SecureMac, Inc.

KeRanger Ransomware Takes Macs Ransom for Bitcoin – Ransomware Information & Removal Mac

March 7, 2016

BitTorrent Client Exposes Users to First Known Piece of OS X Ransomware

Unlucky BitTorrent users who installed the latest version of Transmission over the weekend unwittingly exposed themselves to the first known piece of ransomware seen in the wild for OS X. According to a report published on March 4th by the Palo Alto Networks Research Center, hackers figured out a way to bundle ransomware with two different installers for Transmission 2.90. Transmission bills itself as a “fast, easy, and free BitTorrent client.”

According to the Palo Alto Networks report, the ransomware in question is called KeRanger and was used to infect the Transmission 2.90 installers on the morning of March 4th. As of the March 6th publication of the Palo Alto Networks report, DMG files for the infected installers “were still available for downloading from the Transmission site.” The Transmission website now hosts a message warning users who downloaded 2.90 to upgrade their software to version 2.92. Transmission says that updating to the latest version will check for KeRanger and “make sure” it is removed.
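The practical advice above is to replace the 2.90 build with 2.92. The script below is an added example, not from SecureMac or the Transmission project: it reads the installed bundle's version from its Info.plist and reports whether it is the 2.90 build that the project told users to replace, or otherwise older than 2.92. It assumes the Info.plist is in XML form (a binary plist can be converted first with `plutil -convert xml1`).

```shell
#!/bin/sh
# Added example (not from the article or the Transmission project): report
# whether an installed Transmission.app is the 2.90 build or older than 2.92.
# Assumes a standard macOS app bundle with an XML-form Info.plist.

# Print CFBundleShortVersionString from an XML Info.plist ($1 = plist path).
transmission_version() {
    awk '/<key>CFBundleShortVersionString<\/key>/ {
            getline                                # value is on the next line
            gsub(/.*<string>|<\/string>.*/, "")    # strip tags and indentation
            print; exit
         }' "$1"
}

# Compare two dotted version strings numerically; prints -1, 0 or 1.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Prints "affected" for 2.90 (the build users were told to replace),
# "outdated" for anything else below 2.92, "ok" otherwise, and "unknown"
# when no version string can be read.
transmission_status() {
    v=$(transmission_version "$1")
    [ -z "$v" ] && { echo "unknown"; return 0; }
    if [ "$v" = "2.90" ]; then echo "affected"; return 0; fi
    if [ "$(version_cmp "$v" "2.92")" -lt 0 ]; then echo "outdated"; else echo "ok"; fi
}

# Stand-alone use on a Mac (path is the standard install location).
PLIST=/Applications/Transmission.app/Contents/Info.plist
[ -f "$PLIST" ] && echo "Transmission: $(transmission_status "$PLIST")"
```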

The Details

How did this infection occur, and what does it mean for users of the Transmission BitTorrent client? As of right now, no one is sure how the malware made its way onto the Transmission servers. In all likelihood, hackers compromised the Transmission website and replaced the installer files with modified, malicious versions. Such a hack would be similar to what happened with Linux Mint a few weeks ago. In that case, cyber criminals were able to build a “modified Linux Mint ISO, with a backdoor in it” and then compromise the official website to point toward the malicious version of the file.

The KeRanger software, since it was bundled with a supposedly “safe” download, was signed with a valid developer certificate. In other words, Apple’s Gatekeeper protection wasn’t able to catch the ransomware. To make matters more confusing, KeRanger doesn’t execute right away. Instead, the software waits three days before it locks your files and holds them ransom. Based on that timeline, we should see the first incidents starting to occur today.

After that delay, KeRanger should work more or less like a typical piece of ransomware. The program will encrypt documents and data files on the computer and then display messages demanding “ransom” payments to unlock the files. According to the Palo Alto Networks report, KeRanger asks for a payment of one bitcoin, which currently translates to about $400 US.

Apple’s Time Machine Protection

The good news is that some of Apple’s security features will likely help to minimize the damage of KeRanger. Palo Alto Networks reported that, in addition to documents and files, the ransomware was attempting to encrypt Time Machine backups. Such an encryption would have been disastrous because it would have left infected users with only two real options: pay the ransom or lose their files.

Luckily, Time Machine appears to be protected. Cyber security expert Dino A. Dai Zovi tweeted on Sunday that “Mac OS X uses TMSafetyNet kext to make [Time Machine] files immutable after creation.” Said another way, Time Machine backups cannot be altered after they are created. KeRanger won’t be able to encrypt those backups, which means that Apple users will hopefully have a way to recover their files should they be infected by the ransomware.

A Wake-Up Call

While Apple’s protective measures could end up saving the day this time around, KeRanger should serve as a wake-up call to the Mac community. For years, there has been an assumption among Apple users that Macs don’t get viruses or malware. This belief arose and spread because most cyber criminals have chosen to focus on the more widely used Windows operating system instead.

Unfortunately, nothing about the OS X operating system is “immune” to ransomware or any other type of malware. As Apple computers become more popular, malware for OS X is going to become more common—particularly now that we’ve seen an in-the-wild piece of ransomware.

Post-Script: Please note that the KeRanger ransomware is NOT the same as popups that lock your web browser, tell you your computer is infected, and ask you to pay a fee to clean up the system. While these two issues might look similar to the untrained eye, a web browser popup is merely a scam that can be ignored by force quitting the web browser. Ransomware like KeRanger, on the other hand, is a real threat that can encrypt your files and make them inaccessible. If you encounter the popup/scam version of this threat, see our separate guide on how to resolve it.

Removing KeRanger Ransomware

MacScan 3 malware definitions have been updated to detect and remove the KeRanger ransomware. MacScan 3 automatically checks for the most up-to-date malware definitions every time it scans for threats.
