Pixel Envy

Written by Nick Heer.

New OS X Ransomware KeRanger Infected Transmission BitTorrent Client

Claud Xiao and Jin Chen of Palo Alto Networks:

On March 4, we detected that the Transmission BitTorrent [client] installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware “KeRanger.” The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform. […]

The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

Ransomware is especially frustrating because it doesn’t mess up your data so much as hold it ransom. I can’t imagine trying to understand the situation as a regular user with a single computer infected by it, let alone an entire hospital. It’s affected scores of Windows users for a long time and, while I haven’t heard of KeRanger causing major damage in the wild — so to speak — it’s still cause for concern.

If you use Transmission, be sure to upgrade to version 2.92, which is not infected and which removes the malware from an infected installation. Palo Alto Networks also has instructions for users to figure out whether they are infected, and to remove KeRanger if they are.
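The check Palo Alto describes can be scripted. The example below is added here; it is not code from Pixel Envy, Palo Alto Networks or the Transmission project. The file paths it looks for are the indicators named in the Palo Alto write-up (the extra General.rtf “resource” inside the Transmission bundle, which is the actual payload, and the kernel_service artefacts dropped in ~/Library once it has run); the function names, the root/home parameters and the constructed demo tree are assumptions of this example. Two caveats worth keeping in mind: a bundle that passes Gatekeeper is not evidence of anything here, since the payload carried a valid Developer ID signature, and because of the three-day delay an infected Mac can show no encrypted files yet.

```python
"""Check for the KeRanger file indicators published by Palo Alto Networks.

Added example for this post; it is not code from Pixel Envy, Palo Alto Networks
or the Transmission project. The indicator paths are the ones named in the
Palo Alto write-up; the function names, the scan-root/home parameters and the
constructed demo tree are this example's own.
"""
from pathlib import Path
import tempfile

# The infected Transmission bundle carried an extra "resource" named General.rtf,
# which is really the ransomware executable. Paths are relative to the volume
# root so the same check can be pointed at a mounted disk image.
APP_INDICATORS = (
    "Applications/Transmission.app/Contents/Resources/General.rtf",
    "Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf",
)

# Artefacts the payload drops under ~/Library once it has executed. Their
# presence means the installer was not merely downloaded but actually run.
LIBRARY_INDICATORS = ("kernel_service", ".kernel_pid", ".kernel_time", ".kernel_complete")


def find_indicators(root="/", home=None):
    """Return the indicator paths that exist under root and under home/Library."""
    root = Path(root)
    home = Path(home) if home is not None else Path.home()
    hits = []
    for rel in APP_INDICATORS:
        candidate = root / rel
        if candidate.exists():
            hits.append(str(candidate))
    for name in LIBRARY_INDICATORS:
        candidate = home / "Library" / name
        if candidate.exists():
            hits.append(str(candidate))
    return hits


def demo():
    """Run the check against a constructed directory tree, not a real system.

    Builds one "infected" tree holding two indicators and one clean tree, and
    returns the hits found in each (paths made relative to the temp directory).
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)

        infected_root = base / "infected_root"
        infected_home = base / "infected_home"
        payload = infected_root / APP_INDICATORS[0]
        payload.parent.mkdir(parents=True)
        payload.write_bytes(b"constructed marker, not a real Mach-O")  # constructed
        lib = infected_home / "Library"
        lib.mkdir(parents=True)
        (lib / ".kernel_pid").write_text("12345\n")  # constructed

        clean_root = base / "clean_root"
        clean_home = base / "clean_home"
        (clean_root / "Applications").mkdir(parents=True)
        (clean_home / "Library").mkdir(parents=True)

        infected_hits = find_indicators(infected_root, infected_home)
        return {
            "infected": [Path(h).relative_to(base).as_posix() for h in infected_hits],
            "clean": find_indicators(clean_root, clean_home),
        }


if __name__ == "__main__":
    # Scan the running Mac: the volume root and the current user's home.
    for line in find_indicators() or ["no KeRanger indicators found"]:
        print(line)
```

Any hit under Applications or Volumes means the Transmission bundle itself is infected and should be replaced with the 2.92 build; a hit under ~/Library means the payload has already run, so the kernel_service process should also be killed before the files are removed, per the Palo Alto instructions.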