First Fully Functional Mac Ransomware Spread via Transmission BitTorrent Client

Share this…

Someone hijacked the Transmission BitTorrent client project website to spread ransomware to Mac OS X users. Over the weekend, a malicious party has managed to hack the Transmission BitTorrent client for Mac, infecting it with the first ever fully functional ransomware that targets Mac computers, Palo Alto Networks researchers are reporting.

The infection occurred on March 4, and Palo Alto researchers are saying that someone seems to have hacked the official Transmission website and replaced the legitimate Transmission client for Mac version 2.90 with one that included the KeRanger ransomware.

Mac users have never been targeted with a fully-working ransomware family until now. Previous Mac ransomware included a semi-finished ransomware family named FileCoder, and Mabouia, a ransomware variant built just as a proof-of-concept by a Brazilian security researcher that was never released in the wild.

KeRanger is as dangerous as Windows ransomware

KeRanger, as Palo Alto Networks explains, seems to be a carbon copy of crypto-ransomware families currently targeting Windows and Linux machines.

The ransomware uses AES encryption to lock files, targets over 300 file extension types and demands a 1 Bitcoin payment (~$400). Payment must be made in Bitcoin over a Dark Net (.onion) site.

Palo Alto researchers say that after infecting users, KeRanger will lay in wait for three days before starting its encryption process. This means that some of the people that downloaded the infected Transmission BitTorrent client since March 4 may still have a chance at removing the ransomware from their Mac before their data is encrypted.

Palo Alto provides removal instructions on their site. Once the encryption process is started, files can’t be recovered unless the victim pays the ransom, or they have backups of their data.

Apple has neutralized KeRanger, for the moment

Researchers that looked at the ransomware’s source code are also saying that KeRanger includes unfinished features which in future versions will also target and encrypt Time Machine files, making it impossible to recover files from older system backups.

Additionally, another unfinished feature would allow attackers to run commands on infected computers, making KeRanger a ransomware and a backdoor malware at the same time.

KeRanger was also using a stolen certificate to sign its code, which allowed it to bypass Apple’s GateKeeper protection system. Apple has revoked the certificate in the meantime and has also updated the XProtect antivirus signature to protect future victims from getting infected with this threat.

On the other hand, the Transmission open-source project has removed the malicious binaries from their site and have also issued a new version of their Mac client, version 2.91.

Transmission project delivering v2.91 to their users

Transmission project delivering v2.91 to their users