First OS X ransomware detected in the wild, will maliciously encrypt hard drives on infected Macs [Update: How to fix]

Update: Version 2.92 of Transmission has now been released. Transmission says this version actively removes the ‘KeyRanger’ malware files from an infected Mac.

OS X users have today been hit with the first known case of Mac ‘ransomware’ malware, found in the version of the Transmission BitTorrent client released last week. Infected copies of the app include the ‘KeyRanger’ malware, which maliciously encrypts the user’s hard drive three days after being installed. The malware then demands payment before it will decrypt the disk and let the user access their data again: the ‘ransom’.

As reported by Palo Alto Networks, Apple has already taken steps to curb the spread of the malware through its Gatekeeper security system: the infected version of Transmission will no longer install. That does not help those who have already been affected, however. Transmission is urgently recommending that users upgrade to the latest version of its software, 2.91.

Unlike ‘friendly’ system encryption services, malware that maliciously encrypts user data has become increasingly common on Windows. The aim is for the virus maker to raise money by holding the user’s data hostage until payment is made, in exchange for which the malware is supposed to decrypt the drive again.

The KeyRanger malware currently circulating is the first known instance of ransomware targeting OS X users. Paying the ransom is not recommended: it only encourages further malicious activity, and there is no guarantee the virus maker will actually decrypt the data as promised.

Users worried that they have been hit by the ransomware should look for a process named ‘kernel_service’ in Activity Monitor. The name is a disguise chosen to resemble a kernel system process; it is actually the KeyRanger malware. If you are affected, the recommendation is to restore from a backup of your system taken before you installed Transmission. This is the best way to ensure the virus has been completely removed.

It’s worth noting that the malware has only been detected in the Transmission app to date. It is unknown whether it is more widespread and affects other common apps.

Palo Alto Networks suggests a few other methods to check for the presence of the malware; its post also includes much more detail on the technical implementation of the virus, so check it out for more information. The security researchers suggest checking for the existence of the file ‘/Applications/Transmission.app/Contents/Resources/General.rtf’ or ‘/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf’. If either file exists, the Transmission app is likely infected. You can also check for the existence of ‘.kernel_pid’, ‘.kernel_time’, ‘.kernel_complete’ or ‘kernel_service’ files in the ~/Library directory. Delete the files if they exist.
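The checks described above, put together as a read-only script you can run in Terminal. This is an added example, not code from 9to5Mac or Palo Alto Networks; it only reports what it finds and deletes nothing, and the optional root and home-directory parameters exist only so the check can be pointed at a test tree.

```shell
#!/bin/sh
# Added example (not from the article or from Palo Alto Networks): report the
# KeyRanger indicators the article lists. Read-only; nothing is deleted.
# $1 = filesystem root (default: real root), $2 = home directory (default: $HOME).

# Print every indicator file that exists, one per line. Always returns 0.
keyranger_indicators() {
  root="${1:-}"          # empty string means the real filesystem root
  home="${2:-$HOME}"
  for f in \
    "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
    "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
    "$home/Library/.kernel_pid" \
    "$home/Library/.kernel_time" \
    "$home/Library/.kernel_complete" \
    "$home/Library/kernel_service"; do
    [ -e "$f" ] && echo "$f"
  done
  return 0
}

# Return 0 if a process whose executable is named kernel_service is running,
# the disguised name the article tells readers to look for in Activity Monitor.
keyranger_process_running() {
  ps -axo comm= | grep -qE '(^|/)kernel_service$'
}

# Report on the machine this runs on.
hits=$(keyranger_indicators | wc -l | tr -d ' ')
if keyranger_process_running; then
  echo "WARNING: a kernel_service process is running"
fi
if [ "$hits" -gt 0 ]; then
  echo "WARNING: $hits KeyRanger indicator file(s) present:"
  keyranger_indicators
else
  echo "No KeyRanger indicator files found"
fi
```

If any indicator is reported, follow the article's advice: restore from a backup taken before Transmission was installed rather than relying on deleting the files alone.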

Comments

  1. dcj001 - 8 years ago

    “First OS X ransomware detected in the wild, will maliciously encrypt hard drives on infected Macs”

    Hard drives? I should be safe. I use solid state drives.

  2. dm33 - 8 years ago

    This is why I don’t let my default userid have administrator privileges. And why I avoid doing anything that asks for admin userid and password.
    Transmission works just fine from a non admin userid. If it tried to encrypt the drive it would fail or ask for admin which I wouldn’t have given it.

    • kloquewerk - 8 years ago

      This is completely false. Where would you even get a theory like that??

    • It doesn’t matter if the standard user has write access to their own home directory as well as any external media that may be plugged in. If you can copy a file from a location to another location without being prompted for authentication, then the malware would also have privileges to do the same. The only way this would be stopped from attacking attached media would be if the media mounts as R/X-only.

    • Ian Carroll - 8 years ago

      It would still encrypt all of your files. It is not the same as enabling FDE – it just goes through all files it has permission to (which includes your Documents and Downloads folders) and overwrites them with encrypted versions.

    • Alex MacCuish - 8 years ago

      Not true, the app can encrypt your home folder just fine without admin permissions, it would just need admin for the rest of your drive, but if it didn’t have it, it wouldn’t ask and just be content with your documents.

    • Jay Craft - 8 years ago

      I don’t think all (most?) ransomware works this way. If they are smart, they will just encrypt files in your home directory, and namely stuff outside of ~/Library. That way your computer still boots and works normally, but you don’t have access to any of your unique files, which are more important to you than apps or generic system files.

      Running as a standard user may not protect you from this.

    • Robert Ziemba - 8 years ago

      @dm33 – Can you elaborate on how you do it? Do you have two accounts on your Mac, one with “normal” user, and one with admin?

    • baussie - 8 years ago

      The details provided in the article are incorrect: that malware does not encrypt the drive, it encrypts files in the “/Users” and “/Volumes” directories. So even running from a non-admin userid won’t really help; your user files would be encrypted.

      • dm33 - 8 years ago

        Not true. As a user you cannot encrypt /volumes nor /users

      • dm33, you are wrong.

        The malware isn’t just “encrypting”. They copy your files to their server, delete your files and put copies of theirs on your PC.

        Admin or non-admin, they can copy your files, encrypt them and delete files.

  3. Was KeyRanger slipped in at the source or was the Transmission binary modified and uploaded to third-parties for download?

  4. Derexed - 8 years ago

    Could you tell me if that malware was even in the app downloaded from the official website?

    • Donald Dillard - 8 years ago

      FACT: malware downloaded from NON APPLE websites… folks this is why the AppStore exists. If you want to open your door to malware then download cr@p from any website but don’t complain when you get hacked. What Apple cancelled was the Developer Certificate the app was NEVER on the Apple AppStore. STAY AWAY FROM TORRENTS, JUST MOSTLY MALWARE

    • Anthony (@AnthonyKeats) - 8 years ago

      Yes! (Read it elsewhere, but it seems the real app was infected, it’s not a duplicate or anything so delete or update!)

    • macrepublic - 8 years ago

      yes

    • AeronPeryton - 8 years ago

      If you downloaded Transmission 2.90 from March 4th onward from the official site, it might be infected. The Transmission site now has a lengthy FAQ on how to detect and kill the ransomware. It waits three days before deploying, so if you kill it now, it should be okay.

      • Derexed - 8 years ago

        Unfortunately I can’t turn on my Mac till tomorrow, so I really don’t know what to do now. I downloaded the update the day it was released.

      • Timur Tripp - 8 years ago

        @Derexed If you haven’t opened Transmission, delete it and you should be fine. If you have, boot your Mac into Target Disk Mode and, using another Mac, check for the files mentioned in the article.

  5. Victor (@torrent82) - 8 years ago

    I updated through the prompt that I received through Transmission. I hope I’m OK. I checked the processes and those paths and didn’t find anything.

  6. Haven’t used the app but this is the first time I got concerned about a Mac malware! Fortunately didn’t find the process!

  7. fishbert (@fishbert) - 8 years ago

    According to users on Transmission’s forums, if you updated within the app, you should be fine. If you downloaded the app from their website, or if you tried to update within the app and got an error about a signature issue then went to download the app from their website, you could be affected.

  8. macrepublic - 8 years ago

    If you were using the in-app updater to download 2.90, you are safe.

  9. Jurgis Ŝalna - 8 years ago

    I actually found it very strange that 9to5 boasted about the TransmissionBT update the other day.

    How does 9to5mac feel about contributing to spreading malware now?

    • Jurgis Ŝalna - 8 years ago

      Especially considering they’ve never mentioned it before in all 9to5 history. Something is not right here.

      • Scott Buscemi - 8 years ago

        Are you … serious? Where is your logic?

      • Smigit - 8 years ago

        What a dumb argument. You may as well say OS X has bugs and, since 9to5mac talks about OS X, they’re aiding the spread of buggy software. You’re being completely absurd, especially if you are going to imply that 9to5mac somehow knew about the issues and wanted to infect people’s computers, which is the only takeaway I can make from your last comment.

  10. ChuckSr Salzmann Sr - 8 years ago

    I was in Facebook on my MacBook Pro a week ago and clicked on an ad and my screen became locked. I could not close Safari. I immediately clicked to turn Wi-Fi off. I shut down the system, waited a minute or two, rebooted and it came up normal. I immediately ran the Malware.app and it downloaded new stuff, and then said I was clean. Knock on wood, I haven’t experienced anything further.

    • standardpull - 8 years ago

      I wouldn’t run Malware.app just because my screen became locked. In fact, I’d never run Malware.app. I don’t even have it installed on my Mac.

    • Ryan - 8 years ago

      What the heck is Malware.app?

  11. John Smith - 8 years ago

    Dear Apple

    As a customer, I have no need whatever for you to expend huge resources ‘protecting’ me from the FBI/NSA/GCHQ.

    Please do a better job of protecting me from real threats like this.

    • standardpull - 8 years ago

      Those huge resources spent on ‘protecting’ you from government agencies most certainly also protect you from “real threats like these”.

      If -YOU- elect to use weak passwords, override bad certificates, disable OS-level security controls, fail to backup regularly, and sloppily use administrative rights, then YOU are opening yourself up to very real threats such as this one.

      • Smigit - 8 years ago

        Apparently this got through using a legitimate certificate. That said, Apple’s responded quite swiftly and has revoked that certificate.

    • Rich Davis (@RichDavis9) - 8 years ago

      Some malware is attached to files, apps and content that are obtained from unreliable sources. Torrent sites are notoriously a haven for hackers. It’s where they breed, so if you don’t want this stuff, then don’t use torrent apps trying to download from torrent sites. That’s outside of Apple’s jurisdiction. They can’t prevent certain types of malware if the malware is from another site that Apple doesn’t own/operate. That’s why the best places to get apps are from the manufacturer directly or through something like the Apple App Store. If you go outside that, then there’s a high probability of malware.

      The other thing to do is to look up the various sites, like Symantec, or other virus protection companies that track the various variants of malware as they will tell you the name of the malware, how to detect it, how to get rid of it, etc. So that is up to the user. Apple can only control what they can control and they don’t control the Torrent sites and Torrent apps.

    • John Angelo - 8 years ago

      Apple can’t protect you from yourself, because that’s who can cause this to happen.

  12. Rich Davis (@RichDavis9) - 8 years ago

    Precisely why I stay far away from Torrent sites. Too much potential malware.

    • I have a PC with Windows 7 that hasn’t been updated and has no antivirus, and it has been downloading torrents since 2012 and is still working fine.

      • Same here. Mac and PC with no AV software since 2000 and never had an issue. It’s about knowing what you’re doing and not clicking on stupid shit. I do have Transmission on my Mac, but it’s 2.84 so I’m good. I will update when all of this blows over.

  13. moo083 - 8 years ago

    Another reason to use Time Machine. If you have a laptop, set up a network-connected Time Machine backup so it’s always backing up. This way, if anything happens, your data is safe.

    • baussie - 8 years ago

      What prevents malware from encrypting your backups as well? It is just a file on a network drive. You don’t need admin privileges to access that. False sense of security, I am afraid.

      • iJonni - 8 years ago

        Actually, you do need admin privileges to access a Time Capsule bundle over the network.

  14. Lawrence Krupp - 8 years ago

    And this comes in a Bit Torrent client. How apropos.

  15. Inaba-kun (@Inaba_kun) - 8 years ago

    First off, these psychopaths need to be found and imprisoned forever.

    Secondly, this shows the failings of the Mac App Store. If all Mac apps were available in the app store then they’d be sandboxed and safe. As it is the Mac App Store is pretty much abandonware at this point.

  16. Ashe Blackthorne - 8 years ago

    Meh. These motherfuckers are trying anything to get cash. NEVER pay. This is the same thing that happened with the Ashley Madison breach. Take all the info you have and forward it to the FBI tip line, especially if the blackmailers have given you a bitcoin wallet number. You can do it anonymously and the FBI loves taking these guys down.

  17. scumbolt2014 - 8 years ago

    Where’s the FBI when real criminals like this target innocent people? Same place they are all the time with their heads up their asses.

  18. Where’s the FBI when you need them?

Author

Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac. Listen to Benjamin, every week, on the Happy Hour podcast. Check out his personal blog. Message Benjamin over email or Twitter.