KeRanger is the first example of fully functional Mac OS X ransomware and the first Mac OS X malware distributed with a signed software update from a legitimate developer, but it was not originally written for Mac OS X. According to Bitdefender Labs, it is a ported version of the Linux.Encoder ransomware. This makes it the first cross-platform ransomware.
Linux.Encoder is in its fourth version and has had some success infecting Linux servers, but it is still vulnerable to key recovery, according to a January blog post by Bitdefender Labs. "Key recovery" means that Bitdefender can find the decryption key without the victim paying the ransom.
KeRanger, a trojaned update of the Transmission BitTorrent client, "looks virtually identical" to the current Linux.Encoder version, says the Bitdefender Labs blog entry. The blog quotes Catalin Cosoi, Chief Security Strategist at Bitdefender, as saying "[t]he encryption functions are identical and have the same names: encrypt_file, recursive_task, currentTimestamp and createDaemon to only mention a few. The encryption routine is identical to the one employed in Linux.Encoder."
One main adaptation the KeRanger authors made for the Mac version was to sign the malware with a legitimate code signing key, issued by Apple for the Mac App Store. These keys are whitelisted by the Mac Gatekeeper service. The key used for KeRanger is listed as belonging to a Turkish company and is not the same one that was previously used by the Transmission program.
Bitdefender warns that this could be a sign of things to come for malware on non-Windows systems. So far, attempts at Mac malware have not persisted, probably because the perpetrators did not consider the money they made worth the work. The only other known type of OS X ransomware in the wild is FileCoder, discovered in 2014, but it was incomplete at the time it was discovered.