On a regular basis, you hear about ransomware hitting a variety of businesses and their computers. Windows computers, that is! Well, Mac users, you are not left out of the party anymore. Last week, new malware known as KeRanger was reported by Claud Xiao from Palo Alto Networks, and it is the first to target Mac computers.
While KeRanger targets Mac OS X, its behavior is quite similar to Windows-based ransomware. Once it has infected your system, KeRanger sits dormant for 3 days. After 3 days have passed, it will search for a variety of file types and encrypt any it finds in the /Users and /Volumes directories. The malware will then display a ransom message, demanding that the victim pay the ransom in bitcoins in order to get their data back. Interestingly, KeRanger appears to still be under active development and “is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data”. Of course, everyone backs up their data offsite, right?
Because the malware was signed with a valid Mac Developer ID, it could bypass OS X’s Gatekeeper feature, which is designed to block software from untrusted sources. The good news is that Apple has already added detection to XProtect and revoked the developer certificate used to sign it. However, it’s important to note that if you have already run the infected copy of the malware, this will not prevent you from opening it again, because your Mac will consider it safe since it was already opened.
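Because an app that was already opened is not blocked again, it helps to check installed apps against the revoked signer directly. The following is an added example, not code from the original post or from Palo Alto Networks: it parses `codesign -dvv` output and flags apps signed by a listed Team ID. The Team ID `REVOKED123`, the sample output and the function names are constructed placeholders.

```python
import re
import subprocess
from pathlib import Path

# Placeholder: replace with the Team ID of the revoked certificate from the advisory.
REVOKED_TEAM_IDS = {"REVOKED123"}

# Constructed sample of `codesign -dvv` output (not taken from a real app).
SAMPLE_OUTPUT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Dev (REVOKED123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=REVOKED123
"""

def parse_codesign(text):
    """Return (team_id, leaf_authority) from `codesign -dvv` output.

    Unsigned or ad-hoc signed code reports "TeamIdentifier=not set"; the
    pattern requires a single token, so that case yields team_id None.
    """
    team = re.search(r"^TeamIdentifier=(\S+)$", text, re.M)
    leaf = re.search(r"^Authority=(.+)$", text, re.M)  # first Authority line is the leaf cert
    return (team.group(1) if team else None, leaf.group(1) if leaf else None)

def is_revoked(text, revoked=REVOKED_TEAM_IDS):
    """True if the signing Team ID is in the revoked set."""
    team_id, _ = parse_codesign(text)
    return team_id in revoked

def scan_apps(root="/Applications", revoked=REVOKED_TEAM_IDS):
    """Run codesign on each .app bundle under root (macOS only) and list hits."""
    hits = []
    for app in sorted(Path(root).glob("*.app")):
        # codesign writes its signing details to stderr, not stdout.
        proc = subprocess.run(["codesign", "-dvv", str(app)],
                              capture_output=True, text=True)
        team_id, leaf = parse_codesign(proc.stderr)
        if team_id in revoked:
            hits.append((str(app), team_id, leaf))
    return hits

if __name__ == "__main__":
    for app, team_id, leaf in scan_apps():
        print(f"{app}: signed by revoked Team ID {team_id} ({leaf})")
```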