"On March 4, we detected that the Transmission BitTorrent ailient installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware 'KeRanger,'" the researchers explain. "The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform."The infected installer files, which were signed by a legitimate certificate issued by Apple, contains a malicious executable known as "kernel_service" which pretends to be a RTF file. Upon execution, KeRanger creates three files--“.kernel_pid”, “.kernel_time” and “.kernel_complete”--under ~/Library directory. It then sleeps for three days, all the while sending information about the infected Mac to a command-and-control (C&C) server. The ransomware wakes up again when it receives two lines of encoded data from the C&C server. One of these lines contains an RSA public key, which the malware uses to encrypt all files found in the /Users and /Volumes directories. After all the files have been encrypted, the ransomware displays a ransom note and asks the victims to penny up approximately US$400 in exchange for a decryption key.
"It is a little bit surprising because ransomware has been so incredibly popular for Windows, and mobile platforms," Ryan Olson of Palo Alto Networks told Ars Technica. "It's now of the most popular criminal business models. The fact that it hasn't made it to Mac shows that it's had a great amount of success on the Windows side. But the fact that [the malware] was distributed through a legit application demonstrates that we will see this again."To learn more about KeRanger's functionalities, read Palo Alto Networks' blog post here. For information on how you can protect yourself against ransomware on any OS, please click here.