One of the long-time arguments for buying a Mac over a PC has been security. Whether this was due to the fact that fewer people used Macs or because the OS X operating system was intrinsically more secure is a matter of considerable debate, but the Mac OS has typically been the target of fewer attacks than its PC counterpart. A recent ransomware attack targeting OS X systems has made it clear that this security may not be as ironclad as some think, though both Apple and the affected company have taken steps to solve the problem.
Palo Alto caught KeRanger in action not long after the updated 2.90 version was posted to the Transmission website and notes that there’s a three-day waiting period between when the update is installed and the ransom encryption kicks in. Catching the problem early, and removing the infected software, is key to halting the problem before it spreads.
This screenshot from the Readme demonstrates how the ransomware functions, and what you’re supposed to do to clear your rig. According to Palo Alto Networks: “After connecting to the C2 server and retrieving an encryption key, the executable will traverse the ‘/Users’ and ‘/Volumes’ directories, encrypt all files under ‘/Users’, and encrypt all files under ‘/Volumes’ which have certain file extensions.”
Palo Alto reports that the developer ID used to sign the infected version of Transmission was different from that used to sign previous versions of the program.
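A change of signer between releases, as described above, is something an administrator can check for by pinning the Team ID recorded from a known-good copy. The script below is an added example, not code from Palo Alto Networks or the Transmission project; the pinned ID, bundle path and sample reports are constructed placeholders.

```shell
#!/bin/sh
# Pin the signing Team ID of an app and flag any release signed by someone else.
# PINNED_TEAM_ID is a placeholder: record the real value from a copy you trust.
PINNED_TEAM_ID="EXAMPLETEAM1"

# Pull the TeamIdentifier field out of a `codesign -dvv` report read on stdin.
team_id_from_report() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Compare a report against a pinned Team ID.
# Prints match, mismatch:<id> or unsigned; returns 0 only on a match.
check_signer() {
    report="$1"
    pinned="$2"
    found=$(printf '%s\n' "$report" | team_id_from_report)
    if [ -z "$found" ] || [ "$found" = "not set" ]; then
        echo "unsigned"
        return 2
    fi
    if [ "$found" = "$pinned" ]; then
        echo "match"
        return 0
    fi
    echo "mismatch:$found"
    return 1
}

# On macOS: inspect a real bundle. codesign writes its report to stderr.
check_app() {
    app_report=$(codesign -dvv "$1" 2>&1) || { echo "unsigned"; return 2; }
    check_signer "$app_report" "$PINNED_TEAM_ID"
}

# Constructed sample reports (not real signatures of any application).
SAMPLE_TRUSTED='Executable=/Applications/Example.app/Contents/MacOS/Example
Authority=Developer ID Application: Example Developer (EXAMPLETEAM1)
TeamIdentifier=EXAMPLETEAM1'
SAMPLE_CHANGED='Executable=/Applications/Example.app/Contents/MacOS/Example
Authority=Developer ID Application: Other Developer (OTHERTEAM22)
TeamIdentifier=OTHERTEAM22'
SAMPLE_ADHOC='Executable=/Applications/Example.app/Contents/MacOS/Example
TeamIdentifier=not set'

# Demonstration on the constructed reports.
check_signer "$SAMPLE_TRUSTED" "$PINNED_TEAM_ID" || true
check_signer "$SAMPLE_CHANGED" "$PINNED_TEAM_ID" || true
```

A valid signature alone proves nothing here, since the infected build was itself signed; the check is on who signed it.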
Researchers with Palo Alto Networks told Reuters that the Mac BitTorrent client Transmission was found to be infected with the trojan KeRanger. “This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Palo Alto Threat Intelligence Director Ryan Olson told Reuters.
The ransomware was distributed through version 2.90 of Transmission. The Reuters story implies that the distribution was through official channels rather than a hacked copy of the program distributed through a website. Apple revoked the digital certificate Transmission used to install itself, which means infected versions of the application will no longer install to Macintosh systems. Transmission has released an updated version of its software (2.92), which it claims will automatically remove the ransomware installed by the 2.90 version.
If you think you might have been infected by this particular bug, update to the 2.92 version of Transmission immediately. If Palo Alto Networks is correct, the clock is ticking.