Admit it Apple fans, Macs are no more secure than the rest of them

Apple MacBook Retina 12in review

Why are Mac users still in denial that their platform of choice is as insecure as the next? That's the question that needs to be answered following the, admittedly rather lame, discovery of the first ransomware to target the OS X platform.

Let's get this straight, KeRanger (discovered by Palo Alto Networks) has been somewhat over-hyped by a media hungry to run with a 'Mac is insecure, told you so' story. The truth of the matter is that only around 6,500 downloads of the infected files are thought to have been distributed.

But KeyRanger does serve as a reminder that you don't get a free pass from threats when you buy into the Mac ecosystem. Let's not forget that KeRanger was a fully functioning piece of ransomware, albeit a pretty crappy one.

It came as part of a compromised BitTorrent client installer (Transmission) for OS X and certainly had the ability to encrypt user files then issue a $200 ransom demand for the decryption key. Unfortunately, it was based upon a Linux ransomware variant that was already known to be flawed, called Linux.Encoder.

That KeRanger waited for three days before contacting the Command & Control servers over the Tor network to initiate encryption, presumably in an attempt to bypass behavioural security checks, was one shot in the foot. Apple revoked the compromised binary signing certificate within this timeframe, so the OS X Gatekeeper protection would have kicked in and prevented the .dmg file from opening.

Another was that anyone who was unfortunate enough to get infected and have their files encrypted could use their Time Machine backups. KeRanger was meant to encrypt these files as well, but the code was broken and so this didn't happen.

However, that KeRanger exists is the point that should be of concern to Mac users, because it demonstrates what everybody in the IT security industry already knows: Macs cannot escape the attention of the bad guys forever.

As Tim Erlin, director of security at Tripwire, says, "it may have taken a little longer for ransomware to come to the Mac, but that shouldn't be interpreted in terms of relatively security, but in terms of target density".

In other words, the larger the Mac user base gets, the more attractive a target it becomes for the criminal fraternity. Especially given that Mac users, and forgive me for the sweeping generalisation, have tendency to be less security savvy than Windows users these days. Maybe this is because Windows users have been forced to accept that security is a problem and so it is slowly becoming harder for them to be fooled into taking hackers' bait. At some point the bad guys are going to start looking for easier prey to fool, and that point is now.

That ransomware is the threat to bang this 'your Mac security is wack' message home is no surprise, it's been cyber criminals' attack of choice for a good couple of years now. The reason being that, in terms of returning a profit, it works. That it didn't in the case of KeRanger is more down to poor execution on the part of the perpetrator rather than any Mac cloak of invincibility, truth be told.

But there remains a reticence, a dogged and angry determination, on many online forums to deny any hint of insecurity about the Mac platform. This should be of concern to all. Cybercriminals follow a couple of rules when it comes to choosing targets: how easy is it to infect them and what's the return on investment going to be?

The former has not really been put to the test yet, but if you think of KeRanger as being an amateur probing the possibilities then it stands to reason the pros will do a lot better job of executing the threat. And if that does turn out to be the case, the answer to the ROI question is likely to come with plenty of zeroes on the end.

The bottom line is that Windows is no longer the only target. Android has been on the ransomware radar for a long time, and Linux servers joined the gang at the start of this year. That Mac users appear to put all their faith behind disallowing unsigned software, which KeRanger has proved can be bypassed, is a dangerous defensive posture.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.