Dubbed 'KeRanger', the ransomware was inserted into two installers of Transmission 2.9 on March 4th. It's unclear how the files were replaced with infected versions, but the website may have been compromised.
The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple's Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development, and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.
After the issue was reported, the Transmission Project removed the malicious installers, and Apple updated its XProtect antivirus signatures and revoked the abused certificate to prevent further installations. If you downloaded Transmission between 11:00am PST on March 4th, 2016 and 7:00pm PST on March 5th, 2016, you may be infected.
Here are the steps Palo Alto Networks recommends you take to identify and remove the ransomware:
● Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either exists, the Transmission application is infected and we suggest deleting this version of Transmission.
● Using “Activity Monitor”, preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double-check the process: choose “Open Files and Ports” and check whether there is a file name like “/Users/
● After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, you should delete them.
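As an added example (not code from Palo Alto Networks or the Transmission project), the following shell script automates the three checks above. The file and process names are the ones listed in the steps; the home directory and the Transmission.app bundle locations are parameters, so the same checks can be pointed at a mounted disk image or at a test directory.

```shell
#!/bin/sh
# Added example, not code from Palo Alto Networks or the Transmission project.
# Checks the KeRanger indicators from the steps above. The home directory and
# the Transmission.app bundle locations are parameters so the same checks can
# be pointed at a mounted disk image or at a test directory.

# Usage: keranger_file_indicators HOME_DIR BUNDLE...
# Prints each indicator found; the exit status is the number of indicators.
keranger_file_indicators() {
    home_dir="$1"; shift
    found=0
    for bundle in "$@"; do
        rtf="$bundle/Contents/Resources/General.rtf"
        if [ -e "$rtf" ]; then
            echo "INDICATOR: $rtf (infected Transmission bundle)"
            found=$((found + 1))
        fi
    done
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$home_dir/Library/$name" ]; then
            echo "INDICATOR: $home_dir/Library/$name"
            found=$((found + 1))
        fi
    done
    return $found
}

# Step 2 above: is a process named kernel_service running? Exit status 1 if so.
keranger_process_indicator() {
    pids=$(pgrep -x kernel_service 2>/dev/null) || return 0
    echo "INDICATOR: kernel_service process running, pid(s): $pids"
    return 1
}

# Run against this Mac using the two bundle locations named in the article.
keranger_scan() {
    files=0
    keranger_file_indicators "$HOME" \
        /Applications/Transmission.app \
        /Volumes/Transmission/Transmission.app || files=$?
    proc=0
    keranger_process_indicator || proc=$?
    [ "$files" -eq 0 ] && [ "$proc" -eq 0 ] && echo "No KeRanger indicators found."
    return $((files + proc))
}

keranger_scan
```

A non-zero exit status means indicators were found and the listed files should be reviewed and removed as the steps describe.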
Hit the link below for more details on how the ransomware works...