Apple has updated the operating system for Mac computers after cybersecurity experts discovered what is believed to be the world’s first fully-functional ransomware that targets OS X machines.
Ransomware, one of the fastest-growing types of cyber threats, typically asks victims to pay ransoms in hard-to-trace digital currencies so they can retrieve their data. It has usually targeted users of Microsoft’s Windows operating system.
But Palo Alto Networks reported Sunday that ransomware called “KeRanger” had infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network. After infection, KeRanger demands a ransom of 1 bitcoin, or about $400.
Another malware application known as FileCoder had been previously discovered but was incomplete at the time it was found. KeRanger “is the first one in the wild that is definitely functional, encrypts your files, and seeks a ransom,” Ryan Olson, director of threat intelligence at Palo Alto Networks, told Reuters.
The KeRanger application was signed with a valid Mac app development certificate. According to TechCrunch, Apple has revoked the certificate and updated its built-in anti-malware system XProtect with a new signature to protect customers.
“The best way for consumers to protect themselves is to update Apple’s malware profiles via Xprotect,” TechCrunch said.
But Olson told Ars Technica he expected ransomware to proliferate.
“It’s now of the most popular criminal business models,” he said. “The fact that it hasn’t made it to Mac shows that it’s had a great amount of success on the Windows side. But the fact that [the malware] was distributed through a legit application demonstrates that we will see this again.”
For its part, Transmission said it had updated its software so the ransomware is automatically removed from infected Macs. Victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission’s site, Olson told Ars Technica.