New OS X ransomware discovered in the wild

KeRanger not only demands $400 in Bitcoin, but also attempts to encrypt files backed up by Apple's Time Machine.
Written by Charlie Osborne, Contributing Writer

A new strain of ransomware which strikes OS X devices has been discovered by researchers.

The ransomware, dubbed KeRanger, was discovered on the legitimate website of open-source BitTorrent client project Transmission, Palo Alto Networks said in a blog post on Sunday.

Ransomware is a virulent type of malware whose use is on the rise. Often spread through phishing campaigns and malicious files, it infects compromised or vulnerable machines, encrypts their files, and locks users out of their PCs and networks.

As highlighted by the recent case of two German hospital networks infected with ransomware, once a system is locked this breed of malware displays a holding page and demands that a ransom be paid in the virtual currency Bitcoin.

Victims then often have only two options: restore their files from a previous backup or pay the ransom. However, for some older ransomware families -- including CryptoLocker -- security experts have released free rescue kits to remove infections.

OS X-based ransomware is far rarer than Windows versions. The only other known type of OS X ransomware in the wild is FileCoder, discovered in 2014. Palo Alto says:

"As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform."

The ransomware was found within two installers of Transmission 2.90 as malicious .dmg files on the official website. The team does not know how the malicious variants wormed their way onto the website, but it may be that the open-source software was recompiled and replaced once the website was compromised by the cyberattacker.

KeRanger was signed with a valid Mac application development certificate, which allowed it to bypass Apple's strict Gatekeeper security controls.

Once downloaded, the ransomware launches an executable file on the OS X machine and then waits for three days before connecting to the cyberattacker's command and control (C&C) server over the Tor network.

The malware then begins its spread and file encryption spree, locking the system and demanding a payment of one Bitcoin (roughly $400 at the time of writing).

The researchers say the ransomware may still be under development. There are indicators within the source code of additional features that have not yet been finished or implemented -- including backdoor functionality and the encryption of files stored in Apple's Time Machine backup service.

"If these backup files are encrypted, victims would not be able to recover their damaged files using Time Machine," the team says.

After the researchers notified Apple of their findings, the iPad and iPhone maker revoked the certificate used to sign the malicious file, and users are now warned if they attempt to download and open the fraudulent .dmg file.

In addition, Google has updated XProtect signatures to cover the ransomware family. As of March 5, Transmission removed the malicious files from its website, and content should now be safe to view and download.

If you downloaded the Transmission installer from the official open-source project's website after 11am PST on March 4 and before 7pm PST on March 5 this month, you may have been infected with KeRanger.

However, it is also worthwhile checking your system for Transmission downloads from third-party websites. Transmission warned its visitors that they may have been infected and should update their software.

To see if you have been infected, Mac users should follow the instructions listed by Palo Alto below:

  • Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either exists, the Transmission application is infected and you should delete this version.
  • Using "Activity Monitor", preinstalled in OS X, check whether any process named "kernel_service" is running. If so, double-check the process: choose "Open Files and Ports" and check whether there is a file name like "/Users/<username>/Library/kernel_service". If so, the process is KeRanger's main process. Terminate it with "Quit -> Force Quit".
  • You should also check whether the files ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service" exist in the ~/Library directory. If so, you should delete them.
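The three checks above can be scripted for a Terminal session or a fleet audit. The following is an added example, not code from Palo Alto Networks or the Transmission project; it assumes the indicator paths named above and takes the application, mounted-volume and home directories as parameters so it can be pointed at a mounted .dmg or exercised against a constructed directory layout.

```shell
#!/bin/sh
# Added example (not Palo Alto's or Transmission's code): checks a Mac for the
# KeRanger indicators listed in the article. All locations are parameters
# (an assumption of this script); the defaults are the live paths from the
# Palo Alto instructions.
#
# usage: check_keranger [APP_DIR] [VOLUME_DIR] [HOME_DIR]
# Prints every indicator found and returns the number of hits (0 = clean).
check_keranger() {
    app_dir="${1:-/Applications}"
    vol_dir="${2:-/Volumes/Transmission}"
    home_dir="${3:-$HOME}"
    hits=0

    # 1. General.rtf inside the Transmission bundle marks an infected build.
    for f in "$app_dir/Transmission.app/Contents/Resources/General.rtf" \
             "$vol_dir/Transmission.app/Contents/Resources/General.rtf"; do
        if [ -e "$f" ]; then
            echo "indicator: $f exists (infected Transmission build)"
            hits=$((hits + 1))
        fi
    done

    # 2. Dropped state files in ~/Library.
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$home_dir/Library/$name" ]; then
            echo "indicator: $home_dir/Library/$name exists"
            hits=$((hits + 1))
        fi
    done

    # 3. A running process named exactly kernel_service (pgrep -x matches the
    #    whole name; the check is skipped where pgrep is unavailable).
    if command -v pgrep >/dev/null 2>&1 \
       && pgrep -x kernel_service >/dev/null 2>&1; then
        echo "indicator: process kernel_service is running"
        hits=$((hits + 1))
    fi

    return "$hits"
}
```

Run it with no arguments on the Mac being checked; a non-zero exit status means at least one indicator was found and the listed files should be removed as described above.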
