Ransomware starts preying on Macs: Things you need to do to stay safe!

Ransomware, which encrypts a victim's files and demands payment before releasing them, has long been a problem for Windows users. Mac users are now on the receiving end of the same kind of extortion.

A large number of Apple users were targeted over the weekend by a ransomware strain named "KeRanger", built specifically to compromise Macs.

The discovery was made by researchers at Palo Alto Networks Inc, who said this is the first fully functional ransomware seen in the wild targeting Macs.


"This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom," said Ryan Olson, Threat Intelligence Director at Palo Alto. The firm also explained in its blog how the malware takes control of Macs and proceeds to blackmail users.

"The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data," it said.


Your Mac is only at risk if you downloaded the Transmission BitTorrent client installer between 7PM GMT on March 4 and 3AM GMT on March 5: the installer offered during that window carried KeRanger. Apple has since revoked the abused developer certificate, so Gatekeeper now blocks the infected installer, but anything installed during the window is still on disk.

If you installed Transmission during that window, or have already been told to pay up or lose your data, here is what to do:

1. Inform Apple!

2. Check whether either of the following files exists on your Mac. Despite the name, General.rtf is not a document but the KeRanger payload dropped by the infected Transmission build. If one of these files is present, your Mac is infected: delete the file and the infected copy of Transmission before they can cause further damage, then continue with steps 3 and 4, because removing the file does not stop a copy of the malware that is already running:

/Applications/Transmission.app/Contents/Resources/General.rtf

/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf


3. Open Activity Monitor (pre-installed in OS X) and look for a process named "kernel_service". If one is running, inspect its open files and ports: if it shows "/Users/<username>/Library/kernel_service", that is the main KeRanger process. Stop it with "Quit -> Force Quit", then delete that file.

4. Also check your user's Library directory (~/Library) for files named ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service". The dot-prefixed ones are hidden by default in Finder, so use Terminal or enable hidden files. Delete any you find immediately.
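The checks in steps 2 to 4, as an added shell script that is not part of the original article or of Palo Alto Networks' or Apple's tooling. The file paths and the process name are the ones given above. KERANGER_ROOT and KERANGER_HOME are assumed override variables added here so the file check can be pointed at a scratch directory, and the process check reads a `ps` listing from standard input for the same reason; the script assumes that `ps -axo comm` on OS X prints the executable's full path, which is what lets it match the "/Users/<username>/Library/kernel_service" named in step 3.

```shell
#!/bin/sh
# keranger_check.sh: look for the KeRanger indicators listed in the article.
# Added example; not Palo Alto Networks' or Apple's tooling.
# KERANGER_ROOT and KERANGER_HOME are assumed override variables (defaults:
# "" and $HOME) so the file check can be run against a scratch directory.

# Print one indicator path per line.
keranger_paths() {
  root="${KERANGER_ROOT:-}"
  home="${KERANGER_HOME:-$HOME}"
  printf '%s\n' \
    "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
    "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
    "$home/Library/kernel_service" \
    "$home/Library/.kernel_pid" \
    "$home/Library/.kernel_time" \
    "$home/Library/.kernel_complete"
}

# Steps 2 and 4: report every indicator file that exists.
# Returns 0 when none is present, 1 when at least one is.
keranger_check_files() {
  hits=$(keranger_paths | while IFS= read -r p; do
    if [ -e "$p" ]; then
      printf 'FOUND: %s\n' "$p"
    fi
  done)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Step 3: read a process listing (one command per line, e.g. `ps -axo comm`)
# on stdin and report any kernel_service process. Returns 1 if one is running.
keranger_check_process() {
  hits=$(grep 'kernel_service$' || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed 's/^/RUNNING: /'
    return 1
  fi
  return 0
}

# Run both checks against the live system; non-zero exit means indicators found.
keranger_scan() {
  status=0
  keranger_check_files || status=1
  ps -axo comm | keranger_check_process || status=1
  if [ "$status" -eq 0 ]; then
    echo "No KeRanger indicators found."
  else
    echo "KeRanger indicators present: force-quit kernel_service, then delete the files listed above."
  fi
  return "$status"
}

case "${1:-}" in
  scan) keranger_scan ;;
esac
```

Save it as keranger_check.sh and run `sh keranger_check.sh scan`. The script only reports; the force-quit and the deletion are left to you, as described in steps 3 and 4, so that nothing is removed before you have looked at what was found.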
