{
	"id": "8fbca1ff-8db3-47bd-affc-0441debd4b9f",
	"created_at": "2026-04-06T01:31:46.094088Z",
	"updated_at": "2026-04-10T03:24:29.213725Z",
	"deleted_at": null,
	"sha1_hash": "3c6505d1b6cd8e1c359c46f2a0b84180d17a6143",
	"title": "Keranger: the first “in-the-wild” ransomware for Macs. But certainly not the last.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37868,
	"plain_text": "Keranger: the first “in-the-wild” ransomware for Macs. But\r\ncertainly not the last.\r\nBy Liviu Arsene\r\nPublished: 2017-10-25 · Archived: 2026-04-06 01:23:53 UTC\r\nRansomware has been one of the most lucrative threats for cybercriminals. With the FBI estimating financial\r\nlosses were up $1 billion dollars in 2017 alone, by the end of 2018 it’s reasonable to speculate that those numbers\r\nwill be significantly higher.\r\nAlthough most ransomware targets systems running Windows, Mac ransomware became a reality when Brazilian\r\nresearchers posted a proof-of-concept (dubbed Mabouia) in early 2015. Whether by coincidence or design, the\r\nfirst truly damaging ransomware sample for Macs emerged about a month later, delivered using a tampered\r\nversion of a popular file-sharing application known as Transmission.\r\nThe Keranger Mac Ransomware\r\nDubbed Keranger, the Mac ransomware had the same ability as its Windows counterpart, meaning once loaded it\r\ncould encrypt locally stored files, documents, and even Time Machine backups while demanding a bitcoin\r\npayment for the decryption key.\r\nAlthough Macs have a built-in system that prevents installation of unauthorized or un-signed applications from\r\nthird-party marketplaces, the Keranger ransomware was bundled inside Transmission – a torrent application –\r\nafter attackers managed to breach the official Transmission website and replace the legitimate .dmg file with a\r\ntampered version.\r\nInterestingly, to dodge GateKeeper’s app validation mechanism, attackers signed the tampered Transmission app\r\nwith a valid Apple developer certificate, making it seem legitimate. Unsuspecting users who visited the official\r\nwebsite and installed the application while it was live became the first-ever Mac ransomware victims.\r\nMore Evidence of Mac Ransomware\r\nWhile Keranger was the first “in-the-wild” and documented ransomware outbreak for Macs, it was not the last, by\r\nfar. 
Security researchers have identified a ransomware-as-a-service that enabled interested “customers” to\r\npurchase Mac-hostile ransomware in exchange for up-front payments or shared revenue from infected victims.\r\nWhile ransomware-as-a-service is not uncommon for Windows-based systems, its emergence for Macs suggests\r\nan increased interest from “customers” to start buying ransomware kits that can be deployed on Mac OS.\r\nA great example that further bolsters the case of Mac ransomware-as-a-service: the Keranger’s source code is\r\npublicly available to anyone interested in writing their own variant of Mac ransomware—and its developer only\r\nasks for 30% of what the “customer” gets from paying victims.\r\nStaying away from both ransomware and any other type of Mac threat is a simple matter of installing a Mac\r\nsecurity solution that can accurately identify potentially malicious applications or threats. This type of security\r\nsolution also keeps Mac users safe from phishing, fraudulent, or malware-serving websites that might trick users\r\ninto installing or revealing sensitive data.\r\nSource: https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html"
	],
	"report_names": [
		"keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439106,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c6505d1b6cd8e1c359c46f2a0b84180d17a6143.pdf",
		"text": "https://archive.orkl.eu/3c6505d1b6cd8e1c359c46f2a0b84180d17a6143.txt",
		"img": "https://archive.orkl.eu/3c6505d1b6cd8e1c359c46f2a0b84180d17a6143.jpg"
	}
}