Ransomware is a particularly nasty piece of malware: After your computer is infected, it encrypts your data and refuses to give you the key unless you pay its makers a sum of money. Save for any glaring mistakes in the malware's implementation, paying up is usually the only feasible way to get your data back, especially if you don't have a backup.
Now, according to security company Palo Alto Networks, the first functional ransomware that operates on Apple's OS X has been discovered.
Dubbed KeRanger, the malware was embedded with version 2.90 of the Transmission software, normally a legitimate BitTorrent app. It waits three days before encrypting certain types of data on an infected system, and then it asks for one bitcoin (around $405) in ransom.
The infected versions of the Transmission installer were detected on March 4, and anyone who downloaded Transmission 2.90 around that date may have infected their OS X machine with the KeRanger malware.
Soon after the infection was discovered, Transmission released a new version of its client, Transmission 2.92, which should be malware-free.
"Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the “OSX.KeRanger.A” ransomware (more information available here) is correctly removed from your computer," says a message on the official Transmission website.
Tips to get rid of the malware
Palo Alto Networks offers some tips for users who think their system might have been infected. First, in Finder, check for the existence of a "/Applications/Transmission.app/Contents/Resources/ General.rtf" or "/Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf" file. If the file exists, your Transmission app is infected and you should delete it.
Users should also check, using Activity Monitor, whether there's a process called "kernel_service" running. If it is, users should double check the process, select "Open Files and Ports" and check for a file name like "/Users/<username>/Library/kernel_service". The "kernel_service" process should be terminated with Quit - Force Quit.
Those who find an infection on their computer should check their ~/Library directory for files named “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service.” Those files should also be deleted.
How did this happen?
As Transmission is a legitimate OS X app, and it requires an Apple-signed certificate to be installed, how could the infection happen in the first place?
According to Palo Alto Networks, two KeRanger-infected Transmission installers were signed with an Apple-issued certificate. It's not clear how the malware-infested installers ended up on Transmission's website — the website could have been hacked, for example, but there's no proof at this point that this is what happened.
The certificate was later revoked by Apple, so trying to start an infected version of Transmission should result in a warning dialog, saying that the app will damage your computer or that it can't be opened.
An Apple spokesperson refused to give any details, besides reiterating that the company revoked the digital certificate that enabled the malware to install on Mac computers.
Similar ransom-demanding malware was previously seen on Windows machines and other operating systems, but not on OS X. In February, hackers demanded millions of dollars in ransom to decrypt the data belonging to a Hollywood hospital, though in the end the hospital got out by paying $17,000.