Printed from BusinessInsurance.com

Ransomware attack on Apple's Macs reportedly limited

Posted On: Mar. 7, 2016 12:00 AM CST

BOSTON (Reuters) — The first known ransomware targeted at Apple Inc.'s Mac computers was downloaded only about 6,500 times, according to a representative for the Transmission project, whose software was used to launch the attack.

Transmission representative John Clay told Reuters via email that the ransomware was added to disk-image of its software after the project's server was compromised in a cyber attack.

"We're not commenting on the avenue of attack, other than to say that it was our main server that was compromised," he said. "The normal disk image (was) replaced by the compromised one."

He added that "security on the server has since been increased" and that the group was in "frequent contact" with Apple as well as Palo Alto Networks Inc., which discovered the ransomware.

The attack over the weekend was the first ransomware to breach Macs.

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key to retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft Corp.'s Windows operating system.

Palo Alto Threat Intelligence Director Ryan Olson said the "KeRanger" malware, which appeared Friday, was the first functioning ransomware attacking Apple's Mac computers.

"This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom," Mr. Olson said in a telephone interview.

Hackers infected Macs through the tainted program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.

When users downloaded version 2.90 of Transmission, which was released Friday, their Macs were infected with the ransomware, the blog said.

An Apple representative said the company had taken steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs. The representative declined to provide other details.

Transmission responded by removing the malicious version of its software from its website, www.transmissionbt.com. On Sunday it released a version that its website said automatically removes the ransomware from infected Macs.

The website advised Transmission users to immediately install the new update, version 2.92, if they suspected they might be infected.

Palo Alto said on its blog that KeRanger is programmed to stay quiet for three days after infecting a computer, then connect to the attacker's server and start encrypting files so they cannot be accessed.

After encryption is completed, KeRanger demands a ransom of 1 bitcoin, or about $400, the blog said.

Mr. Olson, the Palo Alto threat intelligence director, said that the victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission's site.