Researchers from the Palo Alto Networks security company uncovered the “first fully functional” ransomware for Mac OS X within the popular open source Transmission BitTorrent client. The company named this ransomware “KeRanger.”
According to Palo Alto Networks, the attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. The company believes it is likely that the project’s website was compromised and the clean versions of the software were replaced with infected ones.
The KeRanger application was signed with a valid Mac app development certificate so that it was able to bypass Apple’s Gatekeeper protection. Gatekeeper is supposed to restrict the sources from which software can be installed, to prevent users from downloading malware-infected applications. However, Gatekeeper allows apps to be installed if they are signed by a valid certificate.
After a user installs the infected app, KeRanger waits for three days before contacting its command-and-control servers over Tor. It then begins encrypting files and documents on the user’s computer. The user is then asked to pay one Bitcoin (currently about $411 USD in value) to retrieve their files.
Palo Alto Networks said the malware developers appear to be working on an upgrade that would allow it to encrypt the Time Machine backup files, as well.
The company reported the malware to Apple on March 4, and since then, Apple has already revoked the certificate that was used to sign the infected Transmission installer. Apple also updated its XProtect antivirus to identify this malware’s signature. The Transmission project eliminated the infected files from its website, as well.
If you’ve downloaded the infected Transmission files, Apple will now warn you with these messages: “Transmission.app will damage your computer. You should move it to the Trash,” or “Transmission can’t be opened. You should eject the disk image.”
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.