First Working Ransomware, KeRanger Hits Apple Mac

Mac users are usually safe from cyber attack; it is one of the major benefits of the devices, since Apple keeps a tight rein on the software that can run on them. Over the weekend, however, something unwelcome happened: the first ransomware attack hit several Mac users. Ransomware is malicious software that blocks access to files on the infected computer. It works by encrypting the files and then charging a premium, usually paid in bitcoin, to have them decrypted. The program infecting Macs is called KeRanger, and it charges 1 bitcoin to decrypt the victim's files. The current market rate for a bitcoin is around $400.

Ransomware Hits Mac


The ransomware is packaged with the installer of the popular BitTorrent client Transmission, specifically version 2.90. It is still unknown how the malicious code was introduced into the software, which means future attacks remain possible. Users who have installed the affected version are advised to upgrade to the latest version, 2.92, as soon as they can. The good news is that Apple has revoked the signing certificate and the Transmission Project has removed the malicious installers.

Security researchers from Palo Alto Networks were the first to detect this ransomware lurking in the Transmission BitTorrent installer last Friday. According to the researchers, the ransomware is programmed to sleep for three days before connecting to the attacker's server; only then does the encryption process begin, so most infected machines are expected to start having issues on Monday. The researchers have suggested the following steps to identify and remove the KeRanger files if the user has installed the affected version of Transmission.

  1. Using either Terminal or Finder, check whether /Applications/ General.rtf or /Volumes/Transmission/ General.rtf exists. If either exists, the Transmission application is infected and this version of Transmission should be deleted.
  2. With the "Activity Monitor" application in OS X, check whether any process named "kernel_service" is running. If such a process is found, double-check it by choosing "Open Files and Ports" and looking for a file name similar to "/Users/<username>/Library/kernel_service". This process is KeRanger's main process and should be terminated with "Quit -> Force Quit".
  3. Users are also recommended to check whether the files ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service" exist in the ~/Library directory. These files should be deleted.
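A read-only script that automates the three checks above, added here as an example and not taken from the article or the Palo Alto Networks advisory. It assumes a filesystem root and home directory passed as arguments (defaults: / and $HOME), and because the General.rtf path quoted above is truncated, it searches for that file name under the two directories named rather than hard-coding a full path.

```shell
#!/bin/sh
# Added example: report KeRanger indicators without deleting anything.
# Usage: keranger_scan [ROOT] [HOME_DIR]; exit 0 = clean, 1 = indicators found.
# ROOT defaults to "" (i.e. the real /), HOME_DIR to $HOME (assumed conventions).

keranger_scan() {
  root="${1:-}"
  home="${2:-$HOME}"
  hits=0

  # Step 1: General.rtf dropped under /Applications or /Volumes/Transmission.
  for dir in "$root/Applications" "$root/Volumes/Transmission"; do
    [ -d "$dir" ] || continue
    found=$(find "$dir" -name General.rtf 2>/dev/null)
    while IFS= read -r f; do
      [ -n "$f" ] || continue
      printf 'INDICATOR: %s\n' "$f"
      hits=$((hits + 1))
    done <<EOF
$found
EOF
  done

  # Step 3: hidden marker files and the dropped binary in ~/Library.
  for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
    if [ -e "$home/Library/$name" ]; then
      printf 'INDICATOR: %s\n' "$home/Library/$name"
      hits=$((hits + 1))
    fi
  done

  [ "$hits" -eq 0 ]
}

# Step 2: is the kernel_service process running? (live system only; the
# `ps -axo comm=` form works on OS X and Linux procps.) Exit 0 if running.
keranger_process_running() {
  ps -axo comm= 2>/dev/null | grep -q 'kernel_service$'
}
```

Run `keranger_scan && echo clean` on the live machine, then `keranger_process_running` for the process check; step 2's Force Quit and step 3's deletion are left to the user, as the advisory describes.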

To protect your system against future attacks, it is important to update the operating system frequently. In addition, it is worth investing in good antivirus software. While browsing the web or checking email, users should be careful not to click on suspicious links, as malicious software or scripts can be executed from a single click. Last but not least, it is important to back up important files, as a backup could be your savior if your system and documents are taken hostage by ransomware. It is effectively impossible to recover the encrypted files without the decryption key held by the attacker, but if all the files were previously backed up, it is simple to disinfect the system and restore them.