Transmission OS X BitTorrent client infected with KeRanger ransomware

Transmission OS X BitTorrent client infected with KeRanger ransomware

Palo Alto Networks security firm reports on its blog post, that it discovered the first-ever ransomware, which affects the OS X operating system. They discovered the KeRanger ransomware bundled into two Transmission 2.90 bittorrent client installers, available right on the open-source project’s webpage. After this unfortunate discovery, Apple and Transmission were notified right away. Apple managed to revoke the Mac app development certificate, that allowed the ransomware to bypass Gatekeeper on OS X and the infected installers were removed form the Transmission website.  Here is a detailed description of how the KeRanger ransomware works :

“If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.”

Is your Mac computer safe?

It depends if you downloaded a Transmission installer client between 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016. After the later date, the malicious installers were removed from the Transmission’s website. Although there are no reports regarding 3rd party websites that provide free software.  If you are using an infected version of Transmission the below dialog will appear.

Transmission 2.90 KeRanger ransomware warning
                                                   Gatekeeper warning

Hopefully non of you downloaded the malicious file and you are all safe.

Leave a Reply

Your email address will not be published. Required fields are marked *