Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
OS X Security IT

Apple Has Shut Down the First Fully-Functional Mac OS X Ransomware (techcrunch.com) 124

An anonymous reader writes: Apple has shut down what appears to have been the first, fully-functional ransomware targeting Mac computers. This particular form of cyber threat involves malware that encrypts the data on your personal computer so you can no longer access it. Afterwards, the hackers request that you pay them in a hard-to-trace digital currency — in this case, bitcoin — in order for you to retrieve your files. This ransomware, called KeRanger, was first reported by researchers at Palo Alto Networks. They also noted that Apple has now revoked the abused certificate that was used in the attack and updated its built-in anti-malware system XProtect with a new signature to protect customers.
This discussion has been archived. No new comments can be posted.

Apple Has Shut Down the First Fully-Functional Mac OS X Ransomware

Comments Filter:
    • by __aaclcg7560 ( 824291 ) on Monday March 07, 2016 @02:43PM (#51654797)
      You wipe your hard drive and restore from a backup.
      • by rworne ( 538610 ) on Monday March 07, 2016 @02:56PM (#51654881) Homepage

        This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.

        • by Anonymous Coward on Monday March 07, 2016 @03:12PM (#51654965)

          They'd make more money by patenting (and then actively trolling and/or comercializing) this revolutionary technology that can encrypt off-site backups.

          Because your backups are off-site... right?

          • by Anonymous Coward

            Right, because our collective mothers and grandmothers are are thinking of, not to speak of capable of, doing anything other than what's already built in.

            • by Wycliffe ( 116160 ) on Monday March 07, 2016 @03:51PM (#51655213) Homepage

              Right, because our collective mothers and grandmothers are are thinking of, not to speak of capable of, doing anything other than what's already built in.

              I think there are plenty of apps that are user friendly enough for semi-literate computer years (grandmothers or otherwise). The big problem I see holding back offsite backups is the stingy upload speeds. The FASTED upload speed I can currently get is 512k and it takes multiple calls to tech support to even find out what your upload speed it. The upload speed also barely changes, if at all, whether you go with the 1M package or the 10M package. Even if they just opened up the upload speed at night, this would help the average user have access to better online backups.

              • by Anonymous Coward

                I have 2 time machine backup disks. I keep one at home and one at work and switch them every so often. My car has tons of bandwidth.

              • The FASTED upload speed I can currently get is 512k and it takes multiple calls to tech support to even find out what your upload speed it. The upload speed also barely changes, if at all, whether you go with the 1M package or the 10M package. Even if they just opened up the upload speed at night, this would help the average user have access to better online backups.

                This is deliberate so that businesses will pay business rates. If you want fast upload, you have to buy a business package.

                • This is deliberate so that businesses will pay business rates. If you want fast upload, you have to buy a business package.

                  Maybe so but I live in a residential neighborhood and have tried to get a business connection and I still can't and even if I could, this doesn't help the average internet user. There are probably quite a few new or potential technologies that are being hampered by this, not to mention would-be entrepreneurs. I think upload speeds should be part of net neutrality as limiting upload speeds stifles innovation. We would also all be better off if there were more creators instead of the average internet user

                  • This is deliberate so that businesses will pay business rates. If you want fast upload, you have to buy a business package.

                    Maybe so but I live in a residential neighborhood and have tried to get a business connection and I still can't and even if I could, this doesn't help the average internet user. There are probably quite a few new or potential technologies that are being hampered by this, not to mention would-be entrepreneurs. I think upload speeds should be part of net neutrality as limiting upload speeds stifles innovation. We would also all be better off if there were more creators instead of the average internet user being restricted to being only a consumer of bits.

                    Oh I don't disagree with you - just saying why the telcos make it so.

          • Think you mean off-site, and not synchronized and off-line...
            Yes, I do hard" encrypted backups but between "da cloud" hype and, frankly the convenience of on-line solutions ranging from Gdrive to rolling an OwnCloud server (great! try it) there's probably a whole bunch of folks for whom "off site backup" actually means "another unsecure attack surface"

          • Re: (Score:2, Informative)

            by barc0001 ( 173002 )

            Yes, I'm sure most home Apple users take weekly backups and drop them in their safety deposit boxes. Just like they constantly update their virus scanners.

            Or they do neither of those things because Apple's marketing drum that's been beating for the last decade has been "you can't get malware and just use Time Machine to be perfectly safe!"

            I'm not saying Apple is completely at fault, but they did go out of their way to make it sound like they take care of everything.

            • Yes, I'm sure most home Apple users take weekly backups and drop them in their safety deposit boxes.

              I'm sure PC users do as well.

              I'm working with a guy who had a windows 10 update bitch his computer up. No backup at all. We'll probably use Linux to retreive his data.

              At least Apple users don't have their number one enemy be their OS provider.

