Slashdot Mirror


Apple Has Shut Down the First Fully-Functional Mac OS X Ransomware (techcrunch.com)

An anonymous reader writes: Apple has shut down what appears to have been the first fully-functional ransomware targeting Mac computers. This particular form of cyber threat involves malware that encrypts the data on your personal computer so you can no longer access it. Afterwards, the hackers request that you pay them in a hard-to-trace digital currency — in this case, bitcoin — in order for you to retrieve your files. This ransomware, called KeRanger, was first reported by researchers at Palo Alto Networks. They also noted that Apple has now revoked the abused certificate that was used in the attack and updated its built-in anti-malware system XProtect with a new signature to protect customers.

19 of 124 comments

  1. Re:So who decrypts your files for you? by __aaclcg7560 · · Score: 4, Informative

    You wipe your hard drive and restore from a backup.

  2. Re:so much for the walled garden by rsborg · · Score: 4, Insightful

    I thought certs were going to protect us from this mess. It is nice that Apple yanked this cert, but what is to stop another cert from being bought and used to do the same damn thing?

    Nothing. However, what's good to know is that I no longer have to worry about this one - and the turnaround was pretty quick. Assuming Apple can keep up with any threats like this (it's not like they don't have enough money to justify it), it's just like doing a regular bit of weeding in your garden.

    --
    Make sure everyone's vote counts: Verified Voting
  3. Re: So who decrypts your files for you? by rworne · · Score: 4, Informative

    This bit of malware is reported to look for and encrypt/corrupt any Time Machine backups.

    --
    I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  4. Re:That make anyone else nervous? by Aaden42 · · Score: 5, Informative

    The difference is that all of the XProtect & related functionality can be disabled. It’s not easy to disable it (easy in the sense you’d stumble on it accidentally), and your average parent / grandparent user of Mac OS would never figure out how to disable it. Which is good, because they have no clue of the implications of doing so.

    If, as a trained and knowledgeable IT professional, you want to run completely unprotected, you set some kernel flags in your EFI and reboot. Execute whatever you like, overwrite anything on the drive as root, no questions asked. That’s probably not a great idea, as the vast majority of the time those features protect even seasoned (or is that salty) professionals from shooting themselves in the foot. But if you really want to run something Apple has determined to be dangerous, you can still do it.

    My opinion of Apple would fall sharply if they ever removed the disable options on their desktop OS. So long as that option is there, having it default to ON is the right option for the vast majority of users.

  5. Re: So who decrypts your files for you? by Anonymous Coward · · Score: 5, Funny

    They'd make more money by patenting (and then actively trolling and/or commercializing) this revolutionary technology that can encrypt off-site backups.

    Because your backups are off-site... right?

  6. Re:so much for the walled garden by Noah+Haders · · Score: 5, Informative

    Take a look at System Integrity Protection in the newest version of OS X. It doesn't limit an app to its app corner, but it definitely limits it to userspace. A description from Ars (full page here:

    System Integrity Protection does this by severing the automatic kernel-level blessing given to root’s commands. The end result is that in El Cap, root is no longer an account with effectively unlimited access to either the file system or to memory and running processes. SIP places kernel-level checks on root’s privilege that can (in theory, at least, until proven otherwise by an intrepid security researcher) only be bypassed by the kernel itself. SIP’s intention is to keep the operating system’s state—both on disk and in memory at runtime—as it was installed by Apple.

    This is a pretty big change from how Unix-like operating systems are "supposed" to work, though it’s not without precedent (Ars IT Editor Sean Gallagher told us that SIP sounds a bit like Trusted Solaris, and this Quora thread has some details on the history of similar "rootless" privilege escalation schemes). Rather than adding yet another superuser account, SIP provides the concept of an additional file system and process flag, and file system objects and in-memory processes so flagged cannot be altered by processes not signed with Apple’s own code signing key.

    There’s more, too—the file system protections are only the start. SIP consists of four major features:

            Protected locations cannot be written to by root.
            Protected system processes cannot be attached to with a debugger and cannot be subject to code injection.
            All kernel extensions must now be signed (and old methods for disabling kernel extension signing are gone).
            SIP cannot be disabled from within the operating system, only from the OS X Recovery partition.

  7. How do you proceed if you've been infected? by nyquil+superstar · · Score: 4, Interesting

    So if you've already been infected and locked, this seems like it would shut down any avenue of unlocking your files. Maybe there aren't already people actively locked, but this seems like it would be a problem. Anyone know any more?

  8. Re:how did Apple shut them down by UnknowingFool · · Score: 4, Informative

    The cert used has been revoked. Without a working cert, no one can install the app so no new infections. Currently infected customers are another matter.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  9. Apple should be sued by Grishnakh · · Score: 4, Funny

    Apple is depriving these software writers of their rightful revenue, and hopefully they'll be sued for it, and better yet a law passed banning this kind of practice. This is no different than ad-blocking and script-blocking software, which prevents upstanding advertisers from running JavaScript software on peoples' computers and rightfully earning revenue from it.

  10. Re: So who decrypts your files for you? by spire3661 · · Score: 4, Informative

    It's not a backup if it's write-accessible to the originating machine. Backups are stored OFFLINE or at least employ a physical/logical gap. Time Machine is more of a hot spare than a backup in this context.

    --
    Good-bye
  11. Mac OS X does *not* have a walled garden by perpenso · · Score: 4, Informative

    Mac OS X does *not* have a walled garden. A user is free to install any app downloaded from the internet. Mac OS X will warn them and ask if they really want to do this and then proceed as the user says.

  12. Re:so much for the walled garden by ComputerGeek01 · · Score: 5, Interesting

    Microsoft should adopt the same model, but it would require a herculean effort to get their products up to the same standard of quality.

    What, you mean authenticating applications based on a central certification authority? Kind of like what this does: https://msdn.microsoft.com/en-... . Or maybe you mean not allowing the installation of any applications that don't possess a preapproved certificate; in THAT case what you want is this feature over here: https://msdn.microsoft.com/en-... . God forbid you would have to learn how to manage your own certificate chains; after all, the documentation is so difficult to find: https://msdn.microsoft.com/en-... . The only thing missing is the paywall, which isn't really missing since you can pay for a third party authority to verify your certificate. But as we can see by the premise of this article, that isn't actually a deterrent, is it?

    The difference between Microsoft and Apple is the same as it has always been. Apple forces you to follow their policies, Microsoft forces you to live with the consequences of the policies you wrote yourself.

  13. Re: So who decrypts your files for you? by Wycliffe · · Score: 4, Interesting

    Right, because our collective mothers and grandmothers are thinking of, not to speak of capable of, doing anything other than what's already built in.

    I think there are plenty of apps that are user-friendly enough for semi-literate computer users (grandmothers or otherwise). The big problem I see holding back offsite backups is the stingy upload speeds. The FASTEST upload speed I can currently get is 512k, and it takes multiple calls to tech support to even find out what your upload speed is. The upload speed also barely changes, if at all, whether you go with the 1M package or the 10M package. Even if they just opened up the upload speed at night, this would help the average user have access to better online backups.

  14. Ransomware canary by GlobalEcho · · Score: 4, Informative

    I wonder how useful it would be to keep a "Ransomware canary" around. I'm thinking of, say, a Word .doc file on a network drive. A process on some separate computer then checks its entropy every few minutes to make sure it has not grown huge.

    The idea fails for local files because (as I recall) the more sophisticated ransomware inserts itself as a filesystem driver.

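The canary idea above, as an added example that is not code from the Slashdot thread or from any product it mentions: a decoy document is planted on a share, a baseline of its size and Shannon entropy is recorded, and a separate checker re-reads it periodically. The alarm thresholds (7.0 bits/byte, a 1-bit jump, 20% size growth), the decoy name and the sample document body are assumptions for illustration; tune the thresholds against the real canary before trusting them.

```python
"""Ransomware canary: fingerprint a decoy document and raise an alarm when it
looks encrypted, bloated or missing.

Added example, not code from the thread. The thresholds, file name and sample
document below are assumptions chosen for illustration.
"""
import math
import os
import tempfile
from collections import Counter
from typing import Optional

# Constructed sample document body (not from the page). Real office files carry
# some structure, but their entropy still sits well below that of ciphertext.
CANARY_DOC = b"Quarterly report. Revenue figures for Q1 are attached below.\n" * 40

# Assumed thresholds. Ciphertext from any decent cipher approaches 8 bits/byte;
# ordinary edits to a text document move entropy by fractions of a bit.
ENTROPY_ALARM_BITS = 7.0
MIN_ENTROPY_JUMP_BITS = 1.0
MAX_SIZE_GROWTH = 0.20  # the "grown huge" check from the comment


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> dict:
    """The two measurements compared between the baseline and each later check."""
    return {"size": len(data), "entropy": shannon_entropy(data)}


def canary_alarms(baseline: dict, current: Optional[dict]) -> list:
    """Reasons the canary looks tampered with; an empty list means healthy."""
    if current is None:
        return ["canary file is missing (deleted or renamed)"]
    alarms = []
    if (current["entropy"] >= ENTROPY_ALARM_BITS
            and current["entropy"] - baseline["entropy"] >= MIN_ENTROPY_JUMP_BITS):
        alarms.append(f"entropy rose from {baseline['entropy']:.2f} to "
                      f"{current['entropy']:.2f} bits/byte (content looks encrypted)")
    if current["size"] > baseline["size"] * (1 + MAX_SIZE_GROWTH):
        alarms.append(f"size grew from {baseline['size']} to {current['size']} bytes")
    return alarms


def check_canary_file(path: str, baseline: dict) -> list:
    """Re-read the canary from disk and evaluate it; a vanished file is itself an alarm."""
    try:
        with open(path, "rb") as f:
            current = fingerprint(f.read())
    except FileNotFoundError:
        current = None
    return canary_alarms(baseline, current)


def simulated_ciphertext(length: int) -> bytes:
    """Stand-in for real cipher output, which is statistically indistinguishable from random bytes."""
    return os.urandom(length)


def demo() -> dict:
    """Plant the canary in a temp directory and run the check against four states of the file."""
    results = {}
    with tempfile.TemporaryDirectory() as share:
        path = os.path.join(share, "Q1-report.doc")  # constructed decoy name
        with open(path, "wb") as f:
            f.write(CANARY_DOC)
        baseline = fingerprint(CANARY_DOC)

        results["healthy"] = check_canary_file(path, baseline)  # untouched: no alarms

        with open(path, "ab") as f:  # an ordinary small edit should not trip the canary
            f.write(b"Addendum: figures revised on review.\n")
        results["edited"] = check_canary_file(path, baseline)

        with open(path, "wb") as f:  # overwritten in place with ciphertext-like bytes
            f.write(simulated_ciphertext(len(CANARY_DOC) + 64))
        results["encrypted"] = check_canary_file(path, baseline)

        os.remove(path)  # decoy deleted or renamed by the malware
        results["deleted"] = check_canary_file(path, baseline)
    return results


if __name__ == "__main__":
    for state, alarms in demo().items():
        print(f"{state:>10}: {'OK' if not alarms else '; '.join(alarms)}")
```

The checker runs on a different machine than the one writing the share, so a filesystem-level driver on the victim cannot hide the change from it. Entropy is the more reliable signal: a ransomware that encrypts in place leaves the size nearly unchanged, while the size check only catches variants that append or expand the file.
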
  15. Re: So who decrypts your files for you? by romanval · · Score: 4, Interesting

    It tries but fails. Time Machine Backups are read-only to everyone except the backupd process (which runs as root). The malware doesn't run as admin.

  16. Re:That make anyone else nervous? by MachineShedFred · · Score: 4, Informative

    XProtect does one other thing that is very welcome in most circumstances as well - expiring old versions of browser plug-ins like Java and Flash, which are known to have massive gaping security holes in them.

    And, again, if this gets in the way of a proper administrator who is saddled with some ancient piece of shit that requires some ancient plug-in, it can be disabled on a per-plug-in level.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  17. Precisely why I jumped ship from Windows to Mac by AnalogDiehard · · Score: 5, Interesting

    Microsoft bows to Hollywood and the Feds while dragging its heels as users suffer from malware.

    Apple tells the Feds to take a hike and focuses its resources on killing a nasty ransomware within a day.

    Go Apple!

    --
    Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
  18. Re: So who decrypts your files for you? by BlackPignouf · · Score: 4, Funny

    No need to do anything to corrupt Time Machine backups.
    Those weird non-standard Time Machine directory hard links do a great job of messing backups already.

  19. Re: So who decrypts your files for you? by sociocapitalist · · Score: 4, Informative

    It tries but fails. Time Machine Backups are read-only to everyone except the backupd process (which runs as root). The malware doesn't run as admin.

    Depends on how long the encryption is happening before you realize it vs. how much space you have on your Time Machine before older backups get erased and encrypted files are stored instead.

    --
    blindly antisocialist = antisocial