New Mac OS X ransomware targets Apple users

The first fully functional ransomware targeting Apple’s Mac OS X operating system has been identified by security specialist Palo Alto Networks.

Ransomware, which is malicious software used to extort money, represents a growing threat to users. The software can encrypt files until a ‘ransom’ is paid in a difficult-to-trace digital currency, such as bitcoins.

Dubbed “KeRanger,” the Mac ransomware was identified by Palo Alto Networks on March 4. “The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014,” wrote Palo Alto Networks researchers Claud Xiao and Jin Chen, in a blog post Sunday. “As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.”


The ransomware attacked OS X via an open source program called Transmission that is used to transfer data via the BitTorrent file sharing network. “Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4,” wrote Xiao and Chen.

The ransomware waits for three days before connecting to command-and-control servers over the clandestine Tor network. After encrypting users’ data, KeRanger demands that victims pay one bitcoin, worth about $400, to a specific address to retrieve their files, according to Palo Alto Networks.

The company reported the ransomware issue to the Transmission Project and Apple on March 4.


Apple confirmed that it has revoked the Mac app development certificate that let KeRanger bypass the tech company’s OS X Gatekeeper protection software. The tech giant also updated its XProtect antivirus software so that the affected app can no longer be installed.

Palo Alto Networks reports that the Transmission Project has removed the malicious BitTorrent client installers from its website. The Transmission Project has also urged users to upgrade from Transmission version 2.90. “Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file,” it said, in a statement on its website, adding that the new version will remove KeRanger.
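The Transmission Project's advice above amounts to one check: is the installed build 2.90, the version whose installers were trojaned? The script below is an added example, not code from the article, Palo Alto Networks or the Transmission Project. It reads the version string from a Transmission Info.plist, compares versions numerically rather than as text (so that "2.100" would not sort below "2.92"), and classifies the install as affected, fixed, or an unrelated older release. The bundle path is an assumption about a stock install; the embedded plist is a constructed sample standing in for a 2.90 install.

```python
import os
import plistlib

# Assumed location of the app bundle on a standard macOS install; the
# article does not state a path, so adjust it if Transmission lives elsewhere.
TRANSMISSION_PLIST = "/Applications/Transmission.app/Contents/Info.plist"

# Versions named in the Transmission Project's statement quoted above.
AFFECTED_VERSION = "2.90"   # installers of this release carried KeRanger
FIXED_VERSION = "2.92"      # release the project told users to upgrade to


def parse_version(text):
    """Turn '2.90' into (2, 90) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def classify_version(version):
    """Return 'affected', 'fixed' or 'older' for an installed Transmission version."""
    v = parse_version(version)
    if v == parse_version(AFFECTED_VERSION):
        return "affected"
    if v >= parse_version(FIXED_VERSION):
        return "fixed"
    # Not the trojaned build, but still behind the release that removes KeRanger.
    return "older"


def check_info_plist(plist_bytes):
    """Read the bundle version out of an Info.plist and classify it."""
    info = plistlib.loads(plist_bytes)
    version = info.get("CFBundleShortVersionString") or info.get("CFBundleVersion")
    if not version:
        return "unknown"
    return classify_version(version)


# Constructed sample Info.plist representing a 2.90 install (not a real file).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleShortVersionString</key><string>2.90</string>
</dict>
</plist>
"""


def main():
    print("constructed sample:", check_info_plist(SAMPLE_PLIST))
    if os.path.exists(TRANSMISSION_PLIST):
        with open(TRANSMISSION_PLIST, "rb") as fh:
            print("installed Transmission:", check_info_plist(fh.read()))
    else:
        print("no Transmission bundle at", TRANSMISSION_PLIST)


if __name__ == "__main__":
    main()
```

An "affected" result only tells you the build is the one whose installers were tampered with, which is what the statement asks users to act on; it does not by itself prove the copy came from the infected download rather than a clean mirror, so the upgrade to 2.92 is the safe response either way.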


Tod Beardsley, security research manager at cybersecurity specialist Rapid7, said that the Mac ransomware underlines the threat posed by malicious software. "The Trojaned BitTorrent client, Transmission, illustrates the chain of trust that end users of all stripes enter into and how it can break down," he explained, via email. "This incident appears particularly sophisticated, since it involves a compromise of a software developer's distribution site and an unrelated and likely stolen signing key."

However, Beardsley believes that the risk to Transmission users is likely small. "The fact that the compromise was discovered and mitigated in under a day means that the end users of Transmission are at fairly low risk; victims would have had to have downloaded the malicious disk image (DMG) installer and executed it in a relatively short window," he said.

The scale of the ransomware threat was highlighted recently when a Los Angeles hospital paid nearly $17,000 in bitcoins to hackers who disabled its computer network.

Follow James Rogers on Twitter @jamesjrogers