For the first time ever, Apple has been forced to shut down a ransomware attack targeting Mac users running OS X. The file-encrypting malware is embedded in version 2.90 of the BitTorrent client Transmission and demands a bitcoin payment of approximately $400. If you are using Transmission 2.90, you are advised to delete it immediately. Here are the steps you need to take.
Image: Daniel Dudek-Corrigan
Transmission issued a warning to Mac users over the weekend that its free BitTorrent client may have been infected with malware. The KeRanger attack is thought to be the first fully-functional instance of ransomware to specifically target Apple machines. Mac owners who wish to continue using Transmission should immediately upgrade to version 2.92, which will actively remove the malware.
Enterprise-level security solutions provider Palo Alto Networks was the first to spot the malware. According to the company's blog, the attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. The installers were signed with a legitimate certificate issued by Apple which allowed the code to bypass Apple’s Gatekeeper protection.
"It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred," Palo Alto explained.
When a user installs the infected apps, an embedded executable file is run on the system. After three days of lurking, the malware connects with command and control (C2) servers over the Tor anonymizer network and starts encrypting data on the system. Victims are then asked to pay one bitcoin to retrieve their inaccessible files.
Transmission Project has since removed the malicious installers from its website while Apple has revoked the certificate and updated XProtect antivirus signature to ensure infected users receive a warning.
Users who have directly downloaded Transmission installer on or before March 5 are advised to perform the following security checks:
- Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
- Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users//Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
- After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in ~/Library directory. If so, you should delete them.
For a technical breakdown of how the KeRanger attack works, head to the Palo Alto Networks website.
[Via Palo Alto Networks]