First Mac ransomware had sights on encrypting backups, too
The first known working ransomware aimed at Macs contained hints that the cybercriminals were working on a way to encrypt backups in an attempt to force payment, security researchers said today.
Dubbed “KeRanger” by Palo Alto Networks, whose researchers discovered the malware on Friday, the attack code included a non-working “stub” function labeled “_encrypt_timemachine,” a name that refers to Time Machine, the built-in backup tool in OS X.
“We believe that they had plans to finish [the function] at some point,” said Ryan Olson, director of threat intelligence, Unit 42, Palo Alto’s name for its research lab. “But they went live a little earlier than they expected.”
Palo Alto Networks’ researchers Claud Xiao and Jin Chen identified KeRanger early Friday, just hours after it reached the wild, and finished their analysis Saturday. On Friday afternoon, they reached out to Apple to alert the Cupertino, Calif. company of their findings. By Sunday, Apple had revoked the digital certificate used to sign the malware, and Transmission, the company whose free Mac BitTorrent client had been used to distribute the attack code, had removed the tainted version and issued an update to scrub the ransomware.