Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 9 subscribers
  • Views 11764 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

First real OS X ransomware

brvx

researchcenter.paloaltonetworks.com/.../

Developer certificate revoked for this one, and now supposedly cataloged in XProtect (however, my latest 10.8 XProtect is still showing 2/10 for last update--maybe doesn't affect 10.8?), but no reason to think it will stop with Transmission or other torrent clients. Will most likely move on to other kinds of downloads,/programs, not just torrent clients. $99 for Apple code signing certificate from Apple is cheap. The cost of doing business-- a trifle compared to the haul they can make in a few days before the certificate is revoked. As soon as one is revoked, they will just get another.


At the moment, can't gain persistence, but expect that won't last long. And probably won't take long before anyone can buy this as a kit.

Will Sophos stay on top of this, now and through the inevitable variations, and protect?



This thread was automatically locked due to age.
Parents
  • 0

    We published detection for the known variants of the DMG as well as the binary Mon, 07 Mar 2016 12:19:11 +0000 as part of the IDE "tesla-cj.ide". Its our intention to stay on top of the current variant as well as future variants and publish updates as rapidly as possible. The automatic updating mechanism works pretty well, in this regard.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • 0 in reply to bobcook

    It was reported in the wild on 3/4 and your first definitions were created on 3/7.  So, users weren't protected from this for 3 days?

  • 0 in reply to FerdieMazon

    Please keep in mind the timeline of disclosure to friendly security companies only happened on March 6th despite the fact that Apple and the original software vendor for Transmission received notification on March 4th.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • 0 in reply to bobcook

    Understood.  That's unfortunate.

    What about the other 6500 downloads?  None of them were Sophos-protected hosts?  I'm guessing that's a small sample and may not have produced a hit.

  • 0 in reply to FerdieMazon

    Just did a quick run of the threat report analytics. To date, we have seen 47 unique Mac endpoints detecting OSX/KeRanger-A. Not a lot, really, and we strongly suspect those 47 are people testing whether we detect it or not.

    And to be really honest, no I have no idea who those endpoints are or even what country they live in. This type of data is heavily anonymized for obvious reasons.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

Reply
  • 0 in reply to FerdieMazon

    Just did a quick run of the threat report analytics. To date, we have seen 47 unique Mac endpoints detecting OSX/KeRanger-A. Not a lot, really, and we strongly suspect those 47 are people testing whether we detect it or not.

    And to be really honest, no I have no idea who those endpoints are or even what country they live in. This type of data is heavily anonymized for obvious reasons.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

Children
No Data
Unfiltered HTML