— What You Need to Know About Mac ransomware —
Executive Summary: Mac ransomware is here, and you need to protect your Mac.
Mac “ransomware” is in the news lately, and many people have been asking me, “Is this real?” Sorry to say, “Yes, it’s real.” Here’s what you need to know to protect yourself and your Mac.
First, you need to know what ransomware is. Ransomware is software that locks your device (a smart phone, or a computer) and puts a ransom note on the screen, telling you where to send money to regain control of your machine. (This has been going on with Windows machines for some time. Incredible.) Naturally the software is typically disguised as something else— people are not likely to click on something called “Lock Yourself Out of Your Computer.” So, the bad guys hide the bad software inside some other program that they think you might be interested in. Payment is made through a means that is difficult to trace: in the most recent case, via bitcoin. The special thing about the latest ransomware is that it runs on Macs. This is a first-time thing, and a bad sign of things to come.
Second, you need to know that Apple tries very hard to protect you and your Mac. Apple’s Gatekeeper feature (introduced in OS X Lion 10.7.5) is part of Apple’s effort. (The other part is an updated list of malware threats. Items on the list cannot run.) Gatekeeper can prevent malicious apps from being installed, and can also prevent them from running. Apple issues a “Developer ID” to app developers which they use to “sign” their apps, and if an app isn’t signed, Apple can block it from running or even being installed. The implication is, if an app is signed by a Developer ID, it’s a good app, because you can’t get a Developer ID without going to Apple to get it. In the current case, the bad guys signed the ransome-ware app with a valid Developer ID (we don’t know yet how they go it) so the app looked perfectly safe and good. Which means that Apple’s built-in Gatekeeper feature wouldn’t (and didn’t) stop the app from being installed and being run. Still, it’s nice to know you’re not in this alone.
Third, you need to know that— as of this writing— the only infected app is version 2.90 of “Transmission.” If you haven’t downloaded Transmission, your Mac is not under attack (at least not yet, but don’t get complacent). If you have downloaded Transmission, and the version you got is 2.90, immediately go to TransmissionBT.com and download version 2.92. That version is clean, and it will remove the threat installed with 2.90. Remember though– ransome-ware on the Mac is possible, and from now on you have to be on your toes. I would not be surprised to see a fake Flash installer delivering ransome-ware down the road.
Fourth, you need to know that the Mac community takes these kinds of threats very seriously. As soon as new threats are located, the words gets out and fixes are put in place. In this case, the legitimate developers of Transmission contacted Apple as soon as they realized what had happened, and Apple immediately revoked the Developer ID used to sign the ransome-ware. Mac security software companies like Intego have updated their systems to prevent this particular attack from succeeding, and the infected version of Transmission is no longer available for download. Unfortunately, in this case the bad guys got clever and set a 3-day delay before a Mac becomes locked, so people who inadvertently ran the infected program will not see any signs of trouble until today or tomorrow. Once the system is locked, those people are out of luck.
(The current ransome-ware attack works by encrypting the files on a Mac’s hard disk. It doesn’t encrypt everything but it does encrypt a lot. Without the encryption key, you can’t unlock (or open) your files. If you pay for the key— and it will cost you one Bitcoin, or about $400 at current exchange rates— you’ll get access to your files again. I wouldn’t bet against the bad guys encrypting things again somehow, even if you’ve paid.)
Here’s what you can do to help keep your Mac safe.
- Be careful. Avoid downloading things that look shady— for example, apps or plug-ins that let you watch all of the Academy Award nominee films for free. The bad guys play on greed.
- Use an anti-virus/security application and keep it up to date, to help fight future attacks. I recommend Intego Mac Internet Security X9. Click to see my article about Internet Security X9.
- Look at your Mac’s security settings (Apple menu/System Preferences/Security & Privacy/General) and choose “Allow apps downloaded from Mac App Store and identified developers” (this would not have helped in this ransome-ware case because they posed as identified developers, but in general it’s a good idea).
- Stay informed. You can read about Apple’s Gatekeeper system here. You can read about this particular ransome-ware here. And you can email me here.