For years, urban legend held that Macs were immune to malware and viruses. Whether the extremely low rate of virus infections could be attributed to the platform’s genuine immunity or lack of hacker interest in assailing Apple computers when Windows systems offered such a large attack target, it’s simply not true: Macs are not immune, as demonstrated this past weekend by a ransomware program called KeRanger. On March 7, Apple Corporation informed nearly 7,000 Mac users that their machines had been infected through a tainted copy of Transmission, a popular program for transferring data through the BitTorrent peer-to-peer file sharing network.
Ryan Olson, Palo Alto Threat Intelligence Director, told Reuters that, “This is the first one (ransomware infection) in the wild that is definitely functional, encrypts your files and seeks a ransom.” While Kaspersky Lab discovered another ransomware attack for OS X in 2014, the program, called FileCoder, was “incomplete at the time of its discovery” making KeRanger the first fully functional ransomware for Mac.
Once installed on the host machine, KeRanger remains dormant for three days, then encrypts all files on the device and demands a ransom. Additionally, KeRanger attempts to encrypt files created by the Time Machine application to prevent data recovery.
A new and growing Mac footprint
Mac use is no longer limited exclusively to workers in creative vocations. End users in a variety of occupations prefer Mac laptops and mobile devices; as a result, organizations are moving end users to the Mac platform. According to the JAMF 2015 Survey: Managing Apple Devices in the Enterprise, 96 percent of enterprises support Mac laptops and desktops, 84 percent support iPhones and 81 percent support iPads. In fact, IBM deployed 130,000 Macs over the past year and reported a savings of $270 per Mac user. IBM attributes the savings to better usability of the Mac and, in turn, a reduction in IT support. A bigger Mac footprint in the enterprise has threat actors paying attention—as this new Mac-cracking ransomware strain suggests.
Ransomware remediated, but not terminated
Apple has revoked the digital certificate of the Apple developer that inadvertently installed KeRanger and the Mac user community has most certainly breathed a sigh of relief. But that sense of relief is premature.
As the number of Macs in the enterprise increases, the number of malware infections is also likely to increase. Formerly ignored, Macs represent a lucrative new market for ransomware exploits. The issue is compounded by the fact that many Mac users believe their devices are immune to malware or that hackers are not interested in targeting the small Mac segment in a sea of Windows devices. In 2014, security firm Symantec Corp reported some 8.8 million attacks on Windows devices in 2014 alone. Today marks a new chapter as Mac users find their operating systems also in the crosshairs of threat actors.
While the KeRanger infection was relatively small and quickly remediated, Mac users can count on future ransomware attacks targeting Apple’s devices. With KeRanger still actively being developed and the growing adoption of Mac devices in the enterprise, enterprise IT must find backup solutions that work across platforms, affording Macs the same protection as Windows devices. With continuous endpoint backup in place, end users will have the ability to recover files stored on endpoints—and the enterprise will never pay a ransom.
To learn more about how endpoint backup can protect the data on enterprise Macs, download the market brief Securing & Enabling the Mac-Empowered Enterprise.