            • by Anonymous Coward

              The fundamental problem of the constant Apple vs WinTel argument or the iPhone vs Android argument is that almost all of the arguments are presented by people who are firmly encamped on one side and are blind to the degree to which they are unfamiliar with the other side. Moreover, the Dunning-Kruger effect is particularly telling in this regard: not only is the knowledge of the other side incomplete, individuals will overestimate their competence when their capabilities and/or knowledge is limited and und

          • They'd make more money by patenting (and then actively trolling and/or comercializing) this revolutionary technology that can encrypt off-site backups.

            Because your backups are off-site... right?

            Off site doesn't help if the backup files/drive remain accessible from the infected computer.

        • This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.

          That's one form of backup, but it shouldn't be your only backup. I periodically clone the drive partition to external hard drives and copy disk images to the file server.

          • This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.

            That's one form of backup, but it shouldn't be your only backup. I periodically clone the drive partition to external hard drives and copy disk images to the file server.

            R'Amen to that. Hourly auto-backups (Time Machine) are great, but are not enough! Periodic (monthly) cloning to an external drive that you store in a different location is closer to a full backup scheme. I have two externals, and alternate them in my monthly backups, but for time's sake, do incremental backups.

            My extra step is, once a year or so, to do a full clone to yet another external (or just keep the HD when I buy a new computer or upgrade storage). Why? I have a 23-year scientific body of work o

          • As far as I can tell, Time Machine is intended as an easy solution that's lots better than not having any backup scheme. My backup strategy is more effective, but then I actually know I need one, and actually consciously have one.

        • by spire3661 ( 1038968 ) on Monday March 07, 2016 @03:29PM (#51655095) Journal
          Its not a backup if its write-accessible to the originating machine. Backups are stored OFFLINE or at least employ a physical/logical gap. Time Machine is more of a hot spare than a backup in this context.
        • Glad my backups are append permission only at the hardware level.
        • by romanval ( 556418 ) on Monday March 07, 2016 @04:20PM (#51655377)

          It tries but fails. Time Machine Backups are are read-only to everyone except the backupd process (which runs as root). The malware doesn't run as admin.

        • by BlackPignouf ( 1017012 ) on Monday March 07, 2016 @04:50PM (#51655543)

          No need to do anything to corrupt Time Machine backups.
          Those weird non-standard Time Machine directory hard links do a great job of messing backups already.

  • by Anonymous Coward
    Congratulations Mac, you final have a large enough installed base that malware developers are starting to support your platform. Maybe someday game developers will support it as well.
    • Congratulations Mac, you final have a large enough installed base that malware developers are starting to support your platform. Maybe someday game developers will support it as well.

      Seriously. If code is well-written, with portability in mind, then there is absolutely no reason for games to not come on Mac at release.

      And yes they are written to be portable –PlayStation, Windows 7 or 8 or 10, Linux, X-Box. FFS, if a game is ported to Linux, then it should be trivial to slap together an interface for Mac OS X—It's based on the BSD of UNIX.

  • by Anonymous Coward

    Gatekeeper is the real problem. It only checks the certificate on the first app in a package, then lets any other app, legit or malware, through without checking. Bundle in malware and it gets right through. Apple only blocks the certificate the developer of Transmission was using. So, all they are doing is blocking the first app's certificate, Transmission. That's just a bandaid patch on the real problem, Gatekeeper itself. All that has to be done is to repackage the same malware with the new app, or

    • This incident had nothing to do with what you describe. And was stopped because the offending certificate got yanked and blocked by Apple, so in this instance Gatekeeper worked exactly as it should.

      What you're talking about is a problem, no question 'bout that, just not this time

    • by AHuxley ( 892839 )
      Re AC and the "All that has to be done is to repackage the same malware with the new app, or some other app, and it will happen again." issue.
      That is the problem. All that can be done by most protective offerings is to look at past reported issues and get that detail out to all users.
      Actual understanding of what is been run, what other code an application could download with and then alters is still a missing step in real time.
      If the application is not reported, it will pass as clean and can run and so
  • Software developers invested this much effort in finding legitimate uses for Bitcoin? Crapware like this only helps to reinforce the notion that Bitcoin is only used by the criminal underground.

    • by geekmux ( 1040042 ) on Monday March 07, 2016 @03:33PM (#51655115)

      Software developers invested this much effort in finding legitimate uses for Bitcoin? Crapware like this only helps to reinforce the notion that Bitcoin is only used by the criminal underground.

      Well, actually it reinforces the purpose of anonymous transactions.

      Let's not sit here and pretend that cash transactions (a.k.a. the other side of the coin) are somehow not heavily relied upon within the criminal community, and for the exact same reasons that bitcoin is.

      Criminal activity will be a side effect of anonymous transactions no matter the medium. What should concern us more is when anonymous transactions are made 100% illegal, even for legitimate privacy reasons.

