Ransomware has come to the OS X world. Ransomware has typically focused on the PC world, but Palo Alto recently discovered that the Transmission BitTorrent installer for OS X was infected with ransomware they have named “KeRanger”. The only other previously identified ransomware for OS X was FileCoder, which Kaspersky Lab discovered in 2014 but which was incomplete at its time of discovery. This makes KeRanger the first functional ransomware targeting OS X.
BitTorrent is a communications protocol for peer-to-peer file sharing. It is one of the most common protocols for transferring large files. Transmission is a free BitTorrent client. It features a variety of user interfaces on top of a cross-platform back-end.
What is Ransomware?
A type of malware, ransomware restricts access to the infected computer system in some way. The user must pay a ransom to the malware operators to remove the restriction.
Ransomware was recently in the news when a California hospital, Hollywood Presbyterian Medical Center, fell victim to it and paid a ransom of 40 bitcoins, or about $17,000. Typically, the ransom is closer to one bitcoin, or about $400.
How Does KeRanger Work?
KeRanger delays encrypting the user’s hard drive for three days. According to Palo Alto, attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4th. Considering Transmission is an open source project, it is possible that Transmission’s official website was compromised. Since the malware was installed on March 4th, there may be reports of infected Macs as early as today.
Is My Mac Infected?
Only those Macs that have Transmission 2.90, a BitTorrent client, are infected. If you do not use Transmission, you are in the clear and need to do nothing at this time.
If you want to be sure that your Mac is not infected, follow these steps:
- Run Activity Monitor on your Mac. The easiest way to find it is to click on Spotlight, the magnifying glass in the top right corner of your screen, and type ‘Activity Monitor’.
- Check whether any process named “kernel_service” is running. If not, you are not infected.
What Do I Do If I am Infected?
Transmissionbt.com provided the following details on what to do next:
Everyone running 2.90 on OS X should immediately upgrade to 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the “OS X.KeRanger.A” ransomware is correctly removed from your computer.
Users of 2.91 should also immediately upgrade to and run 2.92. Even though 2.91 was never infected, it did not automatically remove the malware-infected file.
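The Activity Monitor check and the version guidance above, scripted as an added example (not code from Palo Alto or the Transmission project). The function names, the `--scan` switch and the default /Applications/Transmission.app location are assumptions.

```shell
#!/bin/sh
# Added example: the article's two checks as a script to run on the Mac.

# Reads executable paths on stdin, one per line (the output of
# `ps -axo comm=`). Succeeds only if a process is named exactly
# "kernel_service"; the macOS kernel_task process must not match.
has_kernel_service() {
    awk '{ sub(/[ \t]+$/, ""); n = split($0, p, "/") }
         p[n] == "kernel_service" { found = 1 }
         END { exit !found }'
}

# Maps a Transmission version string to the action the article gives.
transmission_advice() {
    case "$1" in
        2.90) echo "upgrade-to-2.92: 2.90 installers may be infected" ;;
        2.91) echo "upgrade-to-2.92: 2.91 does not remove the infected file" ;;
        2.92) echo "ok: 2.92 removes KeRanger" ;;
        "")   echo "not-installed: no action needed" ;;
        *)    echo "not-covered: article names only 2.90, 2.91 and 2.92" ;;
    esac
}

# Live check: sh keranger_check.sh --scan   (script name is hypothetical)
if [ "${1:-}" = "--scan" ]; then
    # Assumption: Transmission is in the default /Applications location.
    app="${TRANSMISSION_APP:-/Applications/Transmission.app}"
    ver=""
    if [ -d "$app" ]; then
        ver=$(defaults read "$app/Contents/Info" \
              CFBundleShortVersionString 2>/dev/null || true)
        [ -n "$ver" ] || ver="unknown"
    fi
    echo "Transmission ${ver:-<none>}: $(transmission_advice "$ver")"
    if ps -axo comm= | has_kernel_service; then
        echo "kernel_service is running: treat this Mac as infected"
        exit 1
    fi
    echo "no kernel_service process found"
fi
```

The script exits with status 1 when a `kernel_service` process is found, so it can be run across several Macs from a management tool and the non-zero results collected.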