
Ransomware is a particularly nasty piece of malware: after your computer is infected, it encrypts your data and refuses to give you the key unless you pay its makers a sum of money. Save for any glaring mistakes in the malware's implementation, paying up is usually the only feasible way to get your data back, especially if you don't have a backup.

Now, according to security company Palo Alto Networks, the first functional ransomware that operates on Apple's OS X has been discovered. Dubbed KeRanger, the malware was embedded in version 2.90 of the Transmission software, normally a legitimate BitTorrent app. It waits three days before encrypting certain types of data on an infected system, and then it asks for one bitcoin (around $405) in ransom.

The infected versions of the Transmission installer were detected on March 4, and anyone who downloaded Transmission 2.90 around that date may have infected their OS X machine with the KeRanger malware.

Soon after the infection was discovered, Transmission released a new version of its client, Transmission 2.92, which should be malware-free.

"Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the “OSX.KeRanger.A” ransomware (more information available here) is correctly removed from your computer," says a message on the official Transmission website.

Tips to get rid of the malware
Palo Alto Networks offers some tips for users who think their system might have been infected. First, in Finder, check for the existence of a "/Applications/Transmission.app/Contents/Resources/General.rtf" or "/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" file. If the file exists, your Transmission app is infected and you should delete it.

Users should also check, using Activity Monitor, whether there's a process called "kernel_service" running. If there is, users should double-check the process: select "Open Files and Ports" and look for a file name like "/Users/<username>/Library/kernel_service". The "kernel_service" process should be terminated with Quit - Force Quit.

Those who find an infection on their computer should check their ~/Library directory for files named “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service”. Those files should also be deleted.

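The three checks above (the General.rtf marker inside the Transmission bundle, the kernel_service process, and the dropped files in ~/Library) can be run from a Terminal instead of Finder and Activity Monitor. The script below is an added example written for this article; it is not code from Palo Alto Networks or the Transmission project. The only indicators it knows are the file and process names quoted in the article; the function names (keranger_scan and friends) are hypothetical, and the checks take the filesystem root and home directory as parameters so the same logic can be exercised against a constructed directory tree rather than a live Mac.

```sh
#!/bin/sh
# Added example, not from the article's sources: checks a Mac for the
# KeRanger indicators the article lists. ROOT and HOME are parameters so the
# logic can be tested against a constructed tree; defaults are "/" and "$HOME".

# General.rtf marker paths inside an infected Transmission bundle,
# relative to the filesystem root (from the article).
keranger_app_indicators() {
    printf '%s\n' \
        "Applications/Transmission.app/Contents/Resources/General.rtf" \
        "Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"
}

# File names the malware drops in ~/Library (from the article).
keranger_library_indicators() {
    printf '%s\n' ".kernel_pid" ".kernel_time" ".kernel_complete" "kernel_service"
}

# keranger_scan [ROOT] [HOME]
# Prints every indicator present; returns 0 if at least one was found, 1 if none.
keranger_scan() {
    root="${1:-/}"; root="${root%/}"      # "/" becomes "" so we don't emit "//Applications"
    home="${2:-$HOME}"; home="${home%/}"
    found=0
    for rel in $(keranger_app_indicators); do
        if [ -e "$root/$rel" ]; then
            echo "INFECTED BUNDLE: $root/$rel (delete the Transmission app)"
            found=1
        fi
    done
    for name in $(keranger_library_indicators); do
        if [ -e "$home/Library/$name" ]; then
            echo "MALWARE FILE: $home/Library/$name (delete it)"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Returns 0 if a process named exactly "kernel_service" is running.
# pgrep -x matches the process name rather than its arguments (macOS and Linux).
keranger_process_running() {
    pgrep -x kernel_service >/dev/null 2>&1
}

# Run against the live system only when invoked as: sh keranger_check.sh --run
if [ "${1:-}" = "--run" ]; then
    if keranger_scan / "$HOME"; then
        echo "KeRanger indicators found; clean up, then upgrade Transmission to 2.92."
    else
        echo "No KeRanger file indicators found."
    fi
    if keranger_process_running; then
        echo "kernel_service is running: force-quit it from Activity Monitor."
    fi
fi
```

The scan only reports what it finds; deleting the Transmission bundle and the ~/Library files is left to the user, as the article describes, because a removal step run against the wrong tree does more harm than a missed indicator.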
How did this happen?
Transmission is a legitimate OS X app, and installing it requires an Apple-signed certificate, so how could the infection happen in the first place?

According to Palo Alto Networks, two KeRanger-infected Transmission installers were signed with an Apple-issued certificate. It's not clear how the malware-infested installers ended up on Transmission's website — the website could have been hacked, for example, but there's no proof at this point that this is what happened.

The certificate was later revoked by Apple, so trying to start an infected version of Transmission should result in a warning dialog saying that the app will damage your computer or that it can't be opened.

An Apple spokesperson refused to give any details, besides reiterating that the company revoked the digital certificate that enabled the malware to install on Mac computers.

Similar ransom-demanding malware was previously seen on Windows machines and other operating systems, but not on OS X. In February, hackers demanded millions of dollars in ransom to decrypt the data belonging to a Hollywood hospital, though in the end the hospital got out by paying $17,000.