Yes, Ransomware Can Affect Macs Too

A report from security firm Palo Alto Networks has the paranoid corners of the internet freaking out today: the first fully functional ransomware has been found screwing up people's Macs. But put down the emergency whiskey, and don't panic just yet.

The news that ransomware has come to OS X isn't good. Ransomware is a particularly nasty type of virus that infects your computer, encrypts all your files, and then demands a monetary ransom be paid to some mystery hacker in return for unlocking them. It's been plaguing Windows users and hospitals (not mutually exclusive) for several years, so the fact that it's spread to OS X in any form is indeed bad.

But before you go burn your electronics and move to a Faraday-caged cave, it's worth looking at the details. The ransomware was found in the latest version of Transmission, an open-source torrenting client. It's unclear exactly how the virus got there — someone hacking the project's website, perhaps — but the upshot is that anyone who downloaded Transmission on Friday morning also downloaded a virus. That virus lies dormant for three days before using a Tor client to connect to a server on the internet and start locking files. A ransom of one bitcoin (around $US400 [$538]) is demanded.
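The behaviour described above, a quiet wait followed by a burst of files being rewritten with encrypted contents, is what endpoint monitoring looks for. The following is an added defender's example, not code from the article or from Palo Alto's report: it runs a simple "many files rewritten with high-entropy data in a short window" heuristic over a constructed feed of file-write events. The event format (timestamp, path, bytes written) and the thresholds are assumptions chosen for illustration; a real deployment would take events from a file-system audit source and tune the window and counts to the host.

```python
import math
from collections import Counter
from random import Random

# --- Constructed sample data (not from any real incident) -------------------
_rng = Random(2016)  # seeded so the sample is reproducible


def _text(i: int) -> bytes:
    """Low-entropy content, like a document an editor would save."""
    return (f"Quarterly notes {i}\n" * 40).encode()


def _ciphertext() -> bytes:
    """High-entropy content, like a file after encryption."""
    return bytes(_rng.getrandbits(8) for _ in range(2048))


# Benign session: five text files saved over five minutes.
BENIGN_EVENTS = [(float(i * 60), f"/Users/alice/Documents/notes{i}.txt", _text(i)) for i in range(5)]

# Ransomware-like burst: forty user files rewritten within twenty seconds.
BURST_EVENTS = [(1000.0 + i * 0.5, f"/Users/alice/Documents/report{i}.docx", _ciphertext()) for i in range(40)]

SAMPLE_EVENTS = BENIGN_EVENTS + BURST_EVENTS


# --- Detection logic ---------------------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_burst(events, window_s=60.0, min_files=20, entropy_min=7.5):
    """Flag when >= min_files distinct files receive high-entropy writes inside
    any sliding window of window_s seconds.

    Returns a dict with: alerted (bool), peak_files (max distinct files in a
    window) and first_alert_time (timestamp at which the threshold was crossed,
    or None).
    """
    hits = sorted((t, path) for t, path, data in events if shannon_entropy(data) >= entropy_min)
    peak, first_alert, i = 0, None, 0
    for j, (t_j, _) in enumerate(hits):
        # Advance the left edge so hits[i:j+1] all fall inside the window.
        while t_j - hits[i][0] > window_s:
            i += 1
        distinct = len({p for _, p in hits[i:j + 1]})
        peak = max(peak, distinct)
        if distinct >= min_files and first_alert is None:
            first_alert = t_j
    return {"alerted": first_alert is not None, "peak_files": peak, "first_alert_time": first_alert}


if __name__ == "__main__":
    print("benign session:", detect_encryption_burst(BENIGN_EVENTS))
    print("with burst:    ", detect_encryption_burst(SAMPLE_EVENTS))
```

The entropy check is what separates a legitimate mass edit (a build touching many source files) from encryption; the window is what separates a one-off archive being written from a sweep across the user's documents. Both are easy to fool in isolation, which is why this belongs alongside, not instead of, offline backups.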

Sounds bad! But here's the good news: it's an incredibly limited attack vector that relies on a series of unusual circumstances and is easily detected. Users had to explicitly download and run an app in order to be affected; it's not as simple as opening a bad email attachment or clicking the wrong thing in a browser.

So, in order to trick people into downloading the ransomware, someone had to hack Transmission's website (or code) and add in the virus — not nearly as easy as blasting out phishing emails, and far more limited. It's also easy to detect and rectify — Palo Alto noticed the virus within hours of it going live, and Apple removed the signing certificate for the app within a day, meaning the ransomware can no longer be installed. A patch (a newer version of Transmission) is already available on the Transmission site.

So yes, Macs can technically get ransomware, but it relies on a unique set of circumstances far beyond opening a bad PDF. In other words: don't freak out, just choose your shady torrenting client a little better next time. Oh, and back your shit up.

[Palo Alto]



    The impacted users this time had to follow those steps. That's not to say it couldn't have been distributed via a phishing scheme and reached a greater audience as a result.

      Any phishing scheme for this particular ransomware would have needed to do more than just have people open an attachment; it would have needed to persuade them to run an installer as well, and depending on their security settings possibly override their Gatekeeper settings. That's not to say that is impossible, just much more limited. The actual attack of compromising a legitimate installer and having people who actually wanted the software seek it out and do the work for you was probably more effective than phishing in this case.

        It quite possibly was more effective over a short period. I'd just argue that a lot of what the article mentions in regards to how the distribution of the malware took place could have happened via other means and that the circumstances at play this time don't necessarily lower or escalate future concerns.

        I'd say the real trick was using a genuine certificate to get the software onto a computer unnoticed. The rest of it is actually probably fairly repeatable, assuming you even need the malware to come from the official server. Previous software has propagated from third-party file distribution servers that just happened to rank high in search results, for example.

    Apple already blacklisted the certificate used to sign the dodgy app. All it proves is that if you install something - overriding whatever security features your OS implements - then an installed app can do things, including encrypting your data. Well der.

    The real issue here is the governance of the Transmission open source project. Clearly something went wrong there.

    Last edited 08/03/16 12:19 pm