It’s a scary day for Torrent users everywhere. Transmission, which is one of the most used non-commercial BitTorrent clients and a popular choice of Mac users, has earned the tag of being the first OS X program to be infected with ransomware.
The Transmission website, Transmissionbt.com, asks users running Transmission client version 2.90 to upgrade immediately to the latest version, 2.92. The site warns that users may have downloaded a malware-infected file. Uncovered by researchers at Palo Alto Networks Inc., the KeRanger malware is the first functioning ransomware attacking Apple’s Mac computers.
It’s a known fact that the cyber threat of ransomware has risen manifold over the past few years. While ransomware has typically targeted users of Microsoft’s Windows operating systems, this new malware encrypts the data on your computer and demands a Bitcoin payment to decrypt it.
After infecting your Mac, the malware begins encrypting certain types of document and data files. Once the process is complete, KeRanger demands that the victim pay one bitcoin (USD $400) to a specific address to retrieve their files. The researchers note that the malware appears to be under active development and that it also attempts to encrypt Time Machine backup files, to prevent victims from recovering from their backups. That’s some scary shit.
Digging deeper, the two KeRanger-infected Transmission installers are signed with a legitimate Apple-issued certificate, but their developer ID differs from the one used for previous versions. The infected package also includes an extra file named General.rtf whose icon looks like a normal RTF document, but which is actually a Mach-O format executable. “As soon as a user clicks on an infected app, their bundle executable copies this RTF file to
Here’s a screenshot:
How to protect yourself against KeRanger — the world’s first Mac ransomware?
- Using your Mac’s Finder or Terminal, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists.
- Open the preinstalled Activity Monitor in OS X and check whether a process named “kernel_service” is running. If so, choose Open Files and Ports and look for a file /Users/<username>/Library/kernel_service. This is KeRanger’s main process, and you should terminate it using the Force Quit option.
- After the above steps, also check whether any of these files exist in the ~/Library directory: .kernel_pid, .kernel_time, .kernel_complete or kernel_service. If you find any of them, delete them.
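The three checks above as a shell script, added here as an example (not code from the article or from Palo Alto Networks): it looks for the listed indicator files, tests whether a General.rtf really is RTF by its header bytes (a genuine RTF document starts with `{\rtf`, whereas the page says KeRanger’s is a Mach-O binary), and reports a running kernel_service process. The file name keranger_check.sh and the root/home prefix parameters are assumptions made so the checks can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the article or Palo Alto Networks): checks a Mac for the
# KeRanger indicators described above. The root and home prefixes are parameters so
# the same checks can be exercised against a constructed directory tree.

# Print each KeRanger indicator path that exists.  $1 = filesystem root prefix
# ("" for a live system), $2 = home directory (defaults to $HOME).
keranger_indicators() {
  root="${1:-}"; home="${2:-$HOME}"
  for p in "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
           "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
           "$home/Library/.kernel_pid" "$home/Library/.kernel_time" \
           "$home/Library/.kernel_complete" "$home/Library/kernel_service"; do
    [ -e "$p" ] && echo "$p"
  done
  return 0
}

# Echo the number of indicators present (0 means a clean result).
keranger_count() {
  keranger_indicators "$1" "$2" | wc -l | tr -d ' '
}

# A genuine RTF file begins with the bytes "{\rtf" (hex 7b 5c 72 74 66); KeRanger's
# General.rtf is a Mach-O executable with an RTF icon. Exit status 0 = really RTF.
is_real_rtf() {
  [ "$(head -c 5 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7b5c727466" ]
}

# Live scan of this Mac: lists indicator files, flags a General.rtf that is not
# really RTF, and reports a running kernel_service process (KeRanger's main process).
keranger_report() {
  keranger_indicators "" "$HOME" | while IFS= read -r p; do
    case "$p" in
      */General.rtf) if is_real_rtf "$p"; then echo "found (genuine RTF): $p"
                     else echo "SUSPECT: Mach-O masquerading as RTF: $p"; fi ;;
      *) echo "SUSPECT file: $p" ;;
    esac
  done
  if pgrep -x kernel_service >/dev/null 2>&1; then
    echo "SUSPECT: kernel_service is running (pid $(pgrep -x kernel_service | tr '\n' ' '))"
  else
    echo "kernel_service process: not running"
  fi
}

# Run the live scan only when executed directly as keranger_check.sh (hypothetical
# file name), not when the functions are sourced.
case "$0" in *keranger_check.sh) keranger_report ;; esac
```

Finding an indicator file or process is a prompt to follow the removal steps above; a General.rtf that fails the header check is the clearest sign of the trojanized installer.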