NEWS
Mac users are no longer immune to being held to ransom: news broke at the weekend that the first ransomware targeting Apple, Inc.’s OS X operating system has been discovered, hidden inside legitimate Mac software.
Dubbed “KeRanger” by Palo Alto Networks, Inc., the security firm that discovered it, the ransomware was distributed with the open-source BitTorrent client Transmission: version 2.90 of the Mac installer, as downloaded directly from the Transmission site itself, was infected.
Disturbingly, the KeRanger application was signed with a valid Mac app development certificate, which allowed it to pass the OS X Gatekeeper check that is supposed to stop users from running untrusted applications.
Once a user installs an infected copy of Transmission, KeRanger does nothing at first; it stays dormant for three days before it starts to wreak havoc on the infected Mac.
Upon activation, KeRanger is said to connect to its command-and-control (C2) servers via the Tor network, then starts encrypting certain files on the infected system. This is followed by the now all too standard ransom demand: in this case, the victim is told to pay 1 Bitcoin ($401.70 at the time of writing) to a specific Bitcoin wallet address to regain access to their files.
Transmission itself alerted users with a message reading:
Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file.
Apple has been made aware of the issue and has revoked the abused certificate, meaning that OS X’s Gatekeeper will now block the infected installer, and has also updated XProtect, OS X’s built-in malware detection tool, to detect KeRanger.
On top of the advice given by Transmission (see above), Palo Alto Networks recommends that Transmission users who have installed the infected version check for the ransomware’s main process as follows:
Using “Activity Monitor”, preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double-check the process, choose “Open Files and Ports” and check whether there is a file name like “/Users//Library/kernel_service”. If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
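The same two indicators (a running process named kernel_service and a kernel_service file under the user’s Library folder) can be checked from a Terminal instead of Activity Monitor. The script below is an added example written for this article; it is not code from Palo Alto Networks, Transmission or Apple. It assumes that `ps -axo comm=` lists process command names (the indicator is matched on the basename, since `ps` on OS X may print a full path) and that the file to look for is `$HOME/Library/kernel_service`. It only reports; it does not kill anything or delete files.

```shell
#!/bin/sh
# Added example: report the KeRanger indicators named in the article.
# Assumptions (not from the article): process names come from `ps -axo comm=`,
# and the file indicator is $HOME/Library/kernel_service.

# scan_indicators HOME_DIR PROCESS_LIST
#   HOME_DIR     - home directory to inspect
#   PROCESS_LIST - newline-separated process command names
# Prints one "HIT:" line per indicator found.
# Returns 0 when nothing was found, 1 when at least one indicator matched.
scan_indicators() {
    home="$1"
    procs="$2"
    hits=0

    # Match "kernel_service" as a bare name or as the last path component,
    # because ps on OS X can print the executable's full path.
    if printf '%s\n' "$procs" | grep -qE '(^|/)kernel_service$'; then
        echo "HIT: a process named kernel_service is running"
        hits=$((hits + 1))
    fi

    if [ -e "$home/Library/kernel_service" ]; then
        echo "HIT: file $home/Library/kernel_service exists"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}

# Live, read-only check of the current machine and user.
live_check() {
    scan_indicators "$HOME" "$(ps -axo comm= 2>/dev/null)"
}

# Example run against constructed input (a clean process list and an empty
# home directory), so the function can be exercised without an infection.
demo() {
    tmp=$(mktemp -d)
    if scan_indicators "$tmp" "launchd
Finder
Transmission"; then
        echo "demo: no indicators found"
    fi
    rm -rf "$tmp"
}
```

If either line starts with “HIT:”, the process should be force-quit and the infected Transmission 2.90 replaced with 2.91, as the advice above says; a clean result only means these two specific indicators are absent, not that the machine is free of other malware.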