The first known working ransomware aimed at Macs contained hints that the cybercriminals were working on a way to encrypt backups in an attempt to force payment, security researchers said today.
Dubbed "KeRanger" by Palo Alto Networks, whose researchers discovered the malware on Friday, the attack code included a non-working "stub" function labeled "_encrypt_timemachine."
"We believe that they had plans to finish [the function] at some point," said Ryan Olson, director of threat intelligence, Unit 42, Palo Alto's name for its research lab. "But they went live a little earlier than they expected."
Palo Alto Networks' researchers Claud Xiao and Jin Chen identified KeRanger early Friday, just hours after it reached the wild, and finished their analysis Saturday. On Friday afternoon, they reached out to Apple to alert the Cupertino, Calif.-based company of their findings. By Sunday, Apple had revoked the digital certificate used to sign the malware, and Transmission, the open-source project whose free Mac BitTorrent client had been used to distribute the attack code, had removed the tainted version and issued an update to scrub the ransomware.
Because KeRanger contained a three-day, hard-coded delay before executing, the quick work by Palo Alto, Apple and Transmission meant that few if any Mac users had their files locked up, and so did not have to hope they had backups or the $400 to pay the extortionists.
But the criminals were more ambitious than most: They planned to create code that would have encrypted not only the more than 300 file types stored on a Mac's internal hard drive, but also the copies of those files held in any Time Machine backups.
Time Machine is the backup software baked into OS X. Although Time Machine works with any external drive, Apple sells its own Time Capsule backup devices. Because Time Machine is essentially fire-and-forget once enabled, it is a very popular choice for Mac owners backing up their desktop and notebook computers. That convenience is also what made it a target: a backup volume that stays mounted and writable by the logged-in user is reachable by any malware running under that user's account, so encrypting the backup alongside the originals would have removed the victim's easiest way to recover without paying.
Ransomware is a very profitable criminal activity, said Thomas Reed, director of Mac offerings at Malwarebytes. "It's the biggest money maker," Reed asserted, of the many ways criminals try to monetize their malware.
The category has victimized computer owners for more than a decade. Like all malware, it has changed since it debuted, but ransomware retains some basic properties: If a machine is infected, the code encrypts all or part of a drive -- typically by selecting the most valuable file types, like Microsoft Word or Excel documents -- then displays a message demanding payment for the key that will decrypt the data. Increasingly, that payment is in the form of Bitcoin, the digital currency.
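The in-place encryption described above leaves a detectable trace: a file still named budget.xls or notes.txt whose bytes are statistically random. The following is an added example, not code from the article, Palo Alto Networks or the Transmission project. It scans a directory tree for files with document-style extensions whose content has near-maximal Shannon entropy, which is how encrypted or compressed data looks. The extension list, the 7.5 bits/byte threshold and the sample files are assumptions constructed for illustration; the list is not the 300-plus extensions KeRanger targeted.

```python
"""
Added example (not from the article or Palo Alto Networks): a small
entropy-based detector for document files that have been encrypted in place.

Assumptions: TARGET_EXTENSIONS and ENTROPY_THRESHOLD are illustrative
choices, and build_sample_tree() creates constructed sample data.
"""
import math
import os
import tempfile
from collections import Counter

# Assumed sample of "valuable" document extensions a ransomware might target.
TARGET_EXTENSIONS = {".txt", ".rtf", ".csv", ".doc", ".xls"}
# Random or encrypted data approaches 8.0 bits/byte; plain text sits near 4-5.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str, threshold: float = ENTROPY_THRESHOLD,
                    sample_bytes: int = 65536) -> bool:
    """True if the first sample_bytes of the file are high-entropy.

    Very small files are skipped: a few hundred bytes are not enough
    for the entropy estimate to be meaningful.
    """
    with open(path, "rb") as f:
        data = f.read(sample_bytes)
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def scan_tree(root: str, extensions=TARGET_EXTENSIONS) -> list:
    """Walk root and return paths of targeted-extension files that look encrypted."""
    suspicious = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in extensions:
                full = os.path.join(dirpath, name)
                if looks_encrypted(full):
                    suspicious.append(full)
    return sorted(suspicious)


def build_sample_tree() -> str:
    """Constructed sample data: an ordinary text file, a spreadsheet whose
    bytes were overwritten with random data (simulating in-place encryption),
    and a random file with an extension the scanner does not target."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"Quarterly planning notes.\n" * 200)
    with open(os.path.join(root, "budget.xls"), "wb") as f:
        f.write(os.urandom(4096))
    with open(os.path.join(root, "photo.raw"), "wb") as f:
        f.write(os.urandom(4096))
    return root


def demo() -> list:
    """Build the sample tree, scan it, and return the flagged file names."""
    root = build_sample_tree()
    return [os.path.basename(p) for p in scan_tree(root)]


if __name__ == "__main__":
    print(demo())  # ['budget.xls']
```

Entropy alone produces false positives on formats that are already compressed (zipped Office files, JPEGs), so in practice the check is paired with other signals such as a burst of writes across many document files by one process, or a sudden change in a file's magic bytes.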
KeRanger wanted one Bitcoin, or approximately $412 at Monday's exchange rate.