
Ransomware comes to the Mac: There’s good news, bad news


New research suggests that a strain of ransomware which affected Mac computers this month may have been less threatening than it initially appeared. Yet the discovery points to future threats on a platform previously thought to be safer than Windows.

The attack, detected March 4, was limited to roughly 6,500 laptops and desktops whose users downloaded a trojanized update to Transmission, a BitTorrent file-sharing application.

Ransomware is a particular kind of malicious software that encrypts files, rendering them unreadable until the victim pays off a criminal, who provides a key to decrypt the files — usually for between $200 and $10,000, according to the FBI.


No fully functional ransomware had previously been seen on OS X, the operating system Macs run. Researchers at Palo Alto Networks, who first detected it, dubbed the ransomware KeRanger.

Ransomware can make its way onto people’s machines through downloads — which KeRanger used — as well as phishing emails and infected banner ads on websites.

According to Romanian antivirus software company BitDefender, which analyzed KeRanger’s code, the ransomware is rooted in Linux.Encoder, a strain that targets machines running Linux. (Mac OS X and Linux share many similarities because both are Unix-like operating systems.) As a result, there are few differences between the two strains, said Bogdan Botezatu, a senior e-threat analyst at the firm.

The most noticeable difference is that KeRanger also targets Mac OS X’s Time Machine backups. That eliminates one way to recover from an attack: otherwise, victims could simply wipe an infected computer clean and restore their data from a recent backup. (Linux systems do not ship a single, preinstalled backup system like Time Machine, which makes it harder for malware authors to target backup files in a consistent way.)

Yet the software behind both Linux.Encoder and KeRanger has a basic flaw that makes it easy for experts to defeat the malware’s encryption and restore files. The key used to encode and decode a victim’s files is derived from a timestamp, or the exact moment that those files were maliciously encrypted, said Botezatu. That means anyone who can narrow down when a file was encrypted can regenerate the key by trying the nearby timestamps.
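To show why a timestamp-derived key is fatal for ransomware, here is an added example (not KeRanger’s or Linux.Encoder’s code, which the page does not reproduce). It models a file key as a deterministic function of a Unix timestamp, then recovers the key the way a defender would: by trying every second in a window around the encrypted file’s modification time and keeping the candidate whose decryption begins with a known file signature. The hash-based key derivation, the HMAC counter-mode stream cipher, the sample file and the timestamps are all constructed stand-ins; the same search fails when the key comes from the operating system’s random generator instead.

```python
import hashlib
import hmac
import os
import struct

# Leading bytes of common file types, used to recognise a correct decryption.
KNOWN_MAGIC = (b"%PDF-", b"\x89PNG\r\n\x1a\n", b"PK\x03\x04")


def derive_key_from_timestamp(ts):
    """The flaw: the file key is a deterministic function of a Unix timestamp
    (seconds), so only a handful of keys are plausible for any given file.
    The hash here is a stand-in; the page does not give the malware's routine."""
    return hashlib.sha256(b"weak-ransom-kdf" + struct.pack(">Q", ts)).digest()


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib-only stream cipher for the demo."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext, key):
    """Fresh random nonce per file, stored in front of the ciphertext.
    A random nonce does not help when the key itself is guessable."""
    nonce = os.urandom(16)
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(blob, key, length=None):
    """Decrypt the whole file, or only its first `length` bytes for a quick check."""
    nonce, body = blob[:16], blob[16:]
    if length is not None:
        body = body[:length]
    return xor_bytes(body, keystream(key, nonce, len(body)))


def recover_by_timestamp_search(blob, mtime, window=3600):
    """Defender's recovery: the encrypted file's modification time is close to the
    moment the key was derived, so try every second within +/- window of it and
    return (timestamp, plaintext) for the first key whose output starts with a
    known file signature. Returns None if no candidate fits."""
    for delta in range(window + 1):
        candidates = (mtime,) if delta == 0 else (mtime - delta, mtime + delta)
        for ts in candidates:
            key = derive_key_from_timestamp(ts)
            if decrypt(blob, key, 8).startswith(KNOWN_MAGIC):
                return ts, decrypt(blob, key)
    return None


def demo():
    # Constructed victim file and encryption time (2016-03-04 00:00:00 UTC).
    victim = b"%PDF-1.7\n% constructed sample document, not a real file\n"
    encrypted_at = 1457049600
    mtime = encrypted_at + 2  # the malware wrote the file a moment later

    weak_blob = encrypt(victim, derive_key_from_timestamp(encrypted_at))
    recovered = recover_by_timestamp_search(weak_blob, mtime)

    # Same cipher, but a key from the OS random generator: nothing to search over.
    strong_blob = encrypt(victim, os.urandom(32))
    not_recovered = recover_by_timestamp_search(strong_blob, mtime, window=60)
    return recovered, not_recovered


if __name__ == "__main__":
    rec, none = demo()
    print("weak key: recovered timestamp", rec[0], "plaintext starts", rec[1][:8])
    print("random key: recovered", none)
```

The search only needs the first eight bytes of each candidate decryption, so the cost is one hash per candidate second; even a window of days is cheap. Against a properly generated key the same loop finds nothing, which is the point of the comparison.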


That’s the good news. The bad news is that the next developer of ransomware may not make the same mistake. And KeRanger does have one novel feature worth watching.

By default, Apple’s Mac OS X will only run software from developers it recognizes. The Cupertino company issues digital certificates to developers so they can sign their software, showing it comes from an approved party.

KeRanger, though, was signed with a valid Mac app development certificate, which let it pass that check, said researchers at Palo Alto Networks — albeit not the certificate used to sign previous versions of the Transmission software that carried it to users’ computers.

Apple has since revoked the certificate KeRanger’s creators were using, according to reports.
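A valid signature only proves that some registered developer signed the app, which is exactly what KeRanger relied on. The check a careful user or administrator can add is to compare the signing identity of a new download against the one recorded for the previously installed version. The following added example (not code from Palo Alto Networks, Apple or the Transmission project) parses the key=value lines that macOS’s `codesign -dvv` prints and flags a change of signing team or bundle identifier. The two sample outputs are constructed; the executable paths, bundle identifier, developer names and ten-character team IDs are placeholders, not the real Transmission or Apple values.

```python
# Constructed samples of what `codesign -dvv <app>` prints for two builds of the
# same app. Names, bundle identifiers and team IDs are placeholders, not the
# real Transmission or Apple values.
TRUSTED_BUILD = """\
Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.example.transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Project (AAAAAAAAAA)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=AAAAAAAAAA
"""

NEW_DOWNLOAD = """\
Executable=/Volumes/Transmission/Transmission.app/Contents/MacOS/Transmission
Identifier=org.example.transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Unrelated Developer (ZZZZZZZZZZ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZZZZZZ
"""


def parse_codesign(text):
    """Turn codesign's key=value lines into a dict. 'Authority' repeats once per
    certificate in the chain, so it is collected as a list."""
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # blank or free-form line, not a key=value pair
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def check_signing_identity(known_good, candidate):
    """Return the reasons to distrust `candidate` relative to `known_good`.
    An empty list means the signing team and bundle identifier both match and
    the candidate carries a Developer ID Application certificate."""
    good, new = parse_codesign(known_good), parse_codesign(candidate)
    problems = []
    if "TeamIdentifier" not in new:
        problems.append("no TeamIdentifier: unsigned or ad-hoc signed")
        return problems
    if not any(a.startswith("Developer ID Application:") for a in new["Authority"]):
        problems.append("not signed with a Developer ID Application certificate")
    if new["TeamIdentifier"] != good.get("TeamIdentifier"):
        problems.append("signing team changed: %s -> %s"
                        % (good.get("TeamIdentifier"), new["TeamIdentifier"]))
    if new.get("Identifier") != good.get("Identifier"):
        problems.append("bundle identifier changed: %s -> %s"
                        % (good.get("Identifier"), new.get("Identifier")))
    return problems


if __name__ == "__main__":
    print("same build:", check_signing_identity(TRUSTED_BUILD, TRUSTED_BUILD))
    print("new download:", check_signing_identity(TRUSTED_BUILD, NEW_DOWNLOAD))
```

On a Mac, the real input comes from `codesign -dvv /Applications/Transmission.app 2>&1` (codesign writes its report to stderr), saved once for the known-good install and run again against each new download before it is opened. Gatekeeper’s own verdict, `spctl --assess --verbose /path/to/App.app`, answers only whether the signer is an identified developer, which is the test KeRanger passed; pinning the team ID catches a valid certificate in the wrong hands.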


Ransomware has become an increasingly thorny problem for companies and individual users alike.

Last month, for instance, administrators at Hollywood Presbyterian Hospital paid hackers roughly $17,000 in bitcoin to regain control of their network. Other hospitals have also been hit by ransomware.

Because it attacks users’ data, ransomware is particularly hard to deal with. The FBI has advised victims who have not backed up their data to simply pay the ransom.

Sean Sposito is a San Francisco Chronicle staff writer. Email: ssposito@sfchronicle.com Twitter: @seansposito


Information Security and Data Privacy Reporter

Sean Sposito covers information security and data privacy for The San Francisco Chronicle; previously, he was a data specialist at the Atlanta Journal-Constitution. His byline has appeared in American Banker, the Newark Star-Ledger, the Boston Globe, the Arkansas Democrat-Gazette and The Record of Bergen County, NJ.

He’s also a former data analyst at the National Institute of Computer Assisted Reporting.