This article is more than 1 year old
First working Apple Mac ransomware infects Transmission BitTorrent app downloads
If you installed 2.90, you've got a few hours to get rid of it
The first "fully functional" ransomware targeting OS X has landed on Macs – after somehow smuggling itself into downloads of the popular Transmission BitTorrent client.
Transmission's developers have warned in a notice splashed in red on the app's website that if you fetched and installed an afflicted copy of the software just before the weekend, you must upgrade to a clean version.
Specifically, downloads of version 2.90 were infected with ransomware that will encrypt your files using AES and an open-source crypto library, and demand a payment to unscramble the documents.
Transmission has millions of active users. It is possible the app's website servers were compromised, and the downloads tampered with to include the KeRanger nasty.
Those who have had files encrypted will be asked by the malware to cough up US$400 in Bitcoins, paid to a website hidden in the Tor network, to get their files back.
"Everyone running [version] 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file," the Transmission authors posted on Sunday.
Palo Alto Networks researchers Claud Xiao and Jin Chen found the KeRanger ransomware hidden in the BitTorrent software on Friday, and warned the Transmission team of the infection.
The pair and a group of seven others from Palo Alto Networks detected the infiltration hours after miscreants somehow injected the malware into the downloads. They noted that KeRanger is programmed to encrypt victims' files three days after the infected Transmission client is installed.
The website warning
Mac fans who installed Transmission for OS X 2.90 from the official website between March 4 and March 5 are probably at risk. Those who upgrade to the latest clean and ransomware-free version of Transmission – version 2.92 – by Monday, 11am PT (7pm UTC) should avoid having their files encrypted.
The malicious code has a process name of kernel_service, which can be killed, and it stores its executable in ~/Library/kernel_service, which should be deleted. The latest safe version of Transmission, v2.92, includes a tool to remove the KeRanger ransomware.
"On March 4, we detected that the Transmission BitTorrent installer for OS X was infected with ransomware, just a few hours after installers were initially posted," Xiao and Chen wrote.
"As FileCoder (earlier Mac ransomware) was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.
"It’s possible that Transmission’s official website was compromised and the files were replaced by recompiled malicious versions, but we can’t confirm how this infection occurred."
KeRanger's masterminds could potentially order the ransomware, through its command-and-control server, to immediately begin encrypting files rather than lying in wait for a few days.
KeRanger was cryptographically signed using a now-revoked Apple-issued developer certificate, but will still be accepted by OS X's Gatekeeper protection system. That means if an OS X system is configured to only run software from trusted developers, KeRanger will be allowed to start as it is signed by a developer cert. Apple has added the ransomware's signature to OS X's XProtect mechanism, which screens downloads and blocks malicious code.
KeRanger also contains other dormant features, such as the ability to encrypt OS X Time Machine backups, thus preventing users from restoring their documents from archives. As an interesting aside, the malware's executable was smuggled in an .RTF README file within Transmission. ®