Slashdot Mirror


Apple Has Shut Down the First Fully-Functional Mac OS X Ransomware (techcrunch.com)

An anonymous reader writes: Apple has shut down what appears to have been the first fully-functional ransomware targeting Mac computers. This particular form of cyber threat involves malware that encrypts the data on your personal computer so you can no longer access it. Afterwards, the hackers request that you pay them in a hard-to-trace digital currency — in this case, bitcoin — in order for you to retrieve your files. This ransomware, called KeRanger, was first reported by researchers at Palo Alto Networks. They also noted that Apple has now revoked the abused certificate that was used in the attack and updated its built-in anti-malware system XProtect with a new signature to protect customers.

11 of 124 comments

  1. Re:So who decrypts your files for you? by __aaclcg7560 · · Score: 4, Informative

    You wipe your hard drive and restore from a backup.

  2. Re: So who decrypts your files for you? by rworne · · Score: 4, Informative

    This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.

    --
    I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  3. Re:That make anyone else nervous? by Aaden42 · · Score: 5, Informative

    The difference is that all of the XProtect & related functionality can be disabled. It’s not easy to disable it (easy in the sense you’d stumble on it accidentally), and your average parent / grandparent user of Mac OS would never figure out how to disable it. Which is good, because they have no clue of the implications of doing so.

    If, as a trained and knowledgeable IT professional, you want to run completely unprotected, you set some kernel flags in your EFI and reboot. Execute whatever you like, overwrite anything on the drive as root, no questions asked. That’s probably not a great idea, as the vast majority of the time those features protect even seasoned (or is that salty) professionals from shooting themselves in the foot. But if you really want to run something Apple has determined to be dangerous, you can still do it.

    My opinion of Apple would fall sharply if they ever removed the disable options on their desktop OS. So long as that option is there, having it default to ON is the right option for the vast majority of users.

  4. Re:so much for the walled garden by Noah+Haders · · Score: 5, Informative

    Take a look at System Integrity Protection in the newest version of OS X. It doesn't limit an app to its app corner, but it definitely limits it to userspace. A description from Ars (full page here:

    System Integrity Protection does this by severing the automatic kernel-level blessing given to root’s commands. The end result is that in El Cap, root is no longer an account with effectively unlimited access to either the file system or to memory and running processes. SIP places kernel-level checks on root’s privilege that can (in theory, at least, until proven otherwise by an intrepid security researcher) only be bypassed by the kernel itself. SIP’s intention is to keep the operating system’s state—both on disk and in memory at runtime—as it was installed by Apple.

    This is a pretty big change from how Unix-like operating systems are "supposed" to work, though it’s not without precedent (Ars IT Editor Sean Gallagher told us that SIP sounds a bit like Trusted Solaris, and this Quora thread has some details on the history of similar "rootless" privilege escalation schemes). Rather than adding yet another superuser account, SIP provides the concept of an additional file system and process flag, and file system objects and in-memory processes so flagged cannot be altered by processes not signed with Apple’s own code signing key.

    There’s more, too—the file system protections are only the start. SIP consists of four major features:

            Protected locations cannot be written to by root.
            Protected system processes cannot be attached to with a debugger and cannot be subject to code injection.
            All kernel extensions must now be signed (and old methods for disabling kernel extension signing are gone).
            SIP cannot be disabled from within the operating system, only from the OS X Recovery partition.

  5. Re:how did Apple shut them down by UnknowingFool · · Score: 4, Informative

    The cert used has been revoked. Without a working cert, no one can install the app so no new infections. Currently infected customers are another matter.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  6. Re: So who decrypts your files for you? by spire3661 · · Score: 4, Informative

    It's not a backup if it's write-accessible to the originating machine. Backups are stored OFFLINE or at least employ a physical/logical gap. Time Machine is more of a hot spare than a backup in this context.

    --
    Good-bye
  7. Mac OS X does *not* have a walled garden by perpenso · · Score: 4, Informative

    Mac OS X does *not* have a walled garden. A user is free to install any app downloaded from the internet. Mac OS X will warn them and ask if they really want to do this and then proceed as the user says.

  8. Ransomware canary by GlobalEcho · · Score: 4, Informative

    I wonder how useful it would be to keep a "Ransomware canary" around. I'm thinking of, say, a Word .doc file on a network drive. A process on some separate computer then checks its entropy every few minutes to make sure it has not grown huge.

    The idea fails for local files because (as I recall) the more sophisticated ransomware inserts itself as a filesystem driver.
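As an added illustration of the canary idea in this comment (example code, not the commenter's): a Python check that compares the watched file's SHA-256 digest and Shannon entropy against a known-good baseline, raising an alarm only when the file was changed into something that looks like ciphertext or has vanished. The sample document, the stand-in ciphertext and the 7.0 bits/byte threshold are constructed assumptions.

```python
"""Ransomware canary check: a known, low-entropy document is watched from a
separate machine; a digest change plus a jump in entropy is the alarm."""
import hashlib
import math
from collections import Counter

ENTROPY_ALARM = 7.0  # bits/byte (assumed); English text sits near 4.5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_canary(data: bytes, baseline_sha256: str) -> dict:
    """Compare the current canary bytes against the known-good digest.

    'modified' alone is not an alarm (a human may have edited the file);
    'alarm' is set when the change produced ciphertext-like entropy or the
    file is now empty/missing.
    """
    digest = hashlib.sha256(data).hexdigest()
    entropy = shannon_entropy(data)
    modified = digest != baseline_sha256
    return {
        "modified": modified,
        "entropy": round(entropy, 2),
        "alarm": modified and (entropy >= ENTROPY_ALARM or not data),
    }


# Constructed sample: the canary as deployed, plus a deterministic
# pseudo-random stream standing in for its encrypted version.
CANARY_TEXT = b"Quarterly budget notes. Do not edit this file. " * 40
CANARY_SHA256 = hashlib.sha256(CANARY_TEXT).hexdigest()


def fake_ciphertext(length: int) -> bytes:
    """Hash-derived bytes with ciphertext-like entropy (constructed test data)."""
    stream, counter = b"", 0
    while len(stream) < length:
        stream += hashlib.sha256(b"demo-key" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return stream[:length]


if __name__ == "__main__":
    print(check_canary(CANARY_TEXT, CANARY_SHA256))                        # no alarm
    print(check_canary(fake_ciphertext(len(CANARY_TEXT)), CANARY_SHA256))  # alarm
```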

  9. Re:That make anyone else nervous? by MachineShedFred · · Score: 4, Informative

    XProtect does one other thing that is very welcome in most circumstances as well - expiring old versions of browser plug-ins like Java and Flash, which are known to have massive gaping security holes in them.

    And, again, if this gets in the way of a proper administrator who is saddled with some ancient piece of shit that requires some ancient plug-in, it can be disabled on a per-plug-in level.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  10. Re: So who decrypts your files for you? by barc0001 · · Score: 1, Informative

    Yes, I'm sure most home Apple users take weekly backups and drop them in their safety deposit boxes. Just like they constantly update their virus scanners.

    Or they do neither of those things because Apple's marketing drum that's been beating for the last decade has been "you can't get malware and just use Time Machine to be perfectly safe!"

    I'm not saying Apple is completely at fault, but they did go out of their way to make it sound like they take care of everything.

  11. Re: So who decrypts your files for you? by sociocapitalist · · Score: 4, Informative

    It tries but fails. Time Machine backups are read-only to everyone except the backupd process (which runs as root). The malware doesn't run as admin.

    Depends on how long the encryption is happening before you realize it vs. how much space you have on your Time Machine before older backups get erased and encrypted files are stored instead.

    --
    blindly antisocialist = antisocial