A ransomware attack targeted at Mac computers managed to affect more than 6,000 machines. That may not seem like a huge number of computers when compared to the massive attacks against Windows machines, but it is significant. It means that Macs are on the radar of those who create ransomware, and this certainly won’t be the last attack.
The ransomware is called KeRanger. It locked up files and then demanded around $400 to unlock them.
The malware made its way onto Macs through the Transmission BitTorrent client (a BitTorrent client lets you distribute large files peer-to-peer). The attackers managed to infect the installers for Transmission 2.9.
This malware was signed with a valid Mac app developer certificate, so it passed Apple’s security checks. If you installed the program, it would wait three days before striking. The malware would then begin to encrypt document and data files on your Mac, and you would see a screen demanding around $400 to regain access to your own files. Among the files encrypted by this ransomware are documents, images, audio, music, archives and e-mail.
Security researchers at Palo Alto Networks say they also see signs that the malware tries to encrypt the Mac’s Time Machine backup to prevent you from recovering your data.
Since Transmission is an open-source project, it appears the attackers may have compromised the Transmission website and replaced the original files with malicious versions.
Fortunately, this issue was discovered pretty quickly. Transmission developers removed the files and Apple revoked the security certificate for the program.
If you happened to download the Transmission installer on or before March 5, it’s suggested you perform the following security checks.
Using either Terminal or Finder, check whether /Applications// or /Volumes/Transmission/ / exists. If either exists, the Transmission application is infected and we suggest deleting this version of Transmission.
Using “Activity Monitor”, which is preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double-check the process: choose “Open Files and Ports” and check whether there is a file name such as “/Users//Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
After these steps, we also recommend that users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, you should delete them.
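The process and ~/Library checks above, as an added shell example that is not part of the original post or of any vendor tool: the function names and the `--scan` flag are this example’s own, the Library directory is a parameter so the check can be pointed at a copy, and the first check’s application paths are left out because they are elided on the page.

```shell
#!/bin/sh
# Added example: looks for the KeRanger host indicators named in the text
# (the ~/Library artifacts and the kernel_service process).
# Function names here are this example's own, not part of any vendor tool.

# Dropped-file names listed in the advisory text above.
KERANGER_FILES=".kernel_pid .kernel_time .kernel_complete kernel_service"

# keranger_check_library [DIR]
# Looks for the indicator files in DIR (default: ~/Library). Prints one
# "FOUND: <path>" line per hit. Returns 0 when clean, 1 when anything is found.
keranger_check_library() {
    lib="${1:-$HOME/Library}"
    hits=0
    for name in $KERANGER_FILES; do
        if [ -e "$lib/$name" ]; then
            echo "FOUND: $lib/$name"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# keranger_check_process
# Exact-name match for a running kernel_service process (the Activity
# Monitor step). Returns 0 when none is running, 1 otherwise.
keranger_check_process() {
    if pgrep -x kernel_service >/dev/null 2>&1; then
        echo "FOUND: running process kernel_service (pid $(pgrep -x kernel_service | head -n1))"
        return 1
    fi
    return 0
}

# keranger_scan [DIR]
# Runs both checks and prints a verdict; exit status 1 means indicators were seen.
keranger_scan() {
    clean=0
    keranger_check_library "$1" || clean=1
    keranger_check_process || clean=1
    if [ "$clean" -eq 0 ]; then
        echo "No KeRanger indicators found."
    else
        echo "KeRanger indicators present: force-quit kernel_service, delete the files above, and remove the Transmission build they came with."
    fi
    return "$clean"
}

# Scan the live system only when invoked as: sh keranger_check.sh --scan
if [ "${1:-}" = "--scan" ]; then keranger_scan; fi
```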