Ransomware is a dangerous type of malware threat that affects plenty of Windows users. This kind of software encrypts certain files belonging to the user and then demands a fee for the unlock key. While Mac users have long been safe from such threats, the first such threat attacking OS X computers has been detected. Fortunately, it has already been dealt with.
Researchers from Palo Alto Networks discovered the program masquerading as the installer of Transmission 2.90, an open-source BitTorrent client that was updated last week. Somehow, attackers managed to penetrate the security of Transmission and replaced the original files with DMG archive files containing the KeRanger threat, which researchers call the first fully functional Mac ransomware program.
The app was signed with a valid Mac app development certificate, removed by Apple since the threat was discovered. Apple’s Gatekeeper protocol will now block the app on Macs, which might still be available for download on some sites.
Researchers determined that KeRanger connects with the command and control center three days after infection, using Tor to anonymize data. Palo Alto Network reported their findings to both Apple and Transmission on March 4th.
The malware then encrypts certain types of documents and data, asking for one Bitcoin (around $400) from the affected user, for the key to encryption.
The Transmission Project has updated its website since the security issue was found, releasing Transmission 2.92, a malware-free version of the app, which also claims to remove the malware from the computer, in case it’s still there.
Even so, KeRanger appears to be under active development, with the malware also attempting to encrypt Time Machine backup files so that victims can’t easily recover their back-ups.
Users who have downloaded Transmission 2.90 from the official site after 11:00 a.m. PST March 4th, 2016 and before 7:00 p.m. PST, March 5th, may be infected with KeRanger.
Here’s what you should do to find out whether the program is on your computer, according to Palo Alto Networks:
1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
2. Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users//Library/kernel_service”=. If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
3. After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in ~/Library directory. If so, you should delete them.
The only thing you can do if the malware already executed on your computer and you don’t have recent backups of the critical data that may have been encrypted last week, is to pay the ransom. However, considering that Palo Alto Networks was quick to discover the malware and that Apple and Transmission issued fixes to mitigate exploits, most Mac users should be safe – read more about KeRanger at the source links.