Slashdot Mirror


Apple Has Shut Down the First Fully-Functional Mac OS X Ransomware (techcrunch.com)

An anonymous reader writes: Apple has shut down what appears to have been the first fully functional ransomware targeting Mac computers. This particular form of cyber threat involves malware that encrypts the data on your personal computer so you can no longer access it. Afterwards, the hackers request that you pay them in a hard-to-trace digital currency — in this case, bitcoin — in order for you to retrieve your files. This ransomware, called KeRanger, was first reported by researchers at Palo Alto Networks. They also noted that Apple has now revoked the abused certificate that was used in the attack and updated its built-in anti-malware system XProtect with a new signature to protect customers.

124 comments

  1. So who decrypts your files for you? by OzPeter · · Score: 2, Funny

    Apple?

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:So who decrypts your files for you? by __aaclcg7560 · · Score: 4, Informative

      You wipe your hard drive and restore from a backup.

    2. Re: So who decrypts your files for you? by rworne · · Score: 4, Informative

      This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
    3. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 5, Funny

      They'd make more money by patenting (and then actively trolling and/or commercializing) this revolutionary technology that can encrypt off-site backups.

      Because your backups are off-site... right?

    4. Re: So who decrypts your files for you? by __aaclcg7560 · · Score: 1

      This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.

      That's one form of backup, but it shouldn't be your only backup. I periodically clone the drive partition to external hard drives and copy disk images to the file server.

    5. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 0

      No, it had stubs for that, but there is no evidence it actually had that functionality.

    6. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 1

      Right, because our collective mothers and grandmothers are thinking of, not to speak of capable of, doing anything other than what's already built in.

    7. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 0

      This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.

      No, actually this bit of malware is programmed to look for ignorant users who keep their backup drive plugged in and online all the times.

      The intent you've described here is merely a disguise.

    8. Re: So who decrypts your files for you? by spire3661 · · Score: 4, Informative

      It's not a backup if it's write-accessible to the originating machine. Backups are stored OFFLINE or at least employ a physical/logical gap. Time Machine is more of a hot spare than a backup in this context.

      --
      Good-bye
    9. Re: So who decrypts your files for you? by slazzy · · Score: 1

      Glad my backups are append permission only at the hardware level.

      --
      Website Just Down For Me? Find out
    10. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 0

      That is why you back up to a different machine.

    11. Re: So who decrypts your files for you? by Wycliffe · · Score: 4, Interesting

      Right, because our collective mothers and grandmothers are thinking of, not to speak of capable of, doing anything other than what's already built in.

      I think there are plenty of apps that are user friendly enough for semi-literate computer users (grandmothers or otherwise). The big problem I see holding back offsite backups is the stingy upload speeds. The FASTEST upload speed I can currently get is 512k and it takes multiple calls to tech support to even find out what your upload speed is. The upload speed also barely changes, if at all, whether you go with the 1M package or the 10M package. Even if they just opened up the upload speed at night, this would help the average user have access to better online backups.

    12. Re: So who decrypts your files for you? by Bearhouse · · Score: 2

      Think you mean off-site, and not synchronized and off-line...
      Yes, I do "hard" encrypted backups, but between "da cloud" hype and, frankly, the convenience of on-line solutions ranging from Gdrive to rolling an OwnCloud server (great! try it) there's probably a whole bunch of folks for whom "off site backup" actually means "another insecure attack surface".

    13. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 0

      Those aren't really backups. If you thought so before, you now know why you were wrong.

    14. Re: So who decrypts your files for you? by romanval · · Score: 4, Interesting

      It tries but fails. Time Machine backups are read-only to everyone except the backupd process (which runs as root). The malware doesn't run as admin.

    15. Re: So who decrypts your files for you? by BlackPignouf · · Score: 4, Funny

      No need to do anything to corrupt Time Machine backups.
      Those weird non-standard Time Machine directory hard links do a great job of messing backups already.

    16. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 1

      I have 2 time machine backup disks. I keep one at home and one at work and switch them every so often. My car has tons of bandwidth.

    17. Re: So who decrypts your files for you? by barc0001 · · Score: 1, Informative

      Yes, I'm sure most home Apple users take weekly backups and drop them in their safety deposit boxes. Just like they constantly update their virus scanners.

      Or they do neither of those things because Apple's marketing drum that's been beating for the last decade has been "you can't get malware and just use Time Machine to be perfectly safe!"

      I'm not saying Apple is completely at fault, but they did go out of their way to make it sound like they take care of everything.

    18. Re: So who decrypts your files for you? by Ol Olsoc · · Score: 0

      Yes, I'm sure most home Apple users take weekly backups and drop them in their safety deposit boxes.

      I'm sure PC users do as well.

      I'm working with a guy who had a Windows 10 update bitch his computer up. No backup at all. We'll probably use Linux to retrieve his data.

      At least Apple users don't have their number one enemy be their OS provider.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    19. Re: So who decrypts your files for you? by Sir Holo · · Score: 1

      This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.

      That's one form of backup, but it shouldn't be your only backup. I periodically clone the drive partition to external hard drives and copy disk images to the file server.

      R'Amen to that. Hourly auto-backups (Time Machine) are great, but are not enough! Periodic (monthly) cloning to an external drive that you store in a different location is closer to a full backup scheme. I have two externals, and alternate them in my monthly backups, but for time's sake, do incremental backups.

      My extra step is, once a year or so, to do a full clone to yet another external (or just keep the HD when I buy a new computer or upgrade storage). Why? I have a 23-year scientific body of work on my computer. (Physical objects are also safely stored – lab books, samples, film negatives, etc.)

      cremier has an even savvier addition to the cloning approach. Rather than incremental clones, full archival disk images of those clones stored on some huge HD/RAID/server, as space allows – preferably encrypted. Caveat is that those take a lot of drive and processor time.

      Perhaps I should exclude the "Games" Directory from the cloning. That will cut the time in half!

    20. Re: So who decrypts your files for you? by boarder8925 · · Score: 1

      Is this true for older versions of Mac OS X, or just 10.11 El Capitan?

    21. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 0

      Yeah. Portable drives are cheap. One drive for Time Machine, a second drive for monthly snapshots, and a third drive that's a snapshot taken quarterly and stored in the desk at work. Also iCloud for college work, which also gets backed up to the other drives.

    22. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 0

      Hard links work fine unless you mess about with them. Backupd knows how to work with directory hard links.

      I've been using Time Machine for years, and only lost data when a drive was mechanically failing.

    23. Re: So who decrypts your files for you? by sociocapitalist · · Score: 1

      They'd make more money by patenting (and then actively trolling and/or commercializing) this revolutionary technology that can encrypt off-site backups.

      Because your backups are off-site... right?

      Off site doesn't help if the backup files/drive remain accessible from the infected computer.

      --
      blindly antisocialist = antisocial
    24. Re: So who decrypts your files for you? by sociocapitalist · · Score: 2

      The FASTEST upload speed I can currently get is 512k and it takes multiple calls to tech support to even find out what your upload speed is. The upload speed also barely changes, if at all, whether you go with the 1M package or the 10M package. Even if they just opened up the upload speed at night, this would help the average user have access to better online backups.

      This is deliberate so that businesses will pay business rates. If you want fast upload, you have to buy a business package.

      --
      blindly antisocialist = antisocial
    25. Re: So who decrypts your files for you? by sociocapitalist · · Score: 4, Informative

      It tries but fails. Time Machine backups are read-only to everyone except the backupd process (which runs as root). The malware doesn't run as admin.

      Depends on how long the encryption is happening before you realize it vs. how much space you have on your time machine before older backups get erased and encrypted files are stored instead.

      --
      blindly antisocialist = antisocial
    26. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 0

      A proper backup is an offline backup, not accessible during normal operations.

      That's one of the reasons tape drives are still being sold.

    27. Re: So who decrypts your files for you? by houghi · · Score: 1

      Also: there is a difference between hardware failure (a copy is ok) and data failure. If you copy corrupt data, you have lost the data.

      Hence incremental backups.

      And another one: Test your restore procedure. Restoring data is more important than backing up. If you can't restore there is no need to back up.

      When people start talking backup, many look as if I am an idiot when I start talking restore first. Often people have NO idea how to restore data.

      How do you get your data back when your PC was fried, you buy a new one and have no idea how to link your NetworkDrive to your PC as your old PC was still Windows 95 and you bought a Mac?

      --
      Don't fight for your country, if your country does not fight for you.
    28. Re: So who decrypts your files for you? by Wycliffe · · Score: 1

      This is deliberate so that businesses will pay business rates. If you want fast upload, you have to buy a business package.

      Maybe so but I live in a residential neighborhood and have tried to get a business connection and I still can't and even if I could, this doesn't help the average internet user. There are probably quite a few new or potential technologies that are being hampered by this, not to mention would-be entrepreneurs. I think upload speeds should be part of net neutrality as limiting upload speeds stifles innovation. We would also all be better off if there were more creators instead of the average internet user being restricted to being only a consumer of bits.

    29. Re: So who decrypts your files for you? by sociocapitalist · · Score: 1

      This is deliberate so that businesses will pay business rates. If you want fast upload, you have to buy a business package.

      Maybe so but I live in a residential neighborhood and have tried to get a business connection and I still can't and even if I could, this doesn't help the average internet user. There are probably quite a few new or potential technologies that are being hampered by this, not to mention would-be entrepreneurs. I think upload speeds should be part of net neutrality as limiting upload speeds stifles innovation. We would also all be better off if there were more creators instead of the average internet user being restricted to being only a consumer of bits.

      Oh I don't disagree with you - just saying why the telcos make it so.

      --
      blindly antisocialist = antisocial
    30. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 1

      The fundamental problem of the constant Apple vs WinTel argument or the iPhone vs Android argument is that almost all of the arguments are presented by people who are firmly encamped on one side and are blind to the degree to which they are unfamiliar with the other side. Moreover, the Dunning-Kruger effect is particularly telling in this regard: not only is the knowledge of the other side incomplete, individuals will overestimate their competence when their capabilities and/or knowledge is limited and underestimate it when their capabilities and/or knowledge is superior. What this means is that the WinTel person that reads /. is not the average WinTel user; they are far more knowledgeable and capable but see themselves, individually, as less capable than -for instance- the MS Certified expert. Meanwhile, the POSIX compliant/Single UNIX Specification compliant OS user (OS X has been both since 2003 although I think Lion had some issues; BSDs are obviously compliant) reading /. is also not the average user; however, due to the nature of the OS, users come in two varieties, expert and beginner. WinTel users are constantly fighting their machine and although perhaps not as much as what was once the case, this provides an impetus and often an urgency to learning. Nevertheless, the WinTel user eventually reaches a point where their knowledge is sufficient in all the cases they have encountered and unless something makes them feel like a beginner, the learning stops. The *NIX user has a different problem: if you stay in the kiddie pool and use only what is already included, it is hard to get in trouble if you are not using an admin account. Apple has made an art of taking *NIX power and making it available to the average user while providing a sandbox (or walled garden if you like) as well as a kiddie pool. So what does the expert *NIX user do that is so much better than WinTel? They use the command line far more often than a WinTel expert wants or needs to -even on a Mac. You say that Apple closes everything down, restricts access to this or that and I say learn UNIX.

      So why all of this? Because no one here is an average user. No one here does things the way that the average Mac user or Windows user does; pretending like any of us knows what the average person would do is futile and pointless. No one here has confused an optical drive for a cup holder or turned the machine off and on before logging in (and I have seen multiple cases of both of these events as I am sure some of you have) but most of all, who here has ONLY ONE backup of anything? Who here has ONLY one hard drive? Who here would keep their main backup plugged into their machine?

      Time Machine is intended to use two backups. One that you use for everyday oopses and one -that is unplugged 99% of the time- that combined with a fresh copy of the OS directly from Apple, restores your machine to status quo ante. Using only one backup is always a recipe for disaster regardless of how often or how easy. It is far better to have what you had last month than to lose everything because you wanted a constant backup. One huge advantage of Time Machine is that it ingrains into the average user the idea that backups are needed by its very existence.

    31. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 0

      What I meant to say was that no one here can really speak to what beginners do or don't do --in either camp-- with any sort of authority and that criticizing the other side because of what someone who just pulled a machine out of a box (even the most jaded WinTel user has to admit that Apple has this down to an art: pull it out, plug it in, and go. No bloatware, no drivers, no validation with MS, etc...) their first home computer will do. They always say the same thing either before or after they bought the machine: I just use it for email and to surf the web. The kids use it for school and what not... The wife does all that face twitter stuff... I don't know... (if you'd like, substitute any male pronoun for a female pronoun) and whenever it breaks down, no beginner says "my Mac broke down" or "my WinTel box broke down" they all say "the damned thing just stopped working and I don't have a clue why!!" to which you ask "what were you doing when it worked last" and you get told "oh I was just puttering around with it"

      It takes a lot more than most WinTel users think to infect any *NIX box and there are tools and fixes that the WinTel expert can only dream of but no machine is safe from the biological entity in front of it. Apple does take care of a lot and Microsoft gives you 15 Gb for offsite backup plus you can use your google drive and you can email yourself important stuff that you want to preserve but it takes an active idiotic effort to infect a Mac whereas WinTel machines catch the flu by just walking by some clickbait.

      Just in case: I use Windows 7 (I might switch to 10 but 8 sucked period), OS X 11.XX in the beta program (use beta software on my everyday production machine, try that with Windows LOL! ) and Debian (still using Wheezy) and I am thinking of adding a BSD in there and this is just my hobby :-)

    32. Re: So who decrypts your files for you? by david_thornley · · Score: 1

      As far as I can tell, Time Machine is intended as an easy solution that's lots better than not having any backup scheme. My backup strategy is more effective, but then I actually know I need one, and actually consciously have one.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    33. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 0

      You know what might work for this? Make it so writing to the backup drive requires elevated privileges, have your backup process run with those privileges, and use your computer as a non-admin. Golden.

    34. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 0

      Of course if you ever get pwnd in a real way, and your root account is compromised, that would suck. The only solution for that is a less frequent offline backup of the backup.

      But most OS X malware is really pathetic so far. It mostly relies on user error.
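The privilege-gap and verified-snapshot ideas raised in comments 8, 25, 27 and 33 above, as an added example that is not part of the thread: it builds a constructed snapshot in a temp directory, records a hash manifest, simulates an unprivileged process rewriting files inside the still-mounted snapshot, and shows what a manifest check against out-of-band hashes reports. File names, the manifest layout and the `demo` scenario are assumptions made for the example.

```python
"""Check a snapshot-style backup for a privilege gap and for silent content changes."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_of(path: Path) -> str:
    """Stream the file so a large backup never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(snapshot: Path) -> dict:
    """Map every regular file in the snapshot (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(snapshot).as_posix(): sha256_of(p)
        for p in sorted(snapshot.rglob("*"))
        if p.is_file()
    }


def verify_snapshot(snapshot: Path, manifest: dict) -> dict:
    """Compare the snapshot's current contents with a manifest taken at backup time.

    The manifest must be kept where the originating machine cannot write; a manifest
    stored inside a writable snapshot can be rewritten together with the data.
    """
    current = build_manifest(snapshot)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def privilege_gap_ok(snapshot: Path) -> bool:
    """A snapshot the calling user can write to is a hot spare, not a backup."""
    return not os.access(snapshot, os.W_OK)


def demo() -> dict:
    """Constructed scenario: snapshot, then tamper with it as the ordinary user."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        live = root / "live"
        (live / "docs").mkdir(parents=True)
        (live / "photos").mkdir()
        (live / "docs" / "thesis.txt").write_text("constructed lab notes\n")
        (live / "photos" / "cat.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
        (live / "notes.md").write_text("# constructed todo list\n")

        snapshot = root / "snapshot-2016-03-06"
        shutil.copytree(live, snapshot)
        manifest = build_manifest(snapshot)  # store this away from the backed-up machine
        clean = verify_snapshot(snapshot, manifest)

        # Simulated ransomware with no special privileges and the snapshot still mounted:
        # one file overwritten in place, one overwritten and renamed, one note dropped.
        (snapshot / "photos" / "cat.jpg").write_bytes(os.urandom(32))
        victim = snapshot / "docs" / "thesis.txt"
        victim.write_bytes(os.urandom(32))
        victim.rename(victim.parent / "thesis.txt.encrypted")
        (snapshot / "ransom_note.txt").write_text("constructed placeholder note\n")

        tampered = verify_snapshot(snapshot, manifest)
        return {"clean": clean, "tampered": tampered, "gap_ok": privilege_gap_ok(snapshot)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Because the temp directory is writable by the user running the script, `gap_ok` comes back False, which is exactly the hot-spare condition the thread warns about; a real check would point at the mounted backup volume.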

    35. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 0

      It's not Windows' fault for him disabling System Restore. Even failing that, why not "refresh" his computer? Seems easy enough. It's just a few clicks into the recovery center, or boot into his install media or recovery partition and be back up in a little bit.

    36. Re: So who decrypts your files for you? by Ol Olsoc · · Score: 1

      It's not Windows' fault for him disabling System Restore.

      Yeah, yeah, nothing is ever Windows' fault. What has been done to you that you would have the ridiculous reaction that Windows can fuck up your computer, and it is your fault?

      There is something so fundamentally wrong with what a fucked up system Windows is, and the willingness of its users to put up with them screwing up their computers.

      I think that Windows 10 should be renamed Windows Stockholm Syndrome Edition.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  2. so much for the walled garden by Anonymous Coward · · Score: 0, Troll

    I thought certs were going to protect us from this mess. It is nice that Apple yanked this cert, but what is to stop another cert from being bought and used to do the same damn thing?

    1. Re: so much for the walled garden by Anonymous Coward · · Score: 0

      It looks like the Cert was stolen from a Turkish paint company, who had a customer loyalty App.

    2. Re:so much for the walled garden by rsborg · · Score: 4, Insightful

      I thought certs were going to protect us from this mess. It is nice that Apple yanked this cert, but what is to stop another cert from being bought and used to do the same damn thing?

      Nothing. However, what's good to know is that I no longer have to worry about this one - and the turnaround was pretty quick. Assuming Apple can keep up with any threats like this (it's not like they don't have enough money to justify it), it's just like doing a regular bit of weeding in your garden.

      --
      Make sure everyone's vote counts: Verified Voting
    3. Re:so much for the walled garden by gnasher719 · · Score: 2

      I thought certs were going to protect us from this mess. It is nice that Apple yanked this cert, but what is to stop another cert from being bought and used to do the same damn thing?

      Apple revoked the cert, and now the threat is gone. So the fact that the software was signed protected you.

      You can't buy these certificates. You have to get one from Apple, who will hopefully check out the company. In this case the company that Apple checked was careless and I hope they'll pay the price for that.

    4. Re:so much for the walled garden by Anonymous Coward · · Score: 2, Insightful

      Then you are a trusting idiot.

      Certs don't protect you from malware, they just make it so the spread of malware can be more easily contained when detected (as shown here, the cert can be revoked and the app itself added to the big list o' malware), and give the user the best chance to avoid malware by showing you who wrote the thing you're downloading.

      Apple could potentially protect against ransomware by writing the OS to refuse apps access to files outside their own little corner of the drive (I think iOS does this); then the app could only hold its own data hostage. But in this case that'd probably work somewhat well anyway as the ransomware was packaged with a file sharing program. But that'd come with some negative usability constraints for apps in general.

    5. Re:so much for the walled garden by Anonymous Coward · · Score: 0, Troll

      Agreed, and it's one of the major reasons I switched from Microsoft Windows. There are far, far fewer attack vectors with Apple because it's basically Unix underneath and they have a paywall for developer certs. And when there is a problem you don't have to have your systems exposed to attack until Patch Tuesday rolls around (that's if Microsoft ever releases one).

      Kudos to Apple, 24 hours and poof, the problem was mitigated. Microsoft should adopt the same model, but it would require a herculean effort to get their products up to the same standard of quality.

    6. Re:so much for the walled garden by Noah Haders · · Score: 5, Informative

      Take a look at System Integrity Protection in the newest version of OS X. It doesn't limit an app to its app corner, but it definitely limits it to userspace. A description from Ars (full page here:

      System Integrity Protection does this by severing the automatic kernel-level blessing given to root’s commands. The end result is that in El Cap, root is no longer an account with effectively unlimited access to either the file system or to memory and running processes. SIP places kernel-level checks on root’s privilege that can (in theory, at least, until proven otherwise by an intrepid security researcher) only be bypassed by the kernel itself. SIP’s intention is to keep the operating system’s state—both on disk and in memory at runtime—as it was installed by Apple.

      This is a pretty big change from how Unix-like operating systems are "supposed" to work, though it’s not without precedent (Ars IT Editor Sean Gallagher told us that SIP sounds a bit like Trusted Solaris, and this Quora thread has some details on the history of similar "rootless" privilege escalation schemes). Rather than adding yet another superuser account, SIP provides the concept of an additional file system and process flag, and file system objects and in-memory processes so flagged cannot be altered by processes not signed with Apple’s own code signing key.

      There’s more, too—the file system protections are only the start. SIP consists of four major features:

      Protected locations cannot be written to by root.
      Protected system processes cannot be attached to with a debugger and cannot be subject to code injection.
      All kernel extensions must now be signed (and old methods for disabling kernel extension signing are gone).
      SIP cannot be disabled from within the operating system, only from the OS X Recovery partition.

    7. Re: so much for the walled garden by Karlt1 · · Score: 1

      Apple does that now with programs that use the Mac App Store. It would be nice if it worked with apps outside of the store.

    8. Re: so much for the walled garden by Wintermute__ · · Score: 1

      "stolen" uh huh.

    9. Re:so much for the walled garden by ComputerGeek01 · · Score: 5, Interesting

      Microsoft should adopt the same model, but it would require a herculean effort to get their products up to the same standard of quality.

      What, you mean authenticating applications based on a central certification authority? Kind of like what this does: https://msdn.microsoft.com/en-... . Or maybe you mean not allowing the installation of any applications that don't possess a preapproved certificate, in THAT case what you want is this feature over here: https://msdn.microsoft.com/en-... . God forbid you would have to learn how to manage your own certificate chains, after all the documentation is so difficult to find: https://msdn.microsoft.com/en-... . The only thing missing is the paywall, which isn't really missing since you can pay for a third party authority to verify your certificate. But as we can see by the premise of this article that isn't actually a deterrent, is it?

      The difference between Microsoft and Apple is the same as it has always been. Apple forces you to follow their policies, Microsoft forces you to live with the consequences of the policies you wrote yourself.

    10. Re:so much for the walled garden by Anonymous Coward · · Score: 0

      No, what certs were going to (and do) get you is the ability to identify who distributed the software, and to blacklist them from distributing more.

    11. Re:so much for the walled garden by Anonymous Coward · · Score: 2, Insightful

      All very nice, I'm sure, but completely irrelevant. Ransomware is such a danger because it doesn't need to break any security or get elevated permissions, just attack the files to which the user has legitimate access.

    12. Re: so much for the walled garden by Anonymous Coward · · Score: 0

      It looks like the Cert was stolen from a Turkish paint company, who had a customer loyalty App.

      One mole whacked.
      Film at Eleven.

    13. Re:so much for the walled garden by tlhIngan · · Score: 1

      You can't buy these certificates. You have to get one from Apple, who will hopefully check out the company. In this case the company that Apple checked was careless and I hope they'll pay the price for that.

      Apple doesn't check out the company. They shouldn't - after all, Apple should not be censoring programs on OS X as a general purpose PC. What buying a certificate does is validate the payment chain - in order to bill a credit card, you now have the billing address and name of the owner. Presumably the credit card issuer has been able to verify it as a legitimate mailing address (since the card was sent there), etc.

      Basically, paying the money means that Apple now has a legitimate address and a way of identifying the developer. In addition, while $99 is not a lot of money, it's still money you hope not to pay again, so when a certificate is cancelled, the developer now has to pony up ANOTHER $99 to pay for a new one. Which is incentive to protect it.

    14. Re:so much for the walled garden by idontgno · · Score: 2

      Well, the $99 is a small barrier to entry. Considering Cryptowall has garnered nearly a third of a billion dollars, there is probably some good money to be had if an enterprising blackhat can get a working ransomware trojan running on OSX long enough to do the trick. More than enough to justify several $99 developer registrations.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    15. Re:so much for the walled garden by Anonymous Coward · · Score: 0

      Oh, so when Microsoft puts DRM on the video/audio stack to stop prying fingers it's the end of the world but when Apple does the same thing to their entire OS then it's a gift from god?

      Typical ABM ignorant rubbish.

    16. Re:so much for the walled garden by Anonymous Coward · · Score: 0

      I'm sure Apple would notice the huge increase in certificate requests.

    17. Re:so much for the walled garden by Anonymous Coward · · Score: 0

      You can't be that dense. One thing is about protecting the user. The other thing is about protecting Hollywood's profits.

      I'll let you try to guess which is which but I suspect you don't have the mental horsepower to do so.

  3. Dup by manu0601 · · Score: 0, Offtopic

    Aren't Slashdot editors supposed to read Slashdot? We already saw that story earlier today.

    1. Re:Dup by whipslash · · Score: 2

      This is a follow up story that Apple actually shut it down.

    2. Re: Dup by Anonymous Coward · · Score: 0

      No, the earlier article was about the ransomware.

      This article is about Apple mitigating the ransomware & the resolution.

      Completely different.

      Oh, you mean that all this occurred in the same 32 hour window before the original story broke? Well that's not as interesting now, is it?

    3. Re:Dup by manu0601 · · Score: 1

      Original Slashdot story linked to CNBC article, that said:

      An Apple representative said the company had taken steps over the weekend to prevent attacks by revoking a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs.

      What new information do we have?

  4. Apple can't have any one cutting in to their b by mmiscool · · Score: 0, Troll

    Apple can't have any one else cutting in to their business.

  5. how did Apple shut them down by Anonymous Coward · · Score: 0

    The article seems to have said nothing.

    1. Re:how did Apple shut them down by UnknowingFool · · Score: 4, Informative

      The cert used has been revoked. Without a working cert, no one can install the app so no new infections. Currently infected customers are another matter.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  6. Re:That make anyone else nervous? by topologist · · Score: 2

    You do realize that you can disable System Integrity Protection, the thing that stops you removing your kernel, C library and such?

  7. Congratulations Mac by Anonymous Coward · · Score: 1, Funny

    Congratulations Mac, you finally have a large enough installed base that malware developers are starting to support your platform. Maybe someday game developers will support it as well.

    1. Re:Congratulations Mac by Sir+Holo · · Score: 2

      Congratulations Mac, you finally have a large enough installed base that malware developers are starting to support your platform. Maybe someday game developers will support it as well.

      Seriously. If code is well-written, with portability in mind, then there is absolutely no reason for games to not come on Mac at release.

      And yes they are written to be portable: PlayStation, Windows 7 or 8 or 10, Linux, X-Box. FFS, if a game is ported to Linux, then it should be trivial to slap together an interface for Mac OS X. It's based on the BSD flavor of UNIX.

    2. Re:Congratulations Mac by Anonymous Coward · · Score: 0

      If code is well-written, with portability in mind, then there is absolutely no reason for games to not come on Mac at release.

      Well, one reason may be that Macs suck for gaming. Yes, all of them, even the $6000 Pros.

    3. Re:Congratulations Mac by Anonymous Coward · · Score: 0

      Congratulations Mac, you finally have a large enough installed base that malware developers are starting to support your platform. Maybe someday game developers will support it as well.

      The hardware isn't exactly fantastic for gaming but there are a lot of games that support OSX on Steam. A third of my Steam library runs on OSX and that includes games like Bioshock, XCOM: Enemy Unknown, Counter-strike, ARMA 3, Metro, and so on...

  8. Gatekeeper is the real problem by Anonymous Coward · · Score: 1

    Gatekeeper is the real problem. It only checks the certificate on the first app in a package, then lets any other app, legit or malware, through without checking. Bundle in malware and it gets right through. Apple only blocks the certificate the developer of Transmission was using. So, all they are doing is blocking the first app's certificate, Transmission. That's just a band-aid patch on the real problem, Gatekeeper itself. All that has to be done is to repackage the same malware with the new app, or some other app, and it will happen again.

    1. Re:Gatekeeper is the real problem by AHuxley · · Score: 1

      Re AC and the "All that has to be done is to repackage the same malware with the new app, or some other app, and it will happen again." issue.
      That is the problem. All that can be done by most protective offerings is to look at past reported issues and get that detail out to all users.
      Actual understanding of what is being run, and what other code an application could download and then alter, is still a missing step in real time.
      If the application is not reported, it will pass as clean and can run, and so can other included code that's along for the ride.
      Patrick Wardle of Synack had a good video on what could be done for OS X to offer more protection. https://www.youtube.com/watch?...

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re: Gatekeeper is the real problem by Anonymous Coward · · Score: 0

      Only the first app in the package gets run when you launch the application. (Unless, of course, the main application launches another process.)

  9. Find them. Kill Them. by Anonymous Coward · · Score: 0

    Apple, Microsoft, etc. should fund a hit squad to find people like this and quietly dispose of them.

    1. Re:Find them. Kill Them. by Anonymous Coward · · Score: 1

      You're too late.
      A bounty has already been posted, and ironically,
      will be paid in bitcoin once evidence is accepted.
      Too bad it didn't go through KickStarter.

  10. Apple shuts down blah blah malware? by Anonymous Coward · · Score: 0

    The way I see it, they tweaked their walled garden a bit to protect against THIS specific strain of the ransomware.

    Hardly impressive. Hardly news.

    What WILL be interesting - in a depressing kind of way - is when this sort of attack begins hitting Apple computers more frequently. I'd like to know if Apple is prepared to deal with that, and how (other than telling their customers "Wipe disk, restore backup").

  11. Re: I thought Macs were secure? by Anonymous Coward · · Score: 1

    They were.

    It's really Apple just playing catch up. I mean this was their first instance of ransomware, and Windows has had it for how long?

    Apple copy catting again.

    And they couldn't help themselves and got all control freaky, shutting it down with their mind control rays. None of this letting ransomware fester in the wild for years.

    FFS, it was a viable commercial malware product, that had its ROI shut down inside 32 hours of its release into the wild. That's great cooperation between Palo Alto, Apple & the Transmission project.

    Do you really think it paid off for the malware authors in that time, and they are simply laughing all the way to the bank?

  12. Re:That make anyone else nervous? by Aaden42 · · Score: 5, Informative

    The difference is that all of the XProtect & related functionality can be disabled. It’s not easy to disable it (easy in the sense you’d stumble on it accidentally), and your average parent / grandparent user of Mac OS would never figure out how to disable it. Which is good, because they have no clue of the implications of doing so.

    If, as a trained and knowledgeable IT professional, you want to run completely unprotected, you set some kernel flags in your EFI, and reboot. Execute whatever you like, overwrite anything on the drive as root, no questions asked. That’s probably not a great idea as the vast majority of the time those features protect even seasoned (or is that salty) professionals from shooting themselves in the foot. But if you really want to run something Apple has determined to be dangerous, you can still do it.

    My opinion of Apple would fall sharply if they ever removed the disable options on their desktop OS. So long as that option is there, having it default to ON is the right option for the vast majority of users.

  13. Nope by Imazalil · · Score: 2

    This incident had nothing to do with what you describe, and was stopped because the offending certificate got yanked and blocked by Apple, so in this instance Gatekeeper worked exactly as it should.

    What you're talking about is a problem, no question 'bout that, just not this time.

  14. Wouldn't it be great if.... by supremebob · · Score: 1

    Software developers invested this much effort in finding legitimate uses for Bitcoin? Crapware like this only helps to reinforce the notion that Bitcoin is only used by the criminal underground.

    1. Re:Wouldn't it be great if.... by geekmux · · Score: 3, Insightful

      Software developers invested this much effort in finding legitimate uses for Bitcoin? Crapware like this only helps to reinforce the notion that Bitcoin is only used by the criminal underground.

      Well, actually it reinforces the purpose of anonymous transactions.

      Let's not sit here and pretend that cash transactions (a.k.a. the other side of the coin) are somehow not heavily relied upon within the criminal community, and for the exact same reasons that bitcoin is.

      Criminal activity will be a side effect of anonymous transactions no matter the medium. What should concern us more is when anonymous transactions are made 100% illegal, even for legitimate privacy reasons.

    2. Re:Wouldn't it be great if.... by Anonymous Coward · · Score: 0

      Cash is local. Notes can be traced in the mail. bitcoin and chums were designed to hide transactions. It also works globally, allowing little mafia org in Whoknowswhereville to conduct a global program of ransomware from the comfort of their cash laundering tea shop via VPNs and TOR - something you can't do with regular currency.

    3. Re:Wouldn't it be great if.... by houghi · · Score: 1

      And for those that think this can only happen because of bitcoin: this happened in the past as well. People were asked to transfer money to Nigeria.

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:Wouldn't it be great if.... by geekmux · · Score: 1

      Cash is local. Notes can be traced in the mail. bitcoin and chums were designed to hide transactions. It also works globally, allowing little mafia org in Whoknowswhereville to conduct a global program of ransomware from the comfort of their cash laundering tea shop via VPNs and TOR - something you can't do with regular currency.

      Regular currency is also shipped around the globe to be laundered.

      As far as making even electronic transactions rather untraceable, seems many a US Company has done a damn good job of doing exactly that when it comes to paying taxes through offshore holdings. Microsoft and many other companies don't funnel billions through Ireland because they love the scenery.

      And ironically, we can label even that loophole activity as a form of ransomware, since they're holding taxpayers accountable for their tax shortfalls while the government refuses to do anything about it.

  15. How do you proceed if you've been infected? by nyquil+superstar · · Score: 4, Interesting

    So if you've already been infected and locked, this seems like it would shut down any avenue of unlocking your files. Maybe there aren't already people actively locked, but this seems like it would be a problem. Anyone know any more?

    1. Re:How do you proceed if you've been infected? by Drizzt+Do'Urden · · Score: 1

      The malware was bundled on the 4th and was waiting 3 days before it started encrypting files (which would be today). The executable was disabled during the weekend.

    2. Re:How do you proceed if you've been infected? by Lisias · · Score: 1

      I don't know if this is the "best" option, but I would withdraw the hard disk from the machine and mount it on a clean machine to check for damage and do the salvage.

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
  16. Re:Apple can't have any any one cutting in to ther by Anonymous Coward · · Score: 0

    Apple can't have any one else cutting in to there business.

    Where business? Your post doesn't make a damn bit of sense.

  17. Re: Apple can't have any any one cutting in to th by Anonymous Coward · · Score: 0

    They celebrate ignorance.

  18. Apple should be sued by Grishnakh · · Score: 4, Funny

    Apple is depriving these software writers of their rightful revenue, and hopefully they'll be sued for it, and better yet a law passed banning this kind of practice. This is no different than ad-blocking and script-blocking software, which prevents upstanding advertisers from running JavaScript software on peoples' computers and rightfully earning revenue from it.

  19. Mac OS X does *not* have a walled garden by perpenso · · Score: 4, Informative

    Mac OS X does *not* have a walled garden. A user is free to install any app downloaded from the internet. Mac OS X will warn them and ask if they really want to do this and then proceed as the user says.

    1. Re:Mac OS X does *not* have a walled garden by Ol+Olsoc · · Score: 1

      Mac OS X does *not* have a walled garden. A user is free to install any app downloaded from the internet. Mac OS X will warn them and ask if they really want to do this and then proceed as the user says.

      Hey! Stop screwing with hater's memes. I've got dozens of non app store programs on mine.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:Mac OS X does *not* have a walled garden by Anonymous Coward · · Score: 0

      As long as the user doesn't want to install the program to a place like /usr/local/bin ..

    3. Re: Mac OS X does *not* have a walled garden by Anonymous Coward · · Score: 0

      Hmm? /usr/local/bin/ is one of the locations third parties are allowed to write to.

    4. Re:Mac OS X does *not* have a walled garden by Anonymous Coward · · Score: 0

      Mac OS X does *not* have a walled garden. A user is free to install any app downloaded from the internet. Mac OS X will warn them and ask if they really want to do this and then proceed as the user says.

      You say this but I don't think you have actually experienced the "process" that you go through to run an unsigned program that you have downloaded from the net.
      There are three settings:
      "Allow apps downloaded from:"
      - Mac App Store (default)
      - Mac App Store and identified developers
      - Anywhere
      There is supposed to be a way to run apps from anywhere without having to set the system wide preference to "anywhere" but it does not seem to work as intended.
      (source: Looking at the OSX system preferences window and previous experience in getting my opensource password program to work under OSX)

    5. Re:Mac OS X does *not* have a walled garden by Guy+Harris · · Score: 1

      Mac OS X does *not* have a walled garden. A user is free to install any app downloaded from the internet. Mac OS X will warn them and ask if they really want to do this and then proceed as the user says.

      You say this but I don't think you have actually experienced the "process" that you go through to run an unsigned program that you have downloaded from the net.

      I.e., control-click, select Open, and then say "yes, I know it's unsigned, I want to run it anyway" when asked, the first time you launch it?

  20. Re:That make anyone else nervous? by Guy+Harris · · Score: 1

    They've already started by making it so that even root is blocked from editing files in locations such as /etc, /usr, and /bin, and blocks root from removing "important system apps" like iTunes and Photos (both of which have third party competitors).

    Do they also prevent you from installing those competitors and prevent the competitors from registering to handle the file types handled by default by iTunes and Photos?

  21. I know how to nail these guys by Applehu+Akbar · · Score: 1

    Apple would decompile the code for the malware and file a patent on it. Then dispatch the FBI to stake out the courthouse in Tyler, TX until the malware writers file a troll suit.

  22. That was fast by Sir+Holo · · Score: 3, Interesting

    Well, that was fast. One day.

    Sure, it's not a system patch but a certificate revocation, but still a responsibly swift resolution.

    BTW, it was a malware Trojan, likely a double-Trojan, injected between the unwitting developer and the unwitting downloader, using the compromised certificate. Whether in transit if http downloaded, or by some other exploit, I dunno. Those more expert than me can answer that one.

    It was not a virus. It was a Trojan inserted by a third party. I understand that it (probably) affected Linux and Windows as well. Please, everyone, just use proper terminology. It aids discussion.

    1. Re:That was fast by Anonymous Coward · · Score: 0

      It was not a virus. It was a Trojan inserted by a third party. I understand that it (probably) affected Linux and Windows as well. Please, everyone, just use proper terminology. It aids discussion.

      Funnily enough, you are the only one in this entire thread (until now) mentioning the word "virus" at all.

      And please, everyone, don't call this trojan a Disk Drumpfer. It is not the proper terminology and does not aid discussion in any way.

  23. Just Prototype Testing by Anonymous Coward · · Score: 0

    The real version is coming, and to Timmy.

    Ha ha haa hah hah ha hah ha hWeee hahah hahh ahh Eeee

  24. Since when is Bitcoin "hard to trace?" by Anonymous Coward · · Score: 1

    Bitcoin is neither anonymous nor hard to trace. How long must we put up with this shitty reporting of disinformative nonsense?

    1. Re:Since when is Bitcoin "hard to trace?" by Anonymous Coward · · Score: 0

      If so, why hasn't the FBI apprehended these criminals (Cryptolocked especially)?
      Bitcoin in and of itself isn't anonymous, but you can use tumblers to launder the funds.

  25. I found a link to see it in action by Anonymous Coward · · Score: 0

    At https://m.youtube.com/watch?v=dQw4w9WgXcQ

  26. Aghast by PopeRatzo · · Score: 3, Funny

    I live in fear that some ransomware is going to encrypt my collection of ASCII porn, so I've been printing it out little by little on my Okidata 320. The good news is that I'm protected from ransomware, but the bad news is my house is now a serious fire hazard. Stacks of paper everywhere.

    --
    You are welcome on my lawn.
    1. Re:Aghast by Sir+Holo · · Score: 1

      I live in fear that some ransomware is going to encrypt my collection of ASCII porn, so I've been printing it out little by little on my Okidata 320. The good news is that I'm protected from ransomware, but the bad news is my house is now a serious fire hazard. Stacks of paper everywhere.

      Don't worry too much. Neat stacks of paper are no more of a fire hazard than are wooden supports or furniture. Tightly-stacked paper does not burn well, which is why we have historical documents from many great minds, even though their will stated "burn all of my notes at death."

      It's messy piles of crumpled paper, mixed in with pizza boxes (+ cheese), empty Cheetos bags, and semi-empty whiskey bottles that is the real fire hazard.

    2. Re:Aghast by Scoldog · · Score: 2

      Just wait until you see "lp0 on fire" on your greenscreen CRT terminal

      --
      This space for rent
    3. Re:Aghast by PopeRatzo · · Score: 1

      It's messy piles of crumpled paper, mixed in with pizza boxes (+ cheese), empty Cheetos bags, and semi-empty whiskey bottles that is the real fire hazard.

      Now you tell me.

      --
      You are welcome on my lawn.
  27. Re:That make anyone else nervous? by PhunkySchtuff · · Score: 1

    XProtect isn't the same as rootless.
    You're right, to disable rootless (which protects a bunch of system files from being modified/deleted, even as root) you can do this.

    XProtect is a signature-based anti-malware system - Apple pushes out silent updates to the signature definitions on a regular basis, but XProtect doesn't save you from shooting yourself in the foot when running as root.

  28. Ransomware canary by GlobalEcho · · Score: 4, Informative

    I wonder how useful it would be to keep a "Ransomware canary" around. I'm thinking of, say, a Word .doc file on a network drive. A process on some separate computer then checks its entropy every few minutes to make sure it has not grown huge.

    The idea fails for local files because (as I recall) the more sophisticated ransomware inserts itself as a filesystem driver.
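    One way to build the canary check described above, as an added example that is not the poster's code: record a baseline digest and entropy for a decoy document when it is deployed, then on each poll classify the file as untouched, edited, encrypted or missing. The 7.0 bits-per-byte alarm threshold, the sample document and the SHA-256 counter keystream used to simulate what ransomware does to a file are all constructed for the demo; the keystream is a stand-in, not a real cipher.

```python
import hashlib
import math
from collections import Counter
from typing import Optional

# Constructed sample "document": low-entropy ASCII standing in for a Word file.
SAMPLE_DOC = (b"Quarterly report. Revenue grew modestly; costs were flat. "
              b"See the appendix for figures.\r\n") * 60

# Assumed alarm threshold in bits per byte. Plain documents sit far below it;
# ciphertext and compressed data approach 8.0.
ENTROPY_ALARM = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    """Baseline recorded when the canary is deployed: size, digest and entropy."""
    return {"size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "entropy": shannon_entropy(data)}


def check_canary(baseline: dict, current: Optional[bytes]) -> str:
    """Classify the canary relative to its baseline.

    'missing'   - file gone (deleted, or renamed to a new extension)
    'ok'        - byte-identical to the baseline
    'encrypted' - contents changed and now look like ciphertext
    'modified'  - contents changed but still low entropy (probably a benign edit)
    """
    if current is None:
        return "missing"
    if hashlib.sha256(current).hexdigest() == baseline["sha256"]:
        return "ok"
    if shannon_entropy(current) >= ENTROPY_ALARM:
        return "encrypted"
    return "modified"


def read_canary(path: str) -> Optional[bytes]:
    """Read the canary from the share; None if it has vanished."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None


def simulate_encryption(data: bytes, key: bytes = b"constructed-demo-key") -> bytes:
    """Deterministic stand-in for a ransomware pass over a file: XOR with a
    SHA-256 counter keystream. Demo only, not a real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_demo() -> dict:
    """Exercise the four outcomes against the constructed document."""
    base = fingerprint(SAMPLE_DOC)
    return {
        "untouched": check_canary(base, SAMPLE_DOC),
        "edited": check_canary(base, SAMPLE_DOC + b"Added a line.\r\n"),
        "encrypted": check_canary(base, simulate_encryption(SAMPLE_DOC)),
        "missing": check_canary(base, None),
    }


if __name__ == "__main__":
    for name, state in run_demo().items():
        print(f"{name:10s} -> {state}")
```

    In deployment the monitoring host polls `read_canary(path)` on the network share instead of `SAMPLE_DOC`, and 'missing' should raise the same alert as 'encrypted', since many families rename files as they encrypt them. Hashing first means a benign edit by a colleague is reported separately from a high-entropy rewrite.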

    1. Re:Ransomware canary by sociocapitalist · · Score: 1

      I wonder how useful it would be to keep a "Ransomware canary" around. I'm thinking of, say, a Word .doc file on a network drive. A process on some separate computer then checks its entropy every few minutes to make sure it has not grown huge.

      The idea fails for local files because (as I recall) the more sophisticated ransomware inserts itself as a filesystem driver.

      Or tripwire which I think should protect very well against cryptolocker type attacks:
      http://hints.macworld.com/arti...

      --
      blindly antisocialist = antisocial
  29. Re:That make anyone else nervous? by MachineShedFred · · Score: 4, Informative

    XProtect does one other thing that is very welcome in most circumstances as well - expiring old versions of browser plug-ins like Java and Flash, which are known to have massive gaping security holes in them.

    And, again, if this gets in the way of a proper administrator who is saddled with some ancient piece of shit that requires some ancient plug-in, it can be disabled on a per-plug-in level.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  30. Re:That make anyone else nervous? by Anonymous Coward · · Score: 0

    Do they also prevent you from installing those competitors and prevent the competitors from registering to handle the file types handled by default by iTunes and Photos?

    Yes. Not file types, but there are certain behaviors that will always activate iTunes and Photos and there's no way to change them.

    Plug an iDevice in, iTunes will always launch. Plug in a set of earbuds that have a "play" button on them, and that Play button will always launch iTunes. Plug in a camera or connect anything OS X considers camera storage (basically anything that's FAT with DCIM on it) and that will always launch Photos.

    There is no way to permanently change this behavior, to the point where the recommended method of using a third party photo suite was to "sudo rm -rf /Applications/Photos.app" - which you can't do any more. (The recommended method of dealing with iTunes was to use Automator to create a .app that did nothing and replace iTunes with that. Can't do that anymore, either.)

    The key word in what I just said was "permanently" because I'm sure someone will pop up and explain how you can change the default for a single device. There's no way to change it for ALL devices or for devices OS X constantly mistakes as being different. And there's absolutely no way to prevent Play from launching iTunes.

    And, of course, the key is "for now." Given the direction Apple is going, it wouldn't be surprising in the slightest if they started blocking apps not downloaded through the App Store. Like, say, Firefox, or any of the various UNIX toolchains compiled for OS X that are available.

  31. Precisely why I jumped ship from Windows to Mac by AnalogDiehard · · Score: 5, Interesting

    Microsoft bows to Hollywood and the Feds while dragging its heels while users suffer from malware.

    Apple tells the Feds to take a hike and focuses its resource to kill a nasty ransomware within a day.

    Go Apple!

    --
    Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
    1. Re:Precisely why I jumped ship from Windows to Mac by Anonymous Coward · · Score: 0

      Yeah...sure...
      If you believe that, have a bridge to sell you. They don't give a shit about you.

    2. Re:Precisely why I jumped ship from Windows to Mac by Anonymous Coward · · Score: 0

      Apple's board have already announced they are expecting a huge downturn in selling their products - especially the so-called Macs. The corporation is desperate to generate some them-vs-us mentality again; and they're using the terrorist protection ruse (very risky) to gain the "us" crowd once more. Something they enjoyed when Microsoft started to become a behemoth.

  32. Re:That make anyone else nervous? by KGIII · · Score: 1

    What you have just said is tantamount to saying this:

    "I'm not smart enough to figure it out and if I was then the first thing I'd do is shoot myself in the foot because I want to be the boss of me. You're not the boss of me!"

    You *can* (fairly easily) do each and every thing you're complaining that you can't do. It's not even difficult. That you don't know how to is a good indicator that you're unqualified to do so. However, if you want to do so then you can - it just means that you're an idiot. It is not complicated - I know how to do it (at least I know the process) and I'm not even an OS X user.

    Sure, it is a fine sentiment to want to be in control. And you can be. You're just not qualified to be. We can tell you're not qualified to be. If you were, you'd know how to do this.

    --
    "So long and thanks for all the fish."
  33. Re:That make anyone else nervous? by Guy+Harris · · Score: 1

    There is no way to permanently change this behavior, to the point where the recommended method of using a third party photo suite was to "sudo rm -rf /Applications/Photos.app" - which you can't do any more.

    ...unless you turn off System Integrity Protection.

  34. Re:That make anyone else nervous? by Anonymous Coward · · Score: 0

    Plug an iDevice in, iTunes will always launch. Plug in a set of earbuds that have a "play" button on them, and that Play button will always launch iTunes. Plug in a camera or connect anything OS X considers camera storage (basically anything that's FAT with DSIM on it) and that will always launch Photos.

    There is no way to permanently change this behavior

    Unless you uncheck the "Always open when connected" box in iTunes and Photos. Of course, you'd have to not be retarded first, so good luck with that.

  35. Finally by danbob999 · · Score: 0

    I'm glad they finally got rid of iTunes... oh wait...

  36. Re:That make anyone else nervous? by Anonymous Coward · · Score: 0

    Unless you uncheck the "Always open when connected" box in iTunes and Photos. Of course, you'd have to not be retarded first, so good luck with that.

    Yeah, that checkbox doesn't exist. Nice try.

    There's absolutely no way to disable them, permanently, from ever launching. It cannot be done. Believe me, I've looked.

  37. Re:That make anyone else nervous? by kevmeister · · Score: 1

    This capability is not one Apple came up with. It has long been a capability of FreeBSD and probably other BSD systems. It can be overridden if you know what you are doing, but it is an added safety belt to save you from yourself.

    --
    Kevin Oberman, Network Engineer, Retired
  38. Re: That make anyone else nervous? by Anonymous Coward · · Score: 0

    You can definitely turn off all that auto-launch-on-iDevice-plugin stuff.