First Virus to Hit Apple Mac Users
How KeRanger Works
Once a victim installs an infected version of the Transmission app, the KeRanger malware embeds itself in the victim's machine and, after 3 days, encrypts the hard drive, including important documents, images and video files, as well as email archives and databases.
The KeRanger malware then asks the victim to pay 1 Bitcoin as the ransom amount to allow the victim to decrypt the hard drive and regain access to his/her important files.
The malware imposes a 72-hour lockout window unless the payment is made.
Though it is still unclear how the hackers managed to compromise the app and upload the infected files, it is believed that they managed to hack the Transmission website as the site was served via HTTP instead of HTTPS.
How to Protect against KeRanger
The security researchers suggested users check for the existence of the following files on their machines:
/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf
If any of the above files exists, your Transmission app is likely infected with the new ransomware.
The malicious code also has a process name of “kernel_service”, “kernel_pid”, “.kernel_time” or “.kernel_complete,” which can be killed, and stores its executable in the ~/Library directory. Delete these files if they exist.
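The file and process checks described above, as an added example (not code from the researchers or the Transmission developers). The function names, the ROOT/HOME_DIR arguments and the `--scan` switch are assumptions of this example; each ~/Library name is tested with and without a leading dot because the list above mixes both forms.

```shell
#!/bin/sh
# Added example: checks for the KeRanger indicators listed in the article.
# Function names, the ROOT/HOME_DIR arguments and --scan are assumptions.

# keranger_files ROOT HOME_DIR
# Prints each indicator file that exists; returns 0 if at least one was found.
# ROOT lets the same check run against a mounted backup ("" = live system).
keranger_files() {
    root=${1:-}; home_dir=${2:-$HOME}; found=1
    set -- \
        "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"
    # The article mixes dotted and undotted names, so test both forms of each.
    for n in kernel_service kernel_pid kernel_time kernel_complete; do
        set -- "$@" "$home_dir/Library/$n" "$home_dir/Library/.$n"
    done
    for f in "$@"; do
        if [ -e "$f" ]; then echo "$f"; found=0; fi
    done
    return "$found"
}

# keranger_procs: reads one command path per line on stdin (as printed by
# `ps -A -o comm=`), prints those whose basename is an indicator name.
keranger_procs() {
    hit=1
    while IFS= read -r cmd; do
        name=${cmd##*/}; name=${name#.}
        case "$name" in
            kernel_service|kernel_pid|kernel_time|kernel_complete)
                echo "$cmd"; hit=0 ;;
        esac
    done
    return "$hit"
}

# Scan the live system; exit status 1 means an indicator was found.
keranger_scan() {
    rc=0
    if keranger_files "" "$HOME"; then rc=1; fi
    if ps -A -o comm= | keranger_procs; then rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "No KeRanger indicators found."; fi
    return "$rc"
}

if [ "${1:-}" = "--scan" ]; then keranger_scan; fi
```

Run it with `--scan` to check the live system, or call `keranger_files /Volumes/Backup /Volumes/Backup/Users/name` (a constructed path) to check a mounted copy.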
The Transmission developers released an updated version 2.92 of the Transmission app to ensure the KeRanger malware files are actively removed.
If you downloaded a vulnerable copy of Transmission from the web before the weekend, you must uninstall it now and upgrade to a clean 2.92 version of the software.
“Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file,” Transmission posted in red on its website.
Specifically, downloads of Transmission version 2.90 were infected with the ransomware code that will encrypt your files after 3 days and demand a payment of $410 in Bitcoin to regain control.
It is worth noting that KeRanger has currently been detected only in the Transmission app for Mac. However, if the malware is widespread, it could affect other common Mac apps as well.