      • Comment removed based on user account deletion
  • by nyquil superstar ( 249173 ) on Monday March 07, 2016 @03:20PM (#51655023)
    So if you've already been infected and locked, this seems like it would shut down any avenue of unlocking your files. Maybe there aren't already people actively locked, but this seems like it would be a problem. Anyone know any more?
    • The malware was bundled on the 4th and was waiting 3 days before it started encrypting files (which would be today). The executable was disabled during weekend.
    • by Lisias ( 447563 )

      I don't know if this is the "best" option, but I would withdraw the harddisk from the machine and mount it on a clean machine to check for damages and so the salvage.

  • by Grishnakh ( 216268 ) on Monday March 07, 2016 @03:28PM (#51655079)

    Apple is depriving these software writers of their rightful revenue, and hopefully they'll be sued for it, and better yet a law passed banning this kind of practice. This is no different than ad-blocking and script-blocking software, which prevents upstanding advertisers from running JavaScript software on peoples' computers and rightfully earning revenue from it.

  • Apple would decompile the code for the malware and file a patent on it. Then dispatch the FBI to stake out the courthouse in Tyler, TX until the malware writers file a troll suit.

  • That was fast (Score:4, Interesting)

    by Sir Holo ( 531007 ) on Monday March 07, 2016 @03:47PM (#51655181)

    Well, that was fast. One day.

    Sure, it's not a system patch but a certificate revocation, but still a responsibly swift resolution.

    BTW, it was a malware Trojan, likely a double-Trojan, injected between the unwitting developer and the unwitting downloader, using the compromised certificate. Whether in transit if http downloaded, or by some other exploit, I dunno. Those more expert than me can answer that one.

    It was not a virus. It was a Trojan inserted by a third party. I understand that it (probably) affected Linux and Windows as well. Please, everyone, just use proper terminology. It aids discussion.

  • by Anonymous Coward

    Bit coin is neither anonymous nor hard to trace. How long must we put up with this shitty reporting of disinformative nonsense?

  • Aghast (Score:4, Funny)

    by PopeRatzo ( 965947 ) on Monday March 07, 2016 @04:10PM (#51655311) Journal

    I live in fear that some ransomware is going to encrypt my collection of ASCII porn, so I've been printing it out little by little on my Okidata 320. The good news is that I'm protected from ransomware, but the bad news is my house is now a serious fire hazard. Stacks of paper everywhere.

    • I live in fear that some ransomware is going to encrypt my collection of ASCII porn, so I've been printing it out little by little on my Okidata 320. The good news is that I'm protected from ransomware, but the bad news is my house is now a serious fire hazard. Stacks of paper everywhere.

      Don't worry too much. Neat stacks of paper are no more of a fire hazard than are wooden supports or furniture. Tightly-stacked paper does not burn well, which is why we have historical documents from many great minds, even though their will stated "burn all of my notes at death."

      It's messy piles of crumpled paper, mixed in with pizza boxes (+ cheese), empty Cheetos bags, and semi-empty whiskey bottles that is the real fire hazard.

      • It's messy piles of crumpled paper, mixed in with pizza boxes (+ cheese), empty Cheetos bags, and semi-empty whiskey bottles that is the real fire hazard.

        Now you tell me.

    • by Scoldog ( 875927 )
      Just wait until you see "lp0 on fire" on your greenscreen CRT terminal
  • Ransomware canary (Score:5, Informative)

    by GlobalEcho ( 26240 ) on Monday March 07, 2016 @04:16PM (#51655351)

    I wonder how useful it would be to keep a "Ransomware canary" around. I'm thinking of, say, a Word .doc file on a network drive. A process on some separate computer then checks its entropy every few minutes to make sure it has not grown huge.

    The idea fails for local files because (as I recall) the more sophisticated ransomware inserts itself as a filesystem driver.

    • I wonder how useful it would be to keep a "Ransomware canary" around. I'm thinking of, say, a Word .doc file on a network drive. A process on some separate computer then checks its entropy every few minutes to make sure it has not grown huge.

      The idea fails for local files because (as I recall) the more sophisticated ransomware inserts itself as a filesystem driver.

      Or tripwire which I think should protect very well against cryptolocker type attacks:
      http://hints.macworld.com/arti... [macworld.com]

  • by AnalogDiehard ( 199128 ) on Monday March 07, 2016 @04:40PM (#51655475)
    Microsoft bows to Hollywood and the Feds while dragging its heels while users suffer from malware.

    Apple tells the Feds to take a hike and focuses its resource to kill a nasty ransomware within a day.

    Go Apple!
  • I'm glad they finally got rid of iTunes... oh wait...

Do you suffer painful hallucination? -- Don Juan, cited by Carlos Casteneda

Working...