BY CHARLEI BAYLOR
Campus members were contacted by the Information Technology department on Sunday evening regarding the first ever “ransomware” virus known to attack Mac computers.
The term applies to virus loaded onto computer systems that “steals” people’s information from their devices and coaxes victims to pay ransoms in order to get it back.
Hackers used the newest version of Transmission, a file sharing application, to download the virus onto user’s Mac computers.
The issue was caught on March 4 which gave departments about three days to alert as many as possible. The bit torrent, named KeRanger, was scheduled to infect computers on March 7 at 11 a.m.
“We believe KeRanger is the first fully functional ransomware seen on the OS X platform,” Claud Xiao, writer for PaloAlto said.
According to Xiao, the virus was unique in its approach due to its “legitimate certificate” with Apple itself causing it to be able to get around Apple’s firewall systems.
Since the virus was caught, a new version of Transmission has been released that, when downloaded, deletes the previous download, according to Reuters.
The KeRanger application was signed with a valid Mac app development certificate and therefore, was able to bypass Apple’s Gatekeeper protection.
If a user installs the infected apps, an embedded executable file is run on the system.
KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network.
The malware then begins encrypting certain types of document and data files on the system.
After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.
Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.
Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4.
Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems. The two KeRanger infected Transmission installers were signed with a legitimate certificate issued by Apple. The developer listed this certificate is a Turkish company with the ID Z7276PX673, which was different from the developer ID used to sign previous versions of the Transmission installer.
In the code signing information, it was found that these installers were generated and signed on the morning of March 4.