Warning: First Fully Functional OS X Ransomware Targets Mac Users

Warning: First Fully Functional OS X Ransomware Targets Mac Users

Posted by · 12918 views · Translate
Over the weekend, hackers managed to infect the open source Transmission BitTorrent app with the first fully functional ransomware seen on OS X, reports Palo Alto Networks.

Dubbed 'KeRanger', the ransomware was inserted into two installers of Transmission 2.9 on March 4th. It's unclear how the files were replaced with infected versions but the website may have been compromised.

The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

After the issued was reported, the Transmission Project removed the malicious installers and Apple updated it's XProtect antivirus signatures and revoked the abused certificate to prevent further installations. If you downloaded Transmission between 11:00am PST, March 4th, 2016 and before 7:00pm PST, March 5th, 2016, you may be infected.

Here's the steps Palo Alto Networks recommends you take to identify and remove the ransomware:

● Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
● Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users//Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
● After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in ~/Library directory. If so, you should delete them.

Hit the link below for more details on how the ransomware works...

Read More


Warning: First Fully Functional OS X Ransomware Targets Mac Users
Richard Burns - March 7, 2016 at 7:30pm
Try doing it the old fashioned way. If you can get another Mac boot up the infected machine using target disk mode and clean it using Sophos, worth a shot?
MartyNet - March 7, 2016 at 4:05pm
If you think the only use for torrent is pirating then you don't understand why it was created or who else uses it.
Average Reviewer - March 7, 2016 at 3:41pm
This is what you get for pirating stuff. Stop pirating and you won't have a need for torrent files or a torrent file manager :)
Ipol - March 7, 2016 at 5:16am
I am infected... Any of the solution proposed work to remove properly.. It wont let me delete kernel in library and force quit kernel service in running task... F*ck
morecrap - March 7, 2016 at 5:13am
I can confirm that I upgraded from within the app and was not affected. Everyone should update to the latest 2.92 release that is specifically supposed to remove the ransomware from your Mac.
4 More Comments
Recent