TechSpot

First full OS X Ransomware found inside popular Mac BitTorrent application

By midian182
Mar 7, 2016
Post New Reply
  1. It seems that ransomware is becoming an increasingly popular way to extort money. Last month, a Hollywood hospital handed over $17,000 to attackers after its systems were locked down for ten days following an initial infection by malicious malware. But even as more cyberattackers begin favoring ransomware, there’s never been a reported case of a fully functional version appearing on the Mac. Until now.

    Researchers found the ‘KeRanger’ malware in the newly updated BitTorrent client app Transmission last week. Anyone who downloaded version 2.90 from the website, rather than updating via the app itself, may have infected their systems.

    KeRanger, like all ransomeware, will encrypt users’ files and only hand over the unlock key once a certain amount of money has been paid. In this case, KeRanger demands 1 bitcoin, which is equal to around $404.

    Anyone who has installed an infected version of Transmission won’t notice any problems at first. But after three days, KeRanger will connect to servers via Tor and start encrypting more than 300 types of files. What’s even worse is that this malware will attempt to encrypt Time Machine backup files, removing the option for users to restore a clean backup.

    Versions of Transmission containing KeRanger weren’t flagged by Apple’s Gatekeeper security utility because the installer was signed with a legitimate certificate issued by Apple. The Cupertino company has since revoked the certificate and updated its XProtect antivirus engine.

    It’s still unclear precisely how the infected versions were uploaded to Transmission's website, but Paulo Alto Networks theorizes that the open source project’s “official site was compromised, and the files replaced by re-compiled malicious versions.”

    Researchers say that this is the first fully functioning ransomware to appear on the Mac. Kaspersky Labs discovered the FileCoder ransomware for OS X in 2015, but it was incomplete at the time of its detection.

    The Transmission Project has released a new version of its software and is urging users to “immediately upgrade” and run version 2.92 as it is said to actively remove KeRanger from infected Macs.

    Image credit: mama_mia / Shutterstock

    Permalink to story.

     
  2. Ranger12

    Ranger12 TS Guru Posts: 620   +118

    Do we know if the hashes were compromised as well?
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...