Cybercriminals continue to develop malicious techniques to poison cyberspace, as the emergence of ransomware suggests
In early March, the discovery of a new piece of malicious software added to the growing list of threats in cyberspace. The software, known as KeRanger, is said to be the first fully functional ransomware to target the Mac OS X operating system.
The software was distributed briefly inside an infected version of the installer for the Transmission BitTorrent client. Approximately 6500 Mac users who downloaded the installer between March 5th and 6th are at risk, although nobody has so far reported their data being compromised.
The mechanisms and behaviour of the malware are broadly similar to those of Windows-based ransomware. Once installed, the malicious software searches for hundreds of different file types and encrypts them. The encryption keys are retrieved from command-and-control servers over Tor (a network enabling anonymous communication). The malware lies dormant on the infected computer for at least 72 hours before activating. Once encryption is complete, a text file named README_FOR_DECRYPT.txt is created on the computer, explaining how the victim can obtain the decryption keys and demanding a payment of 1 bitcoin (about $408).
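The behaviour described above gives a defender two cheap host-side indicators to sweep for after an incident like this: the ransom note, which the article names, and files whose contents look like ciphertext. The following script is an added example, not code from the article or from any vendor analysis of KeRanger. It walks a directory tree, records every directory containing README_FOR_DECRYPT.txt, and flags files whose sampled bytes have near-maximal Shannon entropy. The entropy threshold, the sample size, the minimum file size and the ".locked" extension used in the constructed demo data are all assumptions of this example, not values reported on the page.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "README_FOR_DECRYPT.txt"  # note name reported in the KeRanger write-up
ENTROPY_THRESHOLD = 7.5                 # assumption: bits/byte this close to 8 suggests ciphertext
SAMPLE_BYTES = 64 * 1024                # assumption: only the first 64 KiB is sampled per file
MIN_FILE_SIZE = 1024                    # assumption: skip tiny files, their entropy is noisy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty buffer, 8.0 for a uniform byte stream."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root) -> dict:
    """Return directories holding the ransom note and files that look encrypted."""
    root = Path(root)
    note_dirs = []
    high_entropy = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == RANSOM_NOTE:
            note_dirs.append(str(path.parent))
            continue  # the note itself is plain text, no point measuring it
        with open(path, "rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
        if len(sample) >= MIN_FILE_SIZE and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            high_entropy.append(str(path))
    return {
        "ransom_note_dirs": sorted(note_dirs),
        "high_entropy_files": sorted(high_entropy),
    }


def build_demo_tree(base) -> str:
    """Create a constructed sample tree: one clean text file, one random-byte stand-in for an
    encrypted document, and a ransom note. None of this is real infection data."""
    docs = Path(base) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "notes.txt").write_bytes(b"quarterly planning notes\n" * 200)
    (docs / "report.docx.locked").write_bytes(os.urandom(8192))  # ".locked" is a placeholder suffix
    (docs / RANSOM_NOTE).write_text("your files are encrypted, see instructions\n")
    return str(Path(base))


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    base = tempfile.mkdtemp(prefix="keranger-demo-")
    return scan_tree(build_demo_tree(base))


if __name__ == "__main__":
    for key, values in run_demo().items():
        print(f"{key}:")
        for v in values:
            print(f"  {v}")
```

The entropy heuristic is deliberately coarse: compressed archives, images and already-encrypted containers will also score near 8 bits per byte, so the high-entropy list is a triage queue to correlate with the ransom-note locations and with file modification times inside the 72-hour window, not a verdict on its own.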
The malware was able to bypass the Gatekeeper feature of Mac OS X because it was signed with a valid Mac developer ID. Gatekeeper, which is designed to block software from unidentified or untrusted sources, therefore had no reason to stop this piece of malware.
This is not the first time ransomware has proven functional on a Mac operating system. Back in November last year, a proof-of-concept (PoC) threat known as Mabouia was created by cybersecurity researcher Rafael Salema Marques. It was built to demonstrate that Macs were in fact not immune to the threat of ransomware. Though functional, Marques said he had no intention of releasing the malware into the wild.
This latest discovery has cemented that claim. It was inevitable that such malicious software would come to fruition at some point, whether for research purposes or not, and it proves that nobody in cyberspace can be entirely safe from the threats present. Even though Apple was able, within 12 hours of its discovery, to revoke the fraudulently acquired certificate that allowed the malware through Gatekeeper, users should not underestimate the possibility of attackers deploying updated versions of the malware through different outlets or means.
Bitdefender, an internet security software company, says the ransomware may be a rewritten version of the Linux.Encoder Trojan. The company finds that the malware's behaviour resembles that of the Linux variant which has been infecting Linux servers in 2016. Furthermore, the company went on to suggest that the developers behind the Linux malware either extended it to attack Mac operating systems or may even have licensed it to cybercrime groups who specialise in developing Mac OS threats.
The ransomware discovered for Mac appears to be a less sophisticated piece of malware, owing to flaws in its execution. For example, it was detected within hours because of its use of a code-signing certificate belonging to a Turkish company.
It would be a mistake, though, to think that the threat ends here. Ransomware is a serious and growing class of malware which will likely remain one of the main menaces to computer users for the remainder of the year and beyond. Apple, in particular, will be keeping a close eye on its development, since the company will be a key target for many malefactors lurking online. But users too should be careful about the websites they visit and the content they click on and download. Cybercriminals continue to find cunning and unexpected ways to victimise the naive and the careless, so be prepared for a host of dangers, with ransomware being just one of them.