First Mac ransomware had sights on encrypting backups, too

Hackers never finished the feature, but evidence suggests they wanted to guarantee Mac owners paid the $400 ransom

ransom ware
Credit: Shutterstock

The first known working ransomware aimed at Macs contained hints that the cybercriminals were working on a way to encrypt backups in an attempt to force payment, security researchers said today.

Dubbed "KeRanger" by Palo Alto Networks, whose researchers discovered the malware on Friday, the attack code included a non-working "stub" function labeled "_encrypt_timemachine."

"We believe that they had plans to finish [the function] at some point," said Ryan Olson, director of threat intelligence, Unit 42, Palo Alto's name for its research lab. "But they went live a little earlier than they expected."

Palo Alto Networks' researchers Claud Xiao and Jin Chen identified KeRanger early Friday, just hours after it reached the wild, and finished their analysis Saturday. On Friday afternoon, they reached out to Apple to alert the Cupertino, Calif. company of their findings. By Sunday, Apple had revoked the digital certificate used to sign the malware, and Transmission, the company whose free Mac BitTorrent client had been used to distribute the attack code, had removed the tainted version and issued an update to scrub the ransomware.

Because KeRanger contained a three-day, hard-coded delay before executing, the quick work by Palo Alto, Apple and Transmission meant that few if any Mac users had their files locked up, and so did not have to hope they had backups or the $400 to pay the extortionists.

But the criminals were more ambitious than most: They planned to create code that would have encrypted not only more than 300 file types stored on a Mac's internal hard drive, but also on any Time Machine backups.

Time Machine is the backup software baked into OS X. Although Time Machine works with any external drive, Apple sells its own Time Capsule backup devices. Because Time Machine is essentially fire-and-forget once enabled, it's a very popular choice for Mac owners for backing up the contents of their desktop and notebook computers' storage drives.

Ransomware is a very profitable criminal activity, said Thomas Reed, director of Mac offerings at Malwarebytes. "It's the biggest money maker," Reed asserted, of the many ways criminals try to monetize their malware.

The category has victimized computer owners for more than a decade, and while it has, like all malware, changed since it debuted, ransomware has some basic properties: If a machine is infected, the code encrypts all or parts of a drive -- typically by selecting the most valuable file types, like Microsoft Word or Excel documents -- then displays a message demanding payment for the key that will decrypt the data. Increasingly, that payment is in the form of Bitcoin, the digital currency.

KeRanger wanted one Bitcoin, or approximately $412 at Monday's exchange rate.

One way to avoid paying such extortionists is by restoring the system using recent backups.

Ransomware writers now typically disable Windows' "System Restore" feature, which regularly takes snapshots of the PC, then lets the user return to that milestone, said Olson. It's less common for ransomware to explicitly target backups on Windows, however, perhaps because the operating system's integrated Backup functionality is little used and scores of alternatives vie for market share.

"Some Windows ransomware will encrypt backups as well as the main drive," said Reed, although he acknowledged the practice was not widespread.

Reed, who authors Malwarebytes Lab's official blog,, pointed out that Time Machine backups are "infamously fragile," and it's possible that had the hackers implemented an encrypt-all-external-backups feature in KeRanger, users would have found their backups trashed, not just locked up. In that case, paying the ransom wouldn't have done any good, at least for the backups.

"As long as you're respectful of it, and using Time Machine to do restoration, you're good," said Reed. "But if you go messing with Time Machine backups with another app, you can break the whole thing, so you can't restore at all."

While there may not be much that Apple could do to prevent Time Machine backups from being encrypted by hackers -- Reed said that KeRanger would have spotted any drive "mounted" to the Mac, a task that Time Machine does in the background when it initiates a scheduled backup -- Mac users can recover a ransomware-locked system if they have multiple backups, both Olson and Reed said.

"Ideally, you should have multiple backup systems, with only one connected to your computer at one time," said Reed. "Redundancy is good."

Storing one backup offsite is also a good idea, added Olson, a tip that ensures data survivability in case of natural disaster, theft or fire.

This story, "First Mac ransomware had sights on encrypting backups, too" was originally published by Computerworld.

ITWorld DealPost: The best in tech deals and discounts.