First Mac ransomware targets Apple users

Authored by a Symantec employee


Between March 4th and 5th, 2016, Apple customers were the targets of the first Mac-focused ransomware campaign executed by cybercriminals. There have been previous reports of what is called “proof of concept,” which means that researchers have found a way to execute malware on a Mac; in those instances, however, it was not cybercriminals abusing the malware. This is the first time that cybercriminals are using this malware to execute real-life attacks.

What is Ransomware?

Ransomware is far more advanced and aggressive than ordinary malware. Ransomware will encrypt the data on your hard drive, essentially locking you out of it unless you have the key to unlock the encryption. Ransomware generally presents users with an ultimatum: pay a fee to unlock and reclaim personal data, or don’t pay the fee and lose the data indefinitely. The cybercriminals will then hold personal and professional data ‘ransom’ unless demands for payment are met within a specific period of time.

In the event that the fee is not paid, ransomware can also automatically corrupt and delete the locked files, leaving most users with little time to resolve the problem through alternate means.

How is it transmitted?

In this particular case, users were downloading a program called “Transmission for BitTorrent,” which is used for peer-to-peer file sharing using BitTorrent files. BitTorrent is usually used to illegally download media files such as movies, music, and television shows. These users downloaded a “bad” version of the installer for the software, which contained a malicious Trojan horse, known as OSX.Keranger. A Trojan horse is malicious software that can wreak havoc with data in many ways, such as deletion, ransomware, modification, copying, and stealing. Like most ransomware, OSX.Keranger will encrypt a user’s files and demand a fee (in this case, one Bitcoin, or ~$400) to release the files.

Unfortunately, once you are infected with ransomware, it’s probably already too late to save your files, as there is no guarantee that you’ll be able to retrieve them. We recommend that you don’t pay the ransom. Why fund the criminals so that they can do the same thing to someone else?

What should I do to prevent ransomware?

If you aren’t already infected, keep ransomware crime at bay by backing up your files regularly. This is one of the most important steps you can take in defending yourself against ransomware. If the cybercriminals try to encrypt your files, you’ll still have a copy, and you won’t have to feel torn between paying a ransom and possibly seeing your precious photos and documents again.

If you don’t have security software on your Mac, it’s important to think about getting protected to avoid getting hit hard by cybercriminals. Early on, Apple’s Mac OS X was a tough system for hackers to crack, and when it wasn’t a very popular platform, it just wasn’t worth it for cybercriminals, especially when there were other platforms that people were using that were easier to get into. As Apple has become more and more popular around the world, cybercriminals have found more of a reason to target these machines. We’ve seen malicious websites targeting Mac computers. Symantec security researchers have been seeing more Apple malware prototypes created, as well as the increased discovery of vulnerabilities in the operating system, over recent years. The threat landscape is a rapidly changing one, and, with more hackers targeting the platform, Apple users should be making sure that their systems have robust security software.

What does Norton do to prevent ransomware?

Norton Security Premium with Backup offers up a host of features to help protect you against ransomware:

  • Backup protection: Norton can help you get on track with regularly scheduled backups, and 25 GB of secure cloud backup space, which provides additional protection against ransomware by keeping your data safe.
  • Malware detection: Norton not only protects your precious data, it can also stop these threats (including this one) from getting onto your computer in the first place.

Tips to stay protected against ransomware:

  • Back up your files regularly! If you already have a copy of your files, the criminals have no leverage, because you have an uninfected copy of all of your data safely hidden away.
  • Update your security software. Norton updates its protections as soon as new threats are discovered, so you’ll stay secure.
  • Keep all of your software up-to-date. Software updates regularly include patches to fix security holes that criminals might have used to get into your system. This is also a vital step in protecting yourself against ransomware. By updating all software programs on your device as soon as updates become available, you’re actually patching vulnerabilities, or “holes” in the software that malware can sneak through.
  • Trash any suspicious-looking emails, especially if they contain links or attachments.
  • Be on the alert for any Microsoft Office email attachment that tells you to enable macros to be able to view the content. Unless you know and trust the source of the email, just delete it.

For more information on what to do about ransomware, see these helpful posts:

Ransomware: 5 Do’s and Don’ts
Ransomware: When Cybercriminals Hold Your Computer Hostage
