? Possibly. But why would the attackers care? As currently designed, the program is mostly doing its job: it locks the files and tells users to pay up.
Can It Be Cracked?
OSX/Filecoder.E may be poorly designed, but the encryption is solid. Once it runs, the ransomware works quickly to lock files on your Mac, storing them in password-protected zip archives. And like most ransomware, the encryption is too strong to crack.
The researchers at ESET explained, “The random ZIP password is generated with arc4random_uniform, which is considered a secure random number generator. The key is also too long to [decipher with] brute force in a reasonable amount of time.”
How Much Damage Has It Done So Far?
Not much, apparently.
While it’s difficult to say how many Macs have been infected with the ransomware, or how many of those devices actually had their data encrypted, we do know the hackers aren’t making much money, yet.
TechRadar noted that you can check the Bitcoin wallet address specified in the ransom note. As of last month, no payments had been listed, which suggests that no Mac users had actually paid the ransom yet.
Then again, this particular ransomware was only discovered last month, and it’s targeted to a very small demographic (Mac users on BitTorrent sites), rather than the general population. Also, the ransomware is still “in the wild,” so the risk of infection is still present.
2016: KeRanger Makes a Bold Debut
In 2016, researchers discovered the first serious macOS ransomware threat. Dubbed KeRanger, this too was being spread via torrenting software.
Researchers at Palo Alto Networks discovered the ransomware infection within a program called Transmission, a popular BitTorrent client for OS X.
KeRanger was an executable file embedded within certain versions of Transmission. Installing Transmission would thus also install KeRanger. And, unlike the buggy Filecoder.E ransomware, these versions of Transmission were signed with a valid Apple-issued Developer ID certificate (a different one from the certificate Transmission’s own developers normally used), so Gatekeeper let them run.
The ransomware would remain dormant for three days, so the user wouldn’t immediately know anything was wrong. After three days, the program connected with servers (over the anonymous Tor network) and would begin encrypting files. Once encryption was complete, KeRanger notified the user via text file, which demanded one bitcoin (valued at around $400 at the time) and provided instructions for sending the payment through a specific Tor network website.
After the ransomware was reported, both Apple and the developers of Transmission worked quickly to curb the risks of infection. Apple revoked the installer certificate and updated XProtect signatures to cover the family of malicious installers. Additionally, Transmission removed the infected installers from its website.
2014: The Origins of FileCoder
While KeRanger was widely considered the first serious ransomware threat for Mac users, researchers had discovered other threats even earlier.
In 2014, Moscow-based Kaspersky Labs discovered traces of ransomware that were targeting Mac users, primarily in Australia.
The company wrote in its findings:
“Users first became aware of these infections after their iOS and OS X devices’ ‘Find My iPhone’ sound alert began going off. Upon looking at their phone screens, users were presented with a message saying: ‘Hacked by Oleg Pliss. For unlock YOU NEED send voucher code by 100 $/eur one of this (Moneypack/Ukash/PaySafeCard) to email@example.com.’”
Researchers determined that the victims’ Apple ID accounts had likely been compromised through phishing, so the lock was applied through Apple’s own Find My iPhone feature rather than by code running on the device. However, the good news was: despite the warning on users’ screens, the ransomware was incomplete and not fully functional.
How to Remove Ransomware from Mac
- If your files aren’t yet encrypted: It’s unlikely that you have any known type of ransomware on your system, unless you installed one of the infected Transmission builds from March 2016 and the three-day delay hasn’t yet expired. However, if that does apply to you, Palo Alto Networks recommends the following steps:
- Use Terminal or Finder to check for /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf. If either file exists, the Transmission application is infected. Delete it.
- Using “Activity Monitor,” check whether any process named “kernel_service” is running. If so, double click the process, choose “Open Files and Ports” and look for a file named like “/Users/<username>/Library/kernel_service”. If you see it, that’s KeRanger at work. Force Quit it immediately, then delete the kernel_service file from your Library folder.
- If your files are encrypted: You don’t have many options here. If you have a backup, wipe the Mac, reinstall macOS and restore your files from that backup (don’t restore onto a system that may still have the ransomware on it). Otherwise, you can wipe the Mac completely and start from scratch.
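The file and process checks in the Palo Alto Networks steps above are easy to script so they can be run on every Mac at once. The script below is an added example (not Palo Alto’s or Transmission’s code) that looks for the same indicators: the two General.rtf paths, the kernel_service file under the user’s Library folder, and a running process named kernel_service. The optional root and home arguments are an assumption added so the check can also be pointed at a mounted disk image or a test directory.

```shell
#!/bin/sh
# Added example: scripted KeRanger indicator check based on the Palo Alto guidance.
# Indicators (from the steps above): the General.rtf resource inside the infected
# Transmission bundle, and the kernel_service dropper file/process.

# $1 = path prefix ("" for the live system, or a mounted image / test directory)
# $2 = home directory to inspect (defaults to $HOME)
# Returns 0 when clean, 1 when at least one file indicator is present.
keranger_file_indicators() {
  root="${1:-}"
  home="${2:-$HOME}"
  found=0
  for p in \
    "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
    "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
    "$home/Library/kernel_service"
  do
    if [ -e "$p" ]; then
      printf 'INDICATOR: %s\n' "$p"
      found=1
    fi
  done
  return "$found"
}

# Returns 0 if a process named exactly kernel_service is running, 1 otherwise
# (also 1 when pgrep is unavailable, so the caller falls back to the file checks).
keranger_process_running() {
  command -v pgrep >/dev/null 2>&1 || return 1
  pgrep -x kernel_service >/dev/null 2>&1
}

# Live run: report and advise; set -e safe because the calls sit in an if test.
if keranger_file_indicators && ! keranger_process_running; then
  echo 'No KeRanger indicators found.'
else
  echo 'KeRanger indicators present: delete Transmission.app, Force Quit kernel_service,'
  echo 'remove ~/Library/kernel_service, and restore any encrypted files from backup.'
fi
```

Deploying this through your management tooling (or a simple ssh loop) turns a manual Activity Monitor check into a fleet-wide sweep; the returned exit code makes it easy to collect results.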
Should You Pay the Ransom?
No. As noted above, there’s no guarantee you’ll get your files back by paying the ransom. Cybersecurity experts and the FBI strongly advise not paying the ransom. However, you should contact law enforcement immediately. That recommendation applies to individual users as well as organizations. Reporting the incident is important for authorities, but also, law enforcement might have additional tools and resources to assist you in recovering your files.
2-Step Ransomware Protection
Protecting yourself or your business from ransomware is a two-pronged approach: prevent it from occurring in the first place, and be able to recover your data if you’re attacked. It’s especially critical for businesses to thoroughly detail and customize this approach within their business continuity planning.
- Install anti-malware / anti-virus software. Use well-known virus protection solutions and ensure that they are set to regularly update and scan every Mac (and other machines) on your network.
- Back up data regularly. Having a dependable backup solution is the only way to ensure you can get your data back if it’s been locked by ransomware. Keep at least one copy offline or otherwise unreachable from the affected machine, since ransomware typically also encrypts any mounted backup drive it can see.
Some technology companies are working to combine both steps into a single solution for businesses. Datto, which is already known as a leader in BC backup and recovery solutions, has built ransomware detection into its offerings. So if an infection is identified, administrators are notified to rollback to a clean backup right away.
Contact the business experts at Invenio IT for more information on how your organization can protect its business-critical systems from ransomware and other disaster scenarios. Learn more at www.invenioIT.com, call (646) 395-1170 or email us at [email protected].