Update: Version 2.92 of Transmission has now been released. According to the project, this version actively removes the ‘KeRanger’ malware files from an infected Mac.
OS X users have today been hit with the first fully functional case of Mac ‘ransomware’ seen in the wild, found in the Transmission BitTorrent client released last week. The infected version of the app carries ‘KeRanger’ malware that waits three days after installation and then encrypts the user’s files (those under /Users and on mounted volumes under /Volumes; it does not encrypt the disk itself). The malware then demands payment for the key needed to decrypt the files and get the data back — the ‘ransom’.
As reported by Palo Alto Networks, Apple has already revoked the abused developer certificate, so Gatekeeper now blocks the infected installer, and has updated its XProtect signatures. That stops new installs, but it does not help those who have already run the infected version. Transmission is urgently recommending that users upgrade to the latest version of its software, 2.91.
Unlike legitimate disk encryption, which the owner controls, ransomware encrypts user data against the owner’s wishes; it has become increasingly common on Windows. The aim is to extort money by holding the data hostage until a payment is made, in exchange for the key that decrypts the files.
KeRanger is the first fully functional ransomware known to target OS X users. Paying is not recommended: it only encourages further attacks, and there is no guarantee the attackers will actually decrypt the files as promised.
Users worried about being affected should look for a process named ‘kernel_service’ in Activity Monitor. The name is chosen to look like a legitimate kernel component, but it is the KeRanger malware. If you are affected, the recommendation is to restore from a backup taken before you installed Transmission 2.90. That is the surest way to be certain the malware has been completely removed.
It’s worth noting that, to date, the malware has only been found in the Transmission 2.90 installer. Whether it is more widespread, affecting other common apps, is unknown.
Palo Alto Networks suggests a few other ways to check for the malware, and their post includes much more detail on its technical implementation, so see it for more information. The researchers suggest checking for the file ‘/Applications/Transmission.app/Contents/Resources/General.rtf’ or ‘/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf’. If this file exists, the Transmission app is infected: despite its name it is not a document but the malware’s executable. You can also check for the files ‘.kernel_pid’, ‘.kernel_time’, ‘.kernel_complete’ or ‘kernel_service’ in your ~/Library directory. If they exist, quit the ‘kernel_service’ process and delete the files.
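As an added example (not code from this article, from Palo Alto Networks or from the Transmission project), the following POSIX shell script automates the checks described in the last three paragraphs: the ‘kernel_service’ process, the ‘General.rtf’ payload inside the Transmission bundle, and the hidden marker files in ~/Library. The script name, the function names and the KERANGER_HOME / KERANGER_APP_DIRS variables are assumptions of this example; the indicator paths are the ones quoted above. It only reports what it finds and never deletes anything.

```shell
#!/bin/sh
# keranger_check.sh (added example, not from the article or the Transmission project).
# Reports the KeRanger indicators listed in the article; it never deletes anything.

# Home directory and application directories to inspect. Both can be overridden,
# e.g. when examining another Mac's disk mounted via Target Disk Mode.
# KERANGER_APP_DIRS is a space-separated list, so it cannot hold paths with spaces.
KERANGER_HOME="${KERANGER_HOME:-$HOME}"
KERANGER_APP_DIRS="${KERANGER_APP_DIRS:-/Applications /Volumes/Transmission}"

# Print the path of every indicator file that exists, one per line.
# Usage: keranger_file_indicators <home_dir> <app_dir>...
keranger_file_indicators() {
    userhome="$1"
    shift
    # Marker files the malware writes to ~/Library when its three-day timer starts.
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        [ -e "$userhome/Library/$name" ] && printf '%s\n' "$userhome/Library/$name"
    done
    # The payload inside the infected 2.90 bundle. Despite the name it is an
    # executable, not a document, so its mere presence is the signal.
    for dir in "$@"; do
        rtf="$dir/Transmission.app/Contents/Resources/General.rtf"
        [ -e "$rtf" ] && printf '%s\n' "$rtf"
    done
    return 0
}

# Print the PID of any running process whose name is exactly kernel_service.
keranger_process_indicators() {
    pgrep -x kernel_service 2>/dev/null
    return 0
}

# Report everything found. Exit status 0 = clean, 1 = indicators present,
# so the function can be called from a login script or a management check.
keranger_check() {
    files=$(keranger_file_indicators "$KERANGER_HOME" $KERANGER_APP_DIRS)
    pids=$(keranger_process_indicators)
    if [ -z "$files" ] && [ -z "$pids" ]; then
        echo "no KeRanger indicators found"
        return 0
    fi
    [ -n "$files" ] && printf '%s\n' "$files" | sed 's/^/indicator file: /'
    [ -n "$pids" ] && printf '%s\n' "$pids" | sed 's/^/kernel_service running as pid /'
    echo "KeRanger indicators present: quit kernel_service, delete the files above,"
    echo "and restore from a backup taken before Transmission 2.90 was installed."
    return 1
}

# Run the check when the script is executed directly.
keranger_check
```

Run it as `sh keranger_check.sh` on the Mac in question; a non-zero exit means something was found. To inspect a Mac whose disk is mounted from another machine, point the variables at the mounted volume (for example `KERANGER_HOME=/Volumes/Other/Users/alice KERANGER_APP_DIRS=/Volumes/Other/Applications sh keranger_check.sh`). Note that a clean result only means none of the published indicators is present; restoring from a backup made before the infected installer was run remains the sure fix.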
“First OS X ransomware detected in the wild, will maliciously encrypt hard drives on infected Macs”
Hard drives? I should be safe. I use solid state drives.
Are you joking?
If not, it doesn’t make a difference if it’s SSD or not.
no, gravity waves in ssd kills all viruses! >:(
That’s not how the force works!!!!
I sure hope you were joking. SSD and HDD, makes no difference.
This is why I don’t let my default userid have administrator privileges. And why I avoid doing anything that asks for admin userid and password.
Transmission works just fine from a non admin userid. If it tried to encrypt the drive it would fail or ask for admin which I wouldn’t have given it.
This is completely false. Where would you even get a theory like that??
It doesn’t matter if the standard user has write access to their own home directory as well as any external media that may be plugged in. If you can copy a file from a location to another location without being prompted for authentication, then the malware would also have privileges to do the same. The only way this would be stopped from attacking attached media would be if the media mounts as R/X-only.
It would still encrypt all of your files. It is not the same as enabling FDE – it just goes through all files it has permission to (which includes your Documents and Downloads folders) and overwrites them with encrypted versions.
Not true, the app can encrypt your home folder just fine without admin permissions, it would just need admin for the rest of your drive, but if it didn’t have it, it wouldn’t ask and just be content with your documents.
I don’t think all (most?) ransomware works this way. If they are smart, they will just encrypt files in your home directory, and namely stuff outside of ~/Library. That way your computer still boots and works normally, but you don’t have access to any of your unique files which are more important to you than Apps or generic system files.
Running as a standard user may not protect you from this.
@dm33 – Can you elaborate on how you do it? Do you have two accounts on your Mac, one with “normal” user, and one with admin?
The details provided in the article are incorrect, that malware does not encrypt the drive, it encrypts files in “/Users” and “/Volumes” directories. So even running from a non admin userid won’t really help, your user files would be encrypted.
Not true. As a user you cannot encrypt /Volumes nor /Users
dm33 , You are wrong.
The malware isn’t just “Encrypting”. They copy your files to their server, delete your files and put copies of theirs on your PC.
Admin or non-admin, they can copy your files, encrypt them and delete files.
Was KeyRanger slipped in at the source or was the Transmission binary modified and uploaded to third-parties for download?
Could you tell me if that malware was even in the app downloaded from the official website?
FACT: malware downloaded from NON APPLE websites… folks this is why the AppStore exists. If you want to open your door to malware then download cr@p from any website but don’t complain when you get hacked. What Apple cancelled was the Developer Certificate the app was NEVER on the Apple AppStore. STAY AWAY FROM TORRENTS, JUST MOSTLY MALWARE
Yes! (Read it elsewhere, but it seems the real app was infected, it’s not a duplicate or anything so delete or update!)
yes
If you downloaded Transmission 2.90 from March 4th onward from the official site it might be infected. The Transmission site now has a lengthy FAQ for how to detect and kill the ransomware. It waits three days before deploying so if you kill it now, it should be okay.
Unfortunately I can’t turn on my Mac till tomorrow, so I really don’t know what to do now. I downloaded the update the day it was released.
@Derexed If you haven’t opened Transmission, delete it and you should be fine. If you have, boot your Mac into Target Disk Mode and using another Mac check for the files mentioned in the article.
I updated through the prompt that I received through Transmission. I hope I’m ok. I checked the processes and those paths and didn’t find anything
Haven’t used the app but this is the first time I got concerned about a Mac malware! Fortunately didn’t find the process!
According to users on Transmission’s forums, if you updated within the app, you should be fine. If you downloaded the app from their website, or if you tried to update within the app and got an error about a signature issue then went to download the app from their website, you could be affected.
http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/
if you were using in-app updater to download 2.90, you are safe
I actually found 9to5’s boast about the TransmissionBT update the other day very strange.
How do 9to5mac feel about contributing to spreading malware now?
Especially considering they’ve never mentioned it before in all 9to5 history. Something is not right here.
Are you … serious? Where is your logic?
What a dumb argument. You may as well say OS X has bugs and since 9to5mac talks about OS X, they’re aiding the spread of buggy software. You’re being completely absurd, especially if you are going to imply that 9to5mac somehow knew about the issues and wanted to infect peoples computers, which is the only take away I can make from your last comment.
I was in Facebook on my MacBook Pro a week ago and clicked on an ad and my screen became locked. Could not close Safari. I immediately clicked to turn Wi-Fi off. I shut down the system, waited a minute or two, rebooted and came up normal. I immediately ran the Malware.app and it downloaded new stuff, and then said I was clean. Knock on wood, I haven’t experienced anything further.
I wouldn’t run Malware.app just because my screen became locked. In fact, I’d never run Malware.app. I don’t even have it installed on my Mac.
What the heck is Malware.app?
Dear Apple
As a customer, I have no need whatever for you to expend huge resources ‘protecting’ me from the FBI/NSA/GCHQ
Please do a better job of protecting me from real threats like this.
Those huge resources spent on ‘protecting’ you from government agencies most certainly also protect you from “real threats like these”.
If -YOU- elect to use weak passwords, override bad certificates, disable OS-level security controls, fail to backup regularly, and sloppily use administrative rights, then YOU are opening yourself up to very real threats such as this one.
Apparently this got through using a legitimate certificate. That said, Apple responded quite swiftly and has revoked that certificate.
Some malware is attached to files, apps and content that are obtained from unreliable sources. Torrent sites are notoriously a haven for hackers. It’s where they breed, so if you don’t want this stuff, then don’t use Torrent apps trying to download from Torrent Sites. That’s outside of Apple’s jurisdiction. They can’t prevent certain types of malware if the malware is from another site that Apple doesn’t own/operate. That’s why the best places to get apps are from the mfg directly or through something like the Apple App Store. If you go outside that, then there’s a high probability of malware.
The other thing to do is to look up the various sites, like Symantec, or other virus protection companies that track the various variants of malware as they will tell you the name of the malware, how to detect it, how to get rid of it, etc. So that is up to the user. Apple can only control what they can control and they don’t control the Torrent sites and Torrent apps.
Apple can’t protect you from yourself, because that’s who can cause this to happen
Precisely why I stay far away from Torrent sites. Too much potential malware.
I have a PC with windows 7 that hasn’t been updated and no antivirus and it has been downloading torrents since 2012 and still working fine.
Same here. Mac and PC with no AV software since 2000 and never had an issue. It’s about knowing what you’re doing and not clicking on stupid shit. I do have Transmission on my Mac but it’s 2.84 so I’m good. I will update when all of this blows over.
Another reason to use Time Machine. If you have a laptop, set up a network connected Time Machine backup so it’s always backing up. This way if anything happens your data is safe.
What prevents a malware from encrypting your backups as well? It is just a file on a network drive. You don’t need admin privileges to access that. False sense of security, I am afraid.
Actually you do need admin privileges to access a Time Capsule bundle over the network
And this comes in a Bit Torrent client. How apropos.
First off, these psychopaths need to be found and imprisoned forever.
Secondly, this shows the failings of the Mac App Store. If all Mac apps were available in the app store then they’d be sandboxed and safe. As it is the Mac App Store is pretty much abandonware at this point.
Meh. These motherfuckers are trying anything to get cash. NEVER pay. This is the same thing that happened with the Ashley Madison breach. Take all the info you have and forward it to the FBI tip line, especially if the blackmailers have given you a bitcoin wallet number. You can do it anonymously and the FBI loves taking these guys down.
Where’s the FBI when real criminals like this target innocent people? Same place they are all the time with their heads up their asses.
Where’s the FBI when you need them?