OS X affected with KeRanger
KeRanger ransomware hits Mac OS X Reuters

A new malicious software targeting Apple's Mac computers has been discovered recently. Although a ransomware called FileCoder was earlier detected in 2014, the latest one is believed to be the first fully functional ransomware found in the OS X platform.

Ransomware, a type of malware, is one of the fastest-growing cyber threats. It encrypts data on infected machines, then asks users to pay a ransom to get an electronic key in order to retrieve data.

Details about the new ransomware dubbed KeRanger were first revealed by researchers at well-known cybersecurity firm Palo Alto Networks. They claim the malicious software was signed by the attackers with a valid Mac app development certificate, hence the malware was able to trick Apple's Gatekeeper, the security protection of Mac OS X operating system.

KeRanger ransomware

When a user installs any app infected with KeRanger, an executable file runs on the Mac and the malware then waits for about three days before it connects the system with command and control (C2) servers over the Tor anonymizer network.

The malware then begins encrypting certain files on the Mac and once the encryption is completed, the KeRanger malware demands that victims pay one bitcoin, which is about $400 (£282, €365) to retrieve their files. The malware even attempts to encrypt Time Machine backup files to prevent victims from recovering their data.

According to security experts, the ransoms come up to hundreds of millions of dollars a year from these cybercriminals, who usually target Microsoft Windows users. "This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom," Ryan Olson, Palo Alto Threat Intelligence director told Reuters.

After becoming aware of the issue, Apple has revoked the abused app development certificate. Apple's Gatekeeper will now block the malicious installers. It has also updated the XProtect antivirus, which has been automatically updated to all Mac computers now.

Transmission BitTorrent installer for Mac OS X

The hackers infected Mac through a copy of the popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network. Transmission is an open source project, whose official website has been compromised by the attackers and files were replaced by malicious software. The hackers infected two installers of Transmission version 2.90 with KeRanger.

Meanwhile, the Transmission Project has also removed the malicious installer from its website. Palo Alto said those who are using the older version of Transmission are not affected with this ransomware. Those who downloaded Transmission installer from its official website between 4 and 5 March might have been infected by KeRanger.

How to protect your Mac against KeRanger ransomware

If you have downloaded the Transmission installer before the said time and from any third-party, you must do the following security check to remove the infected files:

  • Using either Terminal or Finder to check whether /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf exist. If any of these exist it means the Transmission app is infected. Users are advised to delete this version of Transmission.
  • Using Activity Monitor preinstalled in OS X, check whether any process named "kernel_service" is running. If so, choose the "Open Files and Ports" and check whether there is a file named "/Users//Library/kernel_service" (Figure 12). In that case, terminate it with "Quit -> Force Quit".
  • Users are also recommend to check whether the files ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service" exists in ~/Library directory and then delete them.
More about Mac