With KeRanger, Mac Users Are No Longer Immune to Ransomware Threats

Michael Buckbee
1 min read
Last updated April 25, 2022

Cybercriminals who previously targeted Windows with ransomware have expanded their customer base to the Mac. Known as KeRanger, it is the first fully functional ransomware found infecting Mac OS X users in the wild.

Unlike the usual entry route, a phishing email, KeRanger victims were infected through a trojanized installer for Transmission, an open-source BitTorrent client: the version 2.90 installers served from the project's own website had been replaced with infected copies, a software-supply-chain compromise rather than a user mistake. The Transmission project has since removed the infected installers and recommends upgrading to a clean release.

KeRanger's authors signed the trojanized installer with a valid Apple Developer ID certificate (a different one from Transmission's legitimate signing identity), so Gatekeeper, which only checks that an app carries a valid Developer ID signature and not which developer it belongs to, let it run. Comparing the signing identity shown by macOS's codesign tool against the developer's known Team ID would have exposed the swap. An Apple representative said the company had taken steps to prevent further infections by revoking the certificate, which blocks new installs but does nothing for Macs already infected.[1]

What happened during encryption?

Once installed, the malware sleeps for three days before doing anything, a delay meant to hide the link between the download and the damage. When it activates, it connects to a command and control server over the Tor network, retrieves an RSA public key, and begins encrypting every file under "/Users" and "/Volumes" whose extension is on its target list, including:

.doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex, .jpg, .jpeg, .mp3, .mp4, .avi, .mpg, .wav, .flac, .zip, .rar, .tar, .gzip, .cpp, .asp, .csh, .class, .java, .lua, .db, .sql, .eml, .pem[2]

Each encrypted file is renamed with an .encrypted suffix. The ransom was 1 bitcoin, roughly $400 USD at the time.
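A small triage script built from what the article states: the paths KeRanger walked, its extension list, and the .encrypted suffix reported in the Palo Alto analysis cited below. This is an added example, not code from the original post or from any vendor tool; it answers two questions an incident responder asks first, how much data on this Mac is exposed, and is there evidence an encryptor has already run. The scan roots, the three-file threshold in verdict(), and the sample tree in the usage note are assumptions for illustration.

```python
"""Exposure and infection triage for a KeRanger-style file encryptor.

Added example, not part of the original article. It relies only on facts the
article gives (scan roots, targeted extensions) plus the .encrypted suffix
from the cited Palo Alto write-up; everything else is labelled as assumed.
"""
import os
from pathlib import Path

# Extension list as given in the article, normalised to lower-case ".ext".
TARGETED_EXTENSIONS = frozenset(
    "." + ext
    for ext in """
    doc docx docm dot dotm ppt pptx pptm pot potx potm pps ppsm ppsx
    xls xlsx xlsm xlt xltm xltx txt csv rtf tex jpg jpeg mp3 mp4 avi mpg
    wav flac zip rar tar gzip cpp asp csh class java lua db sql eml pem
    """.split()
)

# Suffix KeRanger appended to files it had processed (per the cited analysis).
# A different family would need a different marker.
ENCRYPTED_SUFFIX = ".encrypted"

# Roots named in the article; overridable so the scan can run on a test tree.
DEFAULT_ROOTS = ("/Users", "/Volumes")


def is_targeted(path):
    """True if the file's extension is on KeRanger's target list."""
    return Path(path).suffix.lower() in TARGETED_EXTENSIONS


def scan(roots=DEFAULT_ROOTS):
    """Walk each root without following symlinks (a /Volumes mount or alias
    could otherwise loop the walk back into /Users) and classify files.

    Returns a dict with:
      targeted   - files whose extension is on the target list (at risk)
      encrypted  - files already carrying the .encrypted suffix
      unreadable - directories the scan could not enter (permission denied
                   is common under /Users when run as another user)
    """
    report = {"targeted": [], "encrypted": [], "unreadable": []}

    def on_error(err):
        report["unreadable"].append(err.filename)

    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _dirnames, filenames in os.walk(
            root, followlinks=False, onerror=on_error
        ):
            for name in filenames:
                path = os.path.join(dirpath, name)
                # Check the marker first: "x.docx.encrypted" is a victim file,
                # not a targeted one, even though it contains ".docx".
                if name.lower().endswith(ENCRYPTED_SUFFIX):
                    report["encrypted"].append(path)
                elif is_targeted(name):
                    report["targeted"].append(path)
    for key in ("targeted", "encrypted", "unreadable"):
        report[key].sort()
    return report


def verdict(report, min_encrypted=3):
    """Reduce a scan report to a triage state.

    Assumption: three or more .encrypted files is treated as evidence of an
    encryptor at work rather than a stray file someone named that way.
    """
    if len(report["encrypted"]) >= min_encrypted:
        return "ENCRYPTION_IN_PROGRESS"
    if report["encrypted"]:
        return "SUSPICIOUS"
    return "NO_ENCRYPTED_FILES"


if __name__ == "__main__":
    result = scan()
    print("files at risk:      ", len(result["targeted"]))
    print("already encrypted:  ", len(result["encrypted"]))
    print("unreadable dirs:    ", len(result["unreadable"]))
    print("verdict:            ", verdict(result))
```

Run it as the affected user so /Users is readable; directories it cannot enter are reported rather than silently skipped, because a scan that quietly misses half the home directory understates exposure. Pointing it at a constructed tree containing, say, a.docx, b.TXT, c.exe, d.docx.encrypted and two more .encrypted files yields two files at risk (c.exe is not on the list) and the ENCRYPTION_IN_PROGRESS verdict.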

There will be more!

When Ransom32, the first ransomware written in JavaScript, appeared at the start of 2016, we all expected ransomware for Mac users to follow soon: Ransom32 was packaged with the cross-platform NW.js framework, so the same code base could be built for OS X and Linux, not just Windows.

Expect to see more attacks on Macs, because the ransomware business model has yielded large returns. How much? We're talking hundreds of millions of dollars a year.

Further reading on Prevention:

Varonis customers – if you have DatAlert, it can catch and prevent ransomware attacks. Learn more on Connect.


[1] http://www.reuters.com/article/us-apple-ransomware-idUSKCN0W80VX

[2] http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/
