How the cloud helped uncover first Mac ransomware

Palo Alto Networks turns to WildFire to detect first Mac OS ransomware

Palo Alto Networks has revealed how it used the cloud to help discover the KeRanger OS X ransomware over the weekend.

Speaking to Virtual Clouds, Greg Day, EMEA CSO at Palo Alto Networks, said: "We are always looking for better and smarter ways to get quicker discovery of new attacks that we can then turn round into preventative controls."

"In this instance, from our perspective, we leveraged tools like WildFire, which is leveraging the cloud to do analysis and the cloud to do collaboration, that allows us to very quickly see new things like this and then turn round preventative measures much quicker for customers," he explained.

WildFire is Palo Alto's own cloud-based sandbox for malware analysis and forms part of its "next generation" firewall technology. According to the company, it can identify and block targeted and previously unknown malware by detonating suspicious files in a virtualised environment in the cloud, where their behaviour can be observed.

The service then automatically generates protections for the newly identified malware and pushes them out to all other WildFire customers, so that every subscriber is protected from the emerging threat without having to analyse the sample themselves.

KeRanger was discovered on Friday 4 March by Palo Alto's Unit 42 threat research team. The malware was hidden inside what appeared to be a legitimate download of the Transmission BitTorrent client and was signed with a valid Apple developer certificate, which allowed it to pass Apple's Gatekeeper checks.

KeRanger is thought to be the first fully functional Mac OS ransomware, encrypting users' files and demanding $200 for their return, although its secondary attempt to encrypt Time Machine backups did not work.
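The detail that matters in the KeRanger case is that "signed with a valid Apple developer certificate" only tells you that some Apple developer signed the binary, not that the developer you expect did. The check below is an added example, not code from the article or from Palo Alto Networks or Unit 42: it reads `codesign -dvv` output and passes only when the Team Identifier matches a value you have confirmed out-of-band. The Team IDs in the constructed sample output (`ABCDE12345`, `ZZZZZ99999`) are invented placeholders, as is the expected value in the usage line; the real developer's Team ID has to be looked up from a trusted source before relying on this.

```shell
#!/bin/sh
# Added example, not from the article or from Palo Alto Networks / Unit 42.
# A valid Developer ID signature proves only that *an* Apple developer signed
# the bundle. Pin the signer: compare the TeamIdentifier that codesign reports
# against the Team ID you expect for that vendor (obtained out-of-band).

# check_team_id EXPECTED_TEAM_ID
#   Reads `codesign -dvv` output on stdin (codesign prints it to stderr, so
#   callers redirect 2>&1) and returns 0 only if TeamIdentifier matches.
#   An unsigned bundle prints "TeamIdentifier=not set", which also fails.
check_team_id() {
    expected="$1"
    found=$(sed -n 's/^TeamIdentifier=//p' | head -n 1)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Real-world usage on macOS (EXPECTED_TEAM is a placeholder you must replace):
#   EXPECTED_TEAM=ABCDE12345
#   codesign --verify --deep --strict /Applications/Transmission.app \
#     && codesign -dvv /Applications/Transmission.app 2>&1 | check_team_id "$EXPECTED_TEAM"

# Constructed sample codesign output; both Team IDs are invented.
SAMPLE_GOOD='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Authority=Developer ID Application: Example Dev (ABCDE12345)
TeamIdentifier=ABCDE12345'

SAMPLE_BAD='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Authority=Developer ID Application: Someone Else (ZZZZZ99999)
TeamIdentifier=ZZZZZ99999'

SAMPLE_UNSIGNED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
TeamIdentifier=not set'

# verify_sample SAMPLE_TEXT EXPECTED_TEAM_ID -> prints "ok" or "mismatch"
verify_sample() {
    if printf '%s\n' "$1" | check_team_id "$2"; then
        echo ok
    else
        echo mismatch
    fi
}

verify_sample "$SAMPLE_GOOD" ABCDE12345
verify_sample "$SAMPLE_BAD" ABCDE12345
verify_sample "$SAMPLE_UNSIGNED" ABCDE12345
```

The `codesign --verify --deep --strict` step in the usage comment confirms the signature is intact; the Team ID comparison is the part Gatekeeper does not do for you, and it is the one that would have flagged a Transmission build signed under a different developer account.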

You can read more about KeRanger on our sister site, IT Pro.
