First Mac Ransomware: Am I Infected?

If you want to see your files again, cough up one Bitcoin. That's the message some unwitting Mac owners faced after accidentally installing malware on their computers, with the so-called ransomware encrypting their personal data and then charging them the equivalent of around $400 to retrieve it. Dubbed KeRanger, the malware – identified this weekend – is believed to be the first of its kind spotted in the wild.

While the full origins of KeRanger – and those responsible for it – are still being worked out, it's known to have been distributed by a compromised installer for Transmission, a BitTorrent client available for Mac.

Downloaded directly from Transmission's own site, the installer was signed with a legitimate Apple developer certificate, though not the official developers' own. Once installed, it lies dormant for a few days and then sets to work encrypting the user's files; to unlock them, it demands a payment in Bitcoin made through the Tor network.

Even backups aren't safe: the malware is believed to also target Time Machine backup files so that users can't roll back to an uninfected state.

The good news is that the pool of infected users is, in the grand scheme of Mac owners, very small. According to Transmission, only around 6,500 downloads of the infected disk image were actually made.

Of that number, even fewer are expected to have seen their systems compromised, since Apple has revoked the app's certificate.

That, together with an update to XProtect, OS X's built-in anti-malware system, means that compromised installs should no longer be able to run. Anybody trying to open a compromised Transmission installer will either be blocked outright or shown a number of stern warnings that the software could damage their Mac.

Transmission has replaced the compromised download with a new version, and Apple has pushed out the latest XProtect to all internet-connected Macs automatically. As for those who may be at risk, the big tell is when you downloaded the software.

If that was from the official Transmission website, and between 11:00am PST, March 4, 2016 and 7:00pm PST, March 5, 2016, you might be affected, Palo Alto Networks says.

KeRanger can be identified on an infected Mac by making the following checks, the security research company says:

1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.

2. Using "Activity Monitor" preinstalled in OS X, check whether any process named "kernel_service" is running. If so, double-check the process, choose "Open Files and Ports" and check whether there is a file name like "/Users//Library/kernel_service" (Figure 12). If so, the process is KeRanger's main process. We suggest terminating it with "Quit -> Force Quit".

3. After these steps, we also recommend users check whether the files ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service" exist in the ~/Library directory. If so, you should delete them.

It's advised that anybody who downloaded the Transmission installer from a third-party site also go through the checks as soon as possible.
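The three checks above, written as a shell script (an added example, not code from the article or from Palo Alto Networks); the ROOT and LIBDIR parameters and all function names are assumptions, chosen so the checks can be run against a test tree or a mounted image as well as a live Mac:

```shell
#!/bin/sh
# Added example, not code from the article or from Palo Alto Networks: the three
# checks above as a script. ROOT is a path prefix ("" for the live system, or a
# mounted image or test tree) and LIBDIR is the user's Library directory; both
# are parameters so the logic can be exercised without touching a real Mac.

# Check 1: the General.rtf resource that marks an infected Transmission bundle.
find_infected_bundles() {   # $1 = ROOT prefix
    for p in "$1/Applications/Transmission.app/Contents/Resources/General.rtf" \
             "$1/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"; do
        [ -e "$p" ] && echo "bundle: $p"
    done
    return 0
}

# Check 2: a running process named kernel_service (KeRanger's main process).
# macOS ps prints the full executable path in the comm column, so strip the
# directory before comparing; plain ps/awk is used so no pgrep is required.
find_kernel_service_process() {
    ps -eo pid=,comm= 2>/dev/null |
        awk '{ n = $2; sub(/.*\//, "", n); if (n == "kernel_service") print "process: pid " $1 }'
    return 0
}

# Check 3: the marker files KeRanger drops in the user's Library directory.
find_dropped_files() {      # $1 = LIBDIR, normally "$HOME/Library"
    for f in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        [ -e "$1/$f" ] && echo "file: $1/$f"
    done
    return 0
}

# Print one indicator per line; an empty result means none of the three checks hit.
keranger_scan() {           # $1 = ROOT prefix, $2 = LIBDIR
    find_infected_bundles "$1"
    find_kernel_service_process
    find_dropped_files "$2"
}

# Convenience wrapper for scripting: the number of indicators found.
keranger_indicator_count() {
    keranger_scan "$1" "$2" | awk 'END { print NR }'
}

# On a live Mac, scan the root filesystem and the current user's Library.
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then
    keranger_scan "" "$HOME/Library"
fi
```

Any line the scan prints is one of the indicators from the checks above; a clean system prints nothing.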


Although Macs have a reputation for being malware- and virus-proof, in reality their growing user base has made them an increasingly attractive target over the past few years for those seeking file extortion or credit card details. In response, Apple has deployed the Mac App Store, among other things, which subjects third-party Mac software to the same sort of safety checks as are applied to downloads on iOS.

Unlike on iPhones and iPads, however, Macs still have an official option to download software from outside of Apple's own App Store. By default, there are warnings before such downloads are installed but, as this case indicates, the risks are still